Monday, October 29, 2007

Granting "Send As" rights in Exchange 2007

Many times it is necessary to grant a service account the ability to open a users mailbox and/or send email as that user.  Products that tightly integrate with Exchange like Blackberry Enterprise Server (BES), Quest Archive Manager (QAM), and many others need this in order to function properly.  This is accomplished by granting the service account the "Full Mailbox Access" and "Send As" rights for all mailboxes in the organization (assuming the application in question is to be rolled out enterprise-wide).

For those that are unclear, it is critical to understand the difference between "Send As" and "Send on Behalf Of".  "Send As" allows a user to "impersonate" another user and send email as the other user.  For example, if User A is granted "Send As" rights to User B's mailbox, then User A is able to send messages directly as User B and means that the recipient of the message will think that User B has sent the message, even though it was actually User A that sent it.  The "Send As" right can only be done by an administrator; a user cannot grant the "Send As" right to another user.

"Send on Behalf Of" allows a user to send email from another user's mailbox, but the sending user is not impersonated.  For Example, if User A is granted "Send on Behalf Of" rights to User B's mailbox, then User A is able to send message from User B's mailbox and the recipient would receive a message that is from "User A on behalf of User B".  By looking at the "From" field in the email, it is always very clear who is sending the message.  Like "Send As", the "Send on Behalf Of" right can be granted by an administrator, but unlike "Send As", "Send on Behalf Of" can also be established by the end user.  Through the Outlook client, a user can grant another user the ability to send on behalf of them.

For more information on granting "Send As" in an Exchange 2003 environment, or granting "Send on Behalf Of" permissions, check out this tutorial from

Now back to the problem at hand...

"Full Mailbox Access" and "Send As" rights can be granted on a single mailbox (or batch of mailboxes) with the following PowerShell cmdlets (using User A and User B from the examples above):

Add-MailboxPermission UserB -AccessRights FullAccess -user UserA

Add-ADPermission UserB -ExtendedRights Send-As -user UserA

Note that granting "Full Mailbox Access" does not include the "Send As" permission; "Send As" must be explicitly granted.

The problem with this method is that even if the script is such that it will grant the appropriate rights on all mailboxes in the environment, this will not automatically grant the rights to the service account for new mailboxes and the script must be re-run on a regular basis.  For message archival applications in particular this is a problem as some data may be missed because the service account was unable to access the mailbox.  So you must use a method to grant the required permissions automatically.

A personally recommended best practice is to create a group that has the "Send As" rights in Exchange and add the appropriate user accounts to that group.  Because there is risk with any account that has these rights to your entire Exchange organization, those account must be as secure as possible and the membership of that group must be controlled and monitored tightly.

To grant the required permissions, follow these steps:

  1. At the command prompt, type ADSIedit.msc. This requires the Windows Server 2003 Support Tools.
  2. In the Action menu, select Connect to…
  3. Select the Select a well known Naming Context radio button.
  4. Select Configuration from the drop-down list.
  5. The Default (Domain or server that you logged in to) radio
    button is selected. Leave this button selected if the machine you are
    logged in to is in the same domain as the Exchange 2007
    organization. If the machine you are logged in to is in a different
    domain, select Select or type a domain or server and enter the
    domain controller name.
  6. Click OK to return to the ADSI Edit window.
  7. Select the Configuration node that contains the name of the domain
    controller that holds your Exchange 2007 organization.
  8. Navigate to CN=Services | CN = Microsoft Exchange |
    CN=”Your Exchange Organization”
  9. Right-click the organization node and select Properties.
  10. Select the Security tab and click Advanced.
  11. Click Add, and select the appropriate user or group.
  12. In the Permission Entry window, ensure that Apply Onto is set to This object and all child objects.
  13. Check the box for Full Control in the Allow column.
  14. Click OK to add the entry, and click OK to exit the windows.
  15. Close ADSIedit.

Be very sure that the accounts you use are not also in any groups which are denied "Send As" rights, or you will still be denied.  By default, the Domain Admins, Enterprise Admins, and Exchange Organization Administrators groups are denied "Send As" rights (and should be kept that way).

1 comment:

Anonymous said...

Keith, great article, and my thoughts exact. Was MS thinking when they did away with the granular delegation capabilities? Are they looking to dumb down the Exchange Admin culture? The answer is YES!
Luckily ADSIedit still works.