Send As permissions reset daily
I have several users that have given Send As permissions to other users. Every day I have to try to get into the system to remove the Domain Users group from the Administrators group within the Builtin OU. If I don't get this done in time (varies daily but is usually by around 8:30 or 9:00) the users with Send As permissions are automatically removed from the user accounts I have them set up in. I also have to keep ADUC open on the server or the settings often reset later in the day, even after I have reset them in the morning. If I leave the ADUC window open during the day, the settings appear to stay applied. I have not tried leaving ADUC open overnight and into the next day as I make these changed from a RDC from my desktop to the server and I reboot my workstation nightly.I am tired of having to perform these steps daily as my list of users that allow this right has grown and it takes me several minutes to make all the necessary additions. I have searched all over the web for a fix and have verified many times that the standard items to check are not the cause. I am desperate for a fix to allow these settings to be applied once and stay there until manually removed.I am using Exchange Server 2003 Service Pack 2 on aDell server running Windows Server 2003 Service Pack 2.
October 14th, 2009 10:06pm
Why is the domain users group part of the Administrators group?You are running into a known issue:http://support.microsoft.com/kb/907434"The "Send As" right is removed from a user object after you configure the "Send As" right in the Active Directory Users and Computers snap-in in Exchange Server"You need to remove domain users from the administrators group ( and any other "protected groups" and reneable inheritance on those accounts. The article and links within it explain more.Elevated accounts should not be mail-enabled.
Free Windows Admin Tool Kit Click here and download it now
October 15th, 2009 2:03am
there's a guy posting over on the windows forum "why do my user accounts keep losing access to the domain controllers". every morning between 8:00 and 8:30 i have to log in and add the domain users group back to the builtin\administrators group on the systems. wtf, why does this keep disappearing.
October 16th, 2009 7:32am