Sysadminsblog.com Anything for sysadmins!

25Aug/108

Send as distribution group

In the Exchange GUI there’s no option to provide someone the send-as permission on a distribution group. To do this you’ll have fire up the Exchange Management Console.

Command:
[Powershell]Add-ADPermission <distribution group> -ExtendedRights Send-As -User <user> -AccessRights ExtendedRight | fl[/Powershell]

Output:
User: domain.local\<username>
Identity: domain.local/Distribution Groups/<distribution group>
Deny: False
AccessRights: {ExtendedRight}
ExtendedRights: {Send-As}
IsInherited: False
Properties:
ChildObjectTypes:
InheritedObjectType :
InheritanceType: All

You can use the Get-DistributionGroup command to pipe distribution groups to the Add-ADPermission command.

[Powershell]Get-DistributionGroup <distribution group name> | Add-ADPermission -ExtendedRights Send-As -User <user> -AccessRights ExtendedRight | fl[/Powershell]

Note: The settings need to propagate through the Exchange server’s cache. This can take up to 2 hours. Until this time when you try to send from the distribution list, you’ll get a message back stating that it’s not allowed to send as this distribution list. You can force an update by restarting the Information Store, however the mailboxes will be unavailable until the service has restarted.

Be Sociable, Share!

Posted by Mischa Oudhof

Comments (8) Trackbacks (0)
  1. hi to all at http://www.sysadminsblog.com i thought i had sent this newyears eve but it didnt send so i have sent it again happy new year to every one
    – matty g

  2. Hi There,

    I am becoming increasingly frustrated with setting the ‘send as’ permissions for users to send as a distribution group which they are a member of. I’ve tried everything! I’ve tried through EMC, AD and SBS08 Console but nothing seems to work.

    Very strange as I have changed other distribution group security permissions to add a user and assign the appropriate permissions and these work fine. That is a user can place the distribution group in the ‘From’ box in MS Outlook and send mail with no problems.

    I have also tried using the code below through the Exchange Management Shell and receive the same result stating that the user already has permissions. I’ve also tried resetting the information store service but nothing seems to work. We are running SBS 2008 and MS Exchange 2007.

    Any help would be greatly appreciated!

    Get-DistributionGroup | Add-ADPermission -ExtendedRights Send-As -User -AccessRights ExtendedRight | fl

    Many Thanks,
    Adam

  3. I should also mention that we undertook a migration from Exchange 2003 some time ago. It appears that the distribution groups which were migrated appear to work. But when a create a new distribution group the ‘send as’ permissions will not work. Very strange as I’ve looked at every detail of each distribution group to see if there are any differences and I can’t find any!?

    Again any help would be very much appreciated!

    • I’m kind of confused. Do you have any distribution groups that work with the send as permission? Do only distribution groups that migrated from Exchange 2003 work with the send as permission, or just the newly created ones? If it’s just working on the migrated distribution groups please let me know how you migrated them.

      Did you give it enough time to propagate through the Exchange permissions cache? Restarting the Information Store should force this, but I usualy tell people to give it a day to propagate just to be sure, even if it should be done after 2 hours.

      • Hi Mischa,

        Thanks for your reply. Yes the distribution groups which were migrated from the old Server (Exchange 2003) all work with the send as permissions. However the newly created ones will not work for some reason.

        I’m not IT savvy enough to explain how the method of migration, it was carried out by our old IT company and occurred over a year ago. Perhaps if you tell me the different methods, I could make inquiries with our current IT company? Although they can not resolve this issue either which is frustrating!

        Yes I have given it hours, days and weeks of time to propagate as well as restarting the Information Store service so I’m stumped! Love to find a solution for this!

        • There are a couple of things that might be causing this:

          1. There might be a deny ACL on the distribution groups (or the OU)
          You can set the permission to Send As, but the deny that might be specified on the OU or directly on the DL will take precedence. To check this, you’ll can run the command Get-ADPermission name | Out-GridView. The Out-GridView is just to easily display it, but it might not be installed. Just check if there’s any entry that has True in the deny column.

          2. The permissions might be reset after an hour
          There are groups that are marked as Critical. These groups get their permissions reset every hour to make sure that you don’t break any important AD functionality that can’t be restored. Check the permissions in AD after an hour to make sure that the Send As permission is still there.

          3. Send-on-behalf is conflicting
          Please check if the group also has entries in send-on-behalf. You can do this with the command Get-DistributionGroup name | select GrantSendOnBehalfTo

          If that’s not it, please answer the following to give me a better understanding of the setup.
          – What is the Group Scope and Group Type?
          – Is the Exchange 2007 running on the SBS2008 server or is it on a seperate server?
          – If it’s on the SBS2008 server, is it a seperate install or part of SBS2008 suite?

          If you think these questions are too intrusive to put in a comment, you can email the answers to mischa.oudhof@.

    • Adam, U cannot use Distribution group to “secure anything” !!!
      thats why mailEnabled security groups scenarios worked and distribution groups didn´t. 🙂

  4. Hey Mischa,

    Sorry for my belated reply, I can’t believe how long it’s been since I resorted to this forum! Needless to say I still have the same issue 🙁

    I have tried step 1 and there were no trues in the ‘deny’ column

    Step 2 I have already checked in the past and re-confirmed it now that the send as permissions are maintained i.e. they are not reset.

    Step 3 only returned a result of which I’m guessing means there are no send-on-behalf entries for this group (which there are not).

    To answer your next questions, this is a document control group with a mixture of normal users and power users as members. (we have another document control group which works fine with send as permissions as I mentioned in earlier correspondence)
    Yes Exchange 2007 is running on the SBS2008 server. How can I tell if it is a separate install? I’m guessing it is as they are separate applications, I tried to attach a screenshot for you but it wouldn’t work. Your email was also cut off so I couldn’t send you an email?

    I appreciate your time and hope you can still help.


Leave a comment

No trackbacks yet.