Re: Send As permissions set on all users, need to remove!

Hi Rich,

Again thank you for helping.

I am following your advice and have removed the deny send as from the
security group I created, in hopes that we can resolve this.

I also read the article, http://support.microsoft.com/kb/912918/, you
referred to, and don't understand how it relates to my issue...can you
explain further?

I have also installed MS06-029 security fix, twice, and the build still
reports as Version 6.5 (Build 7638.2: Service Pack 2), not sure what is
going on there.

As far as where I checked the permissions: AD in the default users OU
as well as in Exchange at all levels, after doing the showsecuritypage
reg tweak...are there other places I should be looking?

Michael Pitfield

Rich Matheisen [MVP] wrote:
"Michael P" <michael@xxxxxxxxxxxxxxxxxxx> wrote:

As a temporary work around I created a Security Group named "Security
- Mail Send As", then added the group to the top level of the
Exchange Server with deny send as permissions, I then added all of the
applicable users.

You really shouldn't do that. You'll cause problems for those users
(e.g. they probably can't assign a task to someone else).

I read the article you're referring regarding the change in "Full"
permissions, and possibly misread it thinking it didn't apply to
me...please advise.

The change was to the way Exchange determines if the Send As right
should apply to the user. Read this KB article for (alot) more
information:

http://support.microsoft.com/kb/912918/


Version 6.5 (Build 7638.2: Service Pack 2)

You haven't installed the MS06-029 security fix. IIRC, that would have
moved you to 6.5.7650.28.

I also checked the permissions on the "Everyone" and "Authenticated
Users" groups and they are ok.

Where did you check? With the build of store.exe you're running you
can inherit permissions (incorrectly) from the Exchange objects (in
the Configuration naming context), or you can inherit them from
"normal" inheritence in the Domain naming context.


--
Rich Matheisen
MCSE+I, Exchange MVP
MS Exchange FAQ at http://www.swinc.com/resource/exch_faq.htm
Don't send mail to this address mailto:h.pott@xxxxxxxxxxxxx
Or to these, either: mailto:h.pott@xxxxxxxxxxxxxxx mailto:melvin.mcphucknuckle@xxxxxxxxxxxxx mailto:melvin.mcphucknuckle@xxxxxxxxxxxxxxx

.

Relevant Pages

  • RE: Exmerge errors
    ... To do this open regedit on the system you are administering Exchange ... A Deny does overrule an allow IF they are both inherited. ... An explicite allow at the store level will over-ride the inherited Deny. ... I cannot see where or how to override these permissions. ...
    (microsoft.public.exchange.admin)
  • Re: Best practices for groups?!
    ... Some distribution groups have been turned into security groups by using ... We have used the DL for file permissions, with GG as member, and then ... such as if you are an Exchange admin without AD ...
    (microsoft.public.windows.server.active_directory)
  • Re: Messed up Administrator permissions
    ... Actually Exchange does an explicit Deny to all members of Domain Admins. ... Create a different account for doing ExMerge and grant it permissions on the ... server or on the mailbox store object. ...
    (microsoft.public.exchange.admin)
  • Re: Cant give distribution list rights for an Exchange 2003 Public Folder
    ... I thought Exchange 2000/3 automatically made distrubution groups security ... groups when assigning public folder permissions. ... >> We are having problems giving Distrbition Lists permissions to Exchange ...
    (microsoft.public.exchange2000.admin)
  • Re: Trouble understanding how Exchange uses groups
    ... MVP - Exchange ... mailbox-enabled objects in Active Directory and has no security ... in the permissions tab of the folder I can *only* select ... or groups from the GAB. ...
    (microsoft.public.exchange.admin)