I recently came across a problem where Send As permissions were disappearing from a customer's Exchange server on their Small Business Server 2011 every hour or so.
I would constantly re-add the permissions, thinking I had done something wrong, only to find they had disappeared later.
It is a common problem, with most people saying that the user is part of a protected group, such as Administrators, but they never stated whether it was the source or the destination user that needed to be removed from the protected group.
You need to remove the mailbox that is being shared from the protected groups. It can get very confusing. In my case the user was a member of the Administrators group, but the user was also a member of the “Customer Services” group, which in turn was also a member of Administrators! So I had several attempts before working out that the user was still being included as part of the Administrators.
For example, if you are sharing the “Customer Services” mailbox and Send As permissions with other users in your organisation, you will need to remove the “Customer Services” user from a protected group.
I found that removing the user from the protected groups was not enough. A lot of sites also suggested editing the adminCount to 0… without explaining how!
I’ve taken screenshots to help others:
Firstly remove the user(s) from protected groups such as
Then you need to run ADSIEdit on the domain controller. I found I couldn’t just Start –> Run this command.. I had to load Command Prompt (cmd) first.
Then, if the tool hasn’t been used before, connect to your Domain Controller.
In my case I didn’t have to change anything in the Connect To.. box.. I just clicked ok!
The next screen isn’t too easy to navigate. I found that the + and – navigation boxes didn’t appear until you clicked on each section in turn. The + would then appear and you could drill down into the next folder. Find the user(s) in question (for example, the account you are sharing and wanting to send as) and right click on them. Select properties.
Click on adminCount and click edit (or just double-click).
Change it to 0…
Click OK to apply the Integer Attribute Change.
Click OK to apply and save the user properties.
Re-apply your Send As permissions and wait and see if it is solved!
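The nested-membership check and the adminCount change from the steps above can also be scripted. This is an added example, not code from the original post; it assumes the ActiveDirectory module is available and uses `CustomerServices` as a placeholder account name for the shared mailbox.

```powershell
# Added example. 'CustomerServices' is a placeholder sAMAccountName for the
# shared mailbox account; run this on the domain controller.
Import-Module ActiveDirectory

$SharedMailbox = 'CustomerServices'   # assumption: replace with your account
$user = Get-ADUser -Identity $SharedMailbox -Properties adminCount

# Escape characters that are special inside an LDAP filter value.
$dn = $user.DistinguishedName -replace '\\', '\5c' -replace '\*', '\2a' `
                              -replace '\(', '\28' -replace '\)', '\29'

# 1.2.840.113556.1.4.1941 is the "in chain" matching rule: it follows nested
# membership, so a group that sits inside Administrators is found as well as
# direct membership. adminCount=1 on a group marks it as protected, or as
# nested in a protected group (a stale value can give a false positive).
$filter    = "(&(adminCount=1)(member:1.2.840.113556.1.4.1941:=$dn))"
$protected = @(Get-ADGroup -LDAPFilter $filter)

if ($protected.Count -gt 0) {
    Write-Warning "$SharedMailbox is still inside these protected groups:"
    $protected | Sort-Object Name |
        Select-Object Name, DistinguishedName | Format-Table -AutoSize
    Write-Host 'Remove these memberships first, or adminCount goes back to 1.'
}
elseif ($user.adminCount -eq 1) {
    # Same change as the ADSIEdit steps: set the integer attribute to 0.
    Set-ADUser -Identity $user -Replace @{ adminCount = 0 }
    Write-Host "adminCount set to 0 for $SharedMailbox. Re-apply Send As now."
}
else {
    Write-Host "$SharedMailbox is not in a protected group and adminCount is not 1."
}
```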
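You can force the security updater to run by pasting this script into PowerShell:

```powershell
# Requires/imports ActiveDirectory module
Import-Module ActiveDirectory

# The protected-groups task has to be triggered on the PDC emulator
$PDC = Get-ADDomain | Select-Object -ExpandProperty PDCEmulator

# LDIF file that sets runProtectAdminGroupsTask on the rootDSE (empty dn).
# c:\temp must already exist.
$Temp = "c:\temp\temp.txt"
Write-Host $Temp
Set-Content -Path $Temp -Value @'
dn:
changetype: modify
add: runProtectAdminGroupsTask
runProtectAdminGroupsTask: 1
-
'@

# Import the change against the PDC emulator
ldifde -i -f $Temp -s $PDC
```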
The above script comes thanks to this site.
Then re-check the Send As permissions screen.
I also found that the domain in question was _still_ removing the Send As permissions and somehow adding users back into administrative groups! This would happen about once a day. I tracked it down to a historic and crazy group policy: