1

I need to add "Send As" permissions for a shared mailbox in Exchange 2013, however I need to grant it on an AD Group. I've already added FullAccess to the group via PowerShell and the command for adding the group to "Send As" works too, but some time after setting the permission it reverts to not set. This is the command I used: Get-Mailbox "name" | Add-ADPermission -User "group" -ExtendedRights "Send As"

The EAC shows that the permissions were applied, but like an hour later they are gone. Am I doing something wrong or is it not possible to grant "Send As" to an AD group?

Jörg H.

2 Answers

0

What kind of group is it?

Are any members, or the group itself, a member of a protected group (Domain Admins, Administrators etc.; full list here: https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-c--protected-accounts-and-groups-in-active-directory)? If so, then Exchange will remove those permissions automatically.

Sembee
0

Agree with Sembee.

This behavior seems to be related to protected groups in AD.

To find all user objects in a domain that are protected by AdminSDHolder, type:

Get-ADUser -LDAPFilter "(&(objectcategory=person)(samaccountname=*)(admincount=1))"

To find all groups in a domain that are protected by AdminSDHolder, type:

Get-ADGroup -LDAPFilter "(&(objectcategory=group)(admincount=1))"

If the groups belong to a protected group, the full access permission is delegated by modifying the security descriptor of a user object. Therefore, if the user/group is a member of a protected group, the change is overwritten in about one hour.

Jayce
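The checks suggested in the answers above can be narrowed to the objects involved in this one grant. The following is an added example, not part of either answer: it reports adminCount and the ACL inheritance flag for the shared mailbox's AD object, the group, and the group's recursive members. `shared-mailbox` and `mail-senders` are placeholder names, and the `Get-ProtectionState` helper is hypothetical.

```powershell
# Added example. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

$MailboxSam = 'shared-mailbox'   # placeholder: sAMAccountName of the shared mailbox
$GroupSam   = 'mail-senders'     # placeholder: sAMAccountName of the trustee group

# Hypothetical helper: read the two attributes that indicate AdminSDHolder protection.
function Get-ProtectionState {
    param([Parameter(Mandatory)] [string] $DistinguishedName)

    $obj = Get-ADObject -Identity $DistinguishedName `
        -Properties adminCount, nTSecurityDescriptor
    [pscustomobject]@{
        Name                = $obj.Name
        ObjectClass         = $obj.ObjectClass
        AdminCount          = $obj.adminCount
        # Protected objects have ACL inheritance switched off
        InheritanceDisabled = $obj.nTSecurityDescriptor.AreAccessRulesProtected
        DistinguishedName   = $obj.DistinguishedName
    }
}

$mailbox = Get-ADUser  -Identity $MailboxSam
$group   = Get-ADGroup -Identity $GroupSam

# Collect the mailbox object, the group, and every leaf member of the group.
$dns = @($mailbox.DistinguishedName, $group.DistinguishedName)
foreach ($m in (Get-ADGroupMember -Identity $group -Recursive)) {
    $dns += $m.DistinguishedName
}

$report = $dns | Select-Object -Unique |
    ForEach-Object { Get-ProtectionState -DistinguishedName $_ }

$report | Format-Table Name, ObjectClass, AdminCount, InheritanceDisabled -AutoSize

# Anything listed here is (or once was) covered by AdminSDHolder.
$flagged = @($report | Where-Object { $_.AdminCount -eq 1 -or $_.InheritanceDisabled })
if ($flagged.Count -gt 0) {
    Write-Warning "$($flagged.Count) object(s) show AdminSDHolder protection:"
    $flagged | Select-Object Name, DistinguishedName
} else {
    Write-Output 'No AdminSDHolder protection found on the mailbox, group, or members.'
}
```

adminCount is not cleared when an object leaves a protected group, so a flagged object may reflect past rather than current membership.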