Problem with "send as" permission.


  • Problem with "send as" permission.

    Hi,

    I configured a global group and gave it the send as permission on a mailbox. It worked for a day, and the next day the group disappeared from the security tab. It was like I never configured it.

    I did reconfigure it and people were now able to send as. Next day, same thing, the group disappeared from the security tab. I'm guessing there is some sort of policy overriding the changes made in the security tab or something like this.

    Anyone who could help on this one ?

    Best regards,

    trep

  • #2
    Re: Problem with "send as" permission.

    I suspect it is a "known" issue with Exchange where (IIRC) domain admins and similar cannot be given Send As permission, and if given it, it is removed every hour

    It normally affects Blackberries and this link may help you fix it
    http://na.blackberry.com/eng/support...are/sendas.jsp
    Tom Jones
    MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
    PhD, MSc, FIAP, MIITT
    IT Trainer / Consultant
    Ossian Ltd
    Scotland

    ** Remember to give credit where credit is due and leave reputation points where appropriate **



    • #3
      Re: Problem with "send as" permission.

      Thanks for the link, we indeed use a BES. Though, one of our clients has SBS2003 and no blackberries and has the same issue. I will still try what is described in the link for us and see if it works.

      trep



      • #4
        Re: Problem with "send as" permission.

        This isn't an "issue" - this behaviour is by design (to use a Microsoft phrase).

        Every hour, an internal AD process called AdminSDHolder visits all the "Privileged" groups and sets their permissions (and those of their members) to those specified in the AdminSDHolder object in the AD. This is to prevent someone using custom permissions to allow themselves elevated rights in an AD domain. It IS possible to grant administrators the "SendAs" right; however this tramples all over Microsoft Best Practice recommendations regarding separation of roles and functions; to use Email and productivity applications, a person should log in using his "Humble" user ID, and he should only use his "admin" ID for system administration tasks such as user account management and so on. A person with elevated rights on the account he uses for day-to-day document work presents a security risk to the business.


        Tom
        For my own and your protection, I do not provide support by private message under any circumstances. All such messages will be deleted and ignored.

        Anything you say will be misquoted and used against you



        • #5
          Re: Problem with "send as" permission.

          Excellent, now is there a way to get around this ? I mean, there are probably like 10000 webpages saying how to grant send as permissions, yet I haven't seen anyone reporting my problem. I'm guessing this is working for 99% of them, so there must be a way to give a domain user the right to send as without having to reconfigure it every day hehe. I thought about a vbscript, but I don't like the idea...

          Best regards,

          trep



          • #6
            Re: Problem with "send as" permission.

            Originally posted by trep
            Excellent, now is there a way to get around this ? I mean, there are probably like 10000 webpages saying how to grant send as permissions, yet I haven't seen anyone reporting my problem. I'm guessing this is working for 99% of them, so there must be a way to give a domain user the right to send as without having to reconfigure it every day hehe. I thought about a vbscript, but I don't like the idea...

            Best regards,

            trep
            You misread what I said. A Domain User can "Send As". A Domain Admin, Account Operator, Print Operator, Server Operator or Backup Operator (i.e. the "Privileged Users" I mentioned) cannot because AdminSD Holder will remove their permissions to do it - in accordance with Microsoft Best Practice.

            Also in accordance with Microsoft Best Practice, you should give your "Privileged" staff two user accounts; an "Admin" account to do their system administration tasks, and a "Humble" account with no privileges to do their more mundane tasks. They should use their "Humble" account to open Microsoft Outlook. Grant their "humble" account the "Send As" right where it's needed and you won't have a problem.

            Now - if I have misread what YOU said (or if you miswrote it) and your DOMAIN USERS (i.e. humble accounts) get the permissions stripped from them every hour, then someone has been messing with the permissions on the AdminSD Holder object using ADSIEdit and you will need to put it back to defaults. Do a search on the Microsoft Knowledge Base for this but BE CAREFUL - ADSIEdit is about the most powerful and therefore dangerous tool you will EVER USE as a system administrator on Microsoft AD systems.


            Tom
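A read-only check for the situation discussed in posts #4 to #6, added here as an example and not posted by anyone in the thread: it reports whether the mailbox account and the members of the delegated group are stamped as protected (`adminCount = 1`), which trustees currently hold Send As on the mailbox account, and which Send As grants the AdminSDHolder template carries. It assumes the ActiveDirectory PowerShell module is available; the account name `reports` and group name `Report Senders` are hypothetical.

```powershell
# Added example, not from the thread. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

# Hypothetical names: replace with the mailbox account and the delegated group.
$MailboxSam = 'reports'
$GroupName  = 'Report Senders'

# rightsGuid of the Send-As extended right in the AD schema.
$SendAsGuid = [guid]'ab721a54-1e2f-11d0-9819-00aa0040529b'

function Get-SendAsAce {
    param([string]$DistinguishedName)
    # Return the Allow ACEs that grant Send-As on the given object.
    (Get-Acl -Path "AD:\$DistinguishedName").Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.ObjectType -eq $SendAsGuid -and
        ($_.ActiveDirectoryRights -band
            [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)
    }
}

# 1. Is the mailbox account itself stamped as protected, with inheritance off?
$mbx = Get-ADUser -Identity $MailboxSam -Properties adminCount
$acl = Get-Acl -Path "AD:\$($mbx.DistinguishedName)"
[pscustomobject]@{
    Mailbox            = $mbx.SamAccountName
    AdminCount         = $mbx.adminCount
    InheritanceBlocked = $acl.AreAccessRulesProtected
    SendAsTrustees     = (Get-SendAsAce $mbx.DistinguishedName).IdentityReference -join '; '
}

# 2. Which user members of the delegated group are stamped as protected?
Get-ADGroupMember -Identity $GroupName -Recursive |
    Where-Object objectClass -eq 'user' |
    Get-ADUser -Properties adminCount |
    Select-Object SamAccountName, adminCount

# 3. Which Send-As grants does the AdminSDHolder template carry?
$holder = "CN=AdminSDHolder,CN=System,$((Get-ADDomain).DistinguishedName)"
(Get-SendAsAce $holder).IdentityReference
```

An object showing `AdminCount = 1` with `InheritanceBlocked = True` has had its ACL stamped from the AdminSDHolder template; a Send As grant that is on such an object but absent from step 3 is one the template does not contain.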


            • #7
              Re: Problem with "send as" permission.

              p.s. Allowing "Send As" has legal implications which cannot be ignored - imagine the PA who can "Send As" the Exec - the exec is a bully and needs to be taught a lesson... or imagine the budding cupid who sends a love note from his buddy to a girl in the office and she cries sexual harassment. These are examples I have actually observed in real life. Send on Behalf Of is far, far safer.


              Tom


              • #8
                Re: Problem with "send as" permission.

                Thanks for the info !

                This is basically why I really don't like playing around with ADSIEdit hehe. Actually, I probably miswrote.

                I've created a new Security Group. This group is not a member of any other groups in AD. To this group, I've added some users. Some are domain admins, some are domain users. I've granted this group the permission "send as". Yet, the permissions are being removed every day (not every hour). Like, I set everything up this morning around 9 and it's been there the whole day. I'm guessing that tomorrow, everything will be removed.

                Best regards,

                trep



                • #9
                  Re: Problem with "send as" permission.

                  In that case I would set up auditing on this group and examine the security event logs on DCs to see what caused it. However; I stand by my earlier message regarding safety and protection of employees. Send As is bad bad bad.


                  Tom


                  • #10
                    Re: Problem with "send as" permission.

                    Well, I'm probably not taking the right path to do whatever I want to do hehe.

                    Basically, we have a team of people sending out reports. So I've created a mailbox called [email protected]. I wanted the group of people to send out the reports, all with the same email address. This would prevent people from replying directly to them and having their personal email address. I thought that using the "send as" thing was the best way to do it. Looking forward to doing this the secure and Microsoft way.

                    Best regards,

                    trep



                    • #11
                      Re: Problem with "send as" permission.

                      So - you're allowing multiple users to send as ONE address; that is just about the right side of the "Send As" line - and I think I would allow it. For some reason I understood from your post that you wanted to allow everyone to "Send As" a whole bunch of other people. If they're sending "As" a group mailbox, that's acceptable as no other human being is implicated.

                      However there's one small management process you could put in place; there should be a way of telling who sent it without the possibility of interference or falsification by others - and I can't think of an easy way of doing it. Jane could "Send As" Domain Reports and sign it "Phil" - so that the report she's put together (which contains all her mistakes) is attributed to Phil.

                      Idea: It should be possible to create an Outlook VBA "On Send" event driven script for each user which puts a secret modification in the mail header as it's sent which is unique to each user and not known to any of them. This could then be traced later in the event of the address being used for "bad stuff" - sexual harassment etc. It would also be backed up by the transaction logs in Exchange but it's a big job to investigate that - this little script (if only someone would write it) would make tracing such skulduggery a lot easier.


                      Tom