question

JohnpCurtiss asked YukiSun-MSFT commented

exchange/outlook 2016 full control

ad user me@domain1.com has an on-prem exchange 2016 mailbox for me@domain1.com.

there's a one-way outgoing trust with domain2, i have an account me2@domain2.com, and my workstation running outlook 365 is in domain2.com. domain2.com's mail is exchange online. (domain2.com ad is azure-connected but also on prem).

i created the domain local ad group domain1\group1 in domain1, and added me2@domain2.com to it. then i used exchange shell in domain1.com to grant domain1\group1 full mailbox permissions to the me@domain1.com mailbox.

on my domain2.com laptop logged in as me2@domain2.com, i can open outlook and see the me@domain1.com mailbox, but when i try to send something from that address, domain1.com's exchange servers bounce it back and say i don't have "send on behalf" permissions.

why do i need "send on behalf" permissions if i have "full control" permissions? i don't want to send on behalf anyway, because i don't want the mail to show up as "sent on behalf of". i just want to be logged in to the mailbox and "send as." what am i missing?

office-exchange-server-administration office-outlook-itpro

1 Answer

YukiSun-MSFT answered YukiSun-MSFT commented

Hi @JohnpCurtiss,

why do i need "send on behalf" permissions if i have "full control" permissions?

By design, "Full Access" permission only allows the delegate to open the mailbox, and view, add and remove the contents of the mailbox. It doesn't allow the delegate to send messages from the mailbox. See the permission description in the document below:
Manage permissions for recipients


i don't want to send on behalf anyway, because i don't want the mail to show up as "sent on behalf of". i just want to be logged in to the mailbox and "send as." what am i missing?

As per your requirement, you would need to grant domain1\group1 "Send As" permission to the me@domain1.com mailbox. The "Send As" permission allows the delegate to send messages without any indication; it looks as if they came directly from the mailbox or group.


If an Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.



"you would need to grant domain1\group1 "Send As" permission to the me@domain1.com mailbox."

turns out this is not an exchange permission that can be added with set-mailboxpermission, it's an ad permission that has to be added with add-adpermission, but add-adpermission is still an exchange powershell command, not an AD powershell command? so i need to have the right exchange permissions in order to connect to the exchange shell and get the "add-adpermission" cmdlet, and i also need the right AD permissions in order to update the AD account security. or i can just go into the aduc gui and edit the security of the account there to allow Send As.

0 Votes 0 ·

Hi @JohnpCurtiss

add-adpermission is still an exchange powershell command, not an AD powershell command?

Yes. As is mentioned in this document, the Add-ADPermission cmdlet is an Exchange PowerShell cmdlet which is available only in on-premises Exchange. If you would like to use the Add-ADPermission cmdlet to add the Send As permission, you'll need to have the "Active Directory Permissions", which is by default included in the role groups "Organization Management" and "Help Desk".

As per your query about doing it using the ADUC GUI, based on my test, yes, we can assign the Send As permission via ADUC, assuming you have sufficient permissions (for example, you have the Domain Admin permission) to do so. Steps I used are as follows:

  1. Open Active Directory Users and Computers (ADUC) on the Exchange Server.

  2. Go to the View menu and choose Advanced.

  3. Double click on the mailbox (group1) you need to configure Send As on to open the Properties dialogue box.

  4. Click the Security tab, click Add and select the user's name (me) that you want to give Send As permission to.

  5. Check the Send As in the Permissions list. Click Apply and then exit.


0 Votes 0 ·
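
The split discussed in this thread (Full Access held as an Exchange mailbox permission, Send As held as an Active Directory extended right) shown as an added PowerShell example; it is not code posted by either participant. It assumes the on-premises Exchange Management Shell in domain1 and the thread's own names me@domain1.com and domain1\group1; Get-MailboxDelegation is a hypothetical helper name.

```powershell
# Added example. Run in the on-premises Exchange Management Shell (domain1).
# Identities are the ones named in the thread.
$Mailbox = 'me@domain1.com'
$Trustee = 'domain1\group1'

# Hypothetical helper: list explicit (non-inherited) Full Access and Send As
# grants on one mailbox, so both permission stores are visible side by side.
function Get-MailboxDelegation {
    param([Parameter(Mandatory)][string]$Identity)

    $mbx = Get-Mailbox -Identity $Identity

    # Full Access lives on the mailbox and is read with Get-MailboxPermission.
    Get-MailboxPermission -Identity $mbx.DistinguishedName |
        Where-Object { -not $_.IsInherited -and -not $_.Deny -and
                       $_.AccessRights -like '*FullAccess*' -and
                       $_.User.ToString() -ne 'NT AUTHORITY\SELF' } |
        ForEach-Object {
            [pscustomobject]@{ Trustee = $_.User.ToString(); Right = 'FullAccess' }
        }

    # Send As is an extended right on the AD object, read with Get-ADPermission.
    Get-ADPermission -Identity $mbx.DistinguishedName |
        Where-Object { -not $_.IsInherited -and -not $_.Deny -and
                       $_.ExtendedRights -like '*Send-As*' -and
                       $_.User.ToString() -ne 'NT AUTHORITY\SELF' } |
        ForEach-Object {
            [pscustomobject]@{ Trustee = $_.User.ToString(); Right = 'SendAs' }
        }
}

# 1. Review what is granted today before changing anything.
$before = @(Get-MailboxDelegation -Identity $Mailbox)
$before | Sort-Object Right, Trustee | Format-Table -AutoSize

# 2. Add Send As for the group only if it is not already present.
$hasSendAs = $before |
    Where-Object { $_.Right -eq 'SendAs' -and $_.Trustee -eq $Trustee }
if (-not $hasSendAs) {
    $dn = (Get-Mailbox -Identity $Mailbox).DistinguishedName
    Add-ADPermission -Identity $dn -User $Trustee -ExtendedRights 'Send As'
}

# 3. Re-read both stores to confirm the resulting delegation.
Get-MailboxDelegation -Identity $Mailbox |
    Sort-Object Right, Trustee | Format-Table -AutoSize
```

The same report is a quick way to review who can send as a mailbox, since mail sent with Send As looks as if it came directly from the mailbox.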

Hi @JohnpCurtiss

I am writing to see how everything is going on with this thread. Should you need more help on this, feel free to post back.



0 Votes 0 ·