Disappearing Send As Permissions on SBS2011 / Exchange 2010

I recently came across a problem where Send As permissions were disappearing from a customer's Exchange server on their Small Business Server 2011 every hour or so.

I would constantly re-add the permissions, thinking I had done something wrong, only to find they had disappeared later.
It is a common problem, with most people saying that the user is part of a protected group, such as Administrators, but they never stated whether it was the source or the destination user that needed (or didn't need) to be removed from the protected group.

You need to remove the mailbox that is being shared from the protected groups. It can get very confusing. In my case the user was a member of the Administrators group, but the user was also a member of the "Customer Services" group, which in turn was also a member of Administrators! So I had several attempts before working out that the user was still being included as part of the Administrators.

For example, if you are sharing the "Customer Services" mailbox and Send As permissions with other users in your organisation, you will need to remove the "Customer Services" user from a protected group.

I found that removing the user from the protected groups was not enough. A lot of sites also suggested editing the adminCount to 0… without explaining how!

I’ve taken screenshots to help others:

Firstly, remove the user(s) from protected groups such as:
Enterprise Admins
Schema Admins
Domain Admins
Administrators
Account Operators
Server Operators
Print Operators
Backup Operators
Cert Publishers

Then you need to run ADSIEdit on the domain controller. I found I couldn’t just Start –> Run this command.. I had to load Command Prompt (cmd) first.

Then, if the tool hasn’t been used before, connect to your Domain Controller.

In my case I didn’t have to change anything in the Connect To.. box.. I just clicked ok!
The next screen isn’t too easy to navigate. I found that the + and – navigation boxes didn’t appear until you clicked on each section in turn. The + would then appear and you could drill down into the next folder. Find the user(s) in question (for example, the account you are sharing and wanting to send as) and right click on them. Select properties.

Click on adminCount and click edit (or just double-click).

Change it to 0…

Click OK to apply the Integer Attribute Change.

Click OK to apply and save the user properties.

Re-apply your send as permissions and wait and see if it is solved!
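The nested-membership check and the adminCount reset described above can also be scripted. This is an added example, not part of the original post: it assumes the ActiveDirectory module and a hypothetical account name `custserv`, and it goes beyond the manual check by following nested groups with the LDAP in-chain matching rule.

```powershell
# Added example, not from the original post. 'custserv' is a hypothetical account name.
Import-Module ActiveDirectory

# Protected groups as listed in the post
$Protected = 'Enterprise Admins','Schema Admins','Domain Admins','Administrators',
             'Account Operators','Server Operators','Print Operators',
             'Backup Operators','Cert Publishers'

function Get-GroupsInChain([string]$Dn) {
    # Escape characters that are special inside an LDAP filter (RFC 4515)
    $v = $Dn.Replace('\','\5c').Replace('*','\2a').Replace('(','\28').Replace(')','\29')
    # LDAP_MATCHING_RULE_IN_CHAIN: every group that contains $Dn, directly or nested
    Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$v)"
}

function Get-ProtectedMembership([string]$SamAccountName) {
    $user = Get-ADUser -Identity $SamAccountName -Properties adminCount, MemberOf
    # Note: MemberOf does not include the account's primary group
    foreach ($directDn in $user.MemberOf) {
        $direct = Get-ADGroup -Identity $directDn
        # The direct group itself plus every group it is nested inside
        $reach = @($direct) + @(Get-GroupsInChain $directDn)
        foreach ($g in $reach) {
            if ($Protected -contains $g.Name) {
                New-Object PSObject -Property @{
                    User           = $user.SamAccountName
                    AdminCount     = $user.adminCount
                    DirectGroup    = $direct.Name
                    ProtectedGroup = $g.Name
                    Nested         = ($g.DistinguishedName -ne $direct.DistinguishedName)
                } | Select-Object User, AdminCount, DirectGroup, ProtectedGroup, Nested
            }
        }
    }
}

$hits = @(Get-ProtectedMembership -SamAccountName 'custserv')
$hits | Format-Table -AutoSize

if ($hits.Count -eq 0) {
    # No protected membership left, so set adminCount to 0 as done in ADSI Edit above
    Set-ADUser -Identity 'custserv' -Replace @{adminCount = 0}
}
```

Each row names the direct group that still leads to a protected group, which is the case that is easy to miss when checking memberships by hand.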

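You can force the security updater to run by pasting this script into PowerShell:

```powershell
# Requires/imports the ActiveDirectory module
Import-Module ActiveDirectory

# The protected-groups task runs on the PDC emulator, so target that server
$PDC = Get-ADDomain | Select-Object -ExpandProperty PDCEmulator

# Temporary LDIF file (c:\temp must already exist)
$Temp = "c:\temp\temp.txt"
Write-Host $Temp

# LDIF that sets runProtectAdminGroupsTask on the RootDSE (empty dn)
Set-Content -Path $Temp -Value @'
dn:
changetype: modify
add: runProtectAdminGroupsTask
runProtectAdminGroupsTask: 1
-
'@

# Import the LDIF against the PDC emulator
ldifde -i -f $Temp -s $PDC
```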

The above script comes thanks to this site.

Then re-check the send as permissions screen.

Edit:

I also found that the domain in question was _still_ removing the send as permissions and somehow adding users back into administrative groups! This would happen about once a day. I tracked it down to a historic and crazy group policy:

[Screenshot: group policy resetting group membership]

5 Responses to Disappearing Send As Permissions on SBS2011 / Exchange 2010

  1. RC says:

    I am having the same problem. I followed your instructions *, but it still removes the users in a short time. I noticed the user's properties in question show 3 Administrator groups when viewed from EMC. This seems to be a view only interface. When I check from SBS management console he has no Admin groups? I did zero out administrator from ADSI Edit as per your instructions. On the other hand I could not find the Group Policy Management Editor. This SBS 2011 Std server has Group Policy Management Console and has an entirely different tree structure; there is no Restricted C… anywhere in GPM console I could find. Please let me know if you have any suggestions or ideas on how to get this working.
    Thank you,
    RC

    (* I did not run the update script, just waited long enough for it to renew on its own.)

  2. The route to the final screenshot on the article is..
    Start –> Admin Tools –> Group Policy Management.
    + next to Forest
    + next to domains
    + next to your domain.local
    + next to Group Policy Objects

    Then right click and edit each one until you find the one that might contain the rogue setting.

  3. RC says:

    Update, Space the final frontier… I found GPM Editor same as on a workstation, but there is no Restricted C listed like in your screen shot. Is it possible this is a custom policy? Also I left the Administrator account disabled, as suggested, during setup in case that makes a difference.
    Thanks

  4. RC says:

    Still no joy with finding the Restricted (is it Group?) I searched the whole thing.
    I did figure out how to remove the Administrator Groups I saw in EMC. In case someone else needs to know, it's in GPM under Microsoft Exchange Security Groups > Windows SBS User Policy. I then confirmed in EMC that the groups have been removed. Now waiting to see if the Send As users will stick this time.

  5. RC says:

    Update
    It's working now! Removing the Admin groups from the user's profile in Microsoft Exchange Security Groups as mentioned above did the trick.
    Thanks for your help
