RE: Send As permissions getting overwritten
- From: v-natliu@xxxxxxxxxxxxxxxxxxxx (Nathan Liu [MSFT])
- Date: Fri, 08 Jul 2005 09:54:38 GMT
Hello Andrew,
Thank you for your update.
To troubleshoot this issue, please refer to the below information:
1. The issue should be caused that the users are members of the 'Domain
Power User' group, possibly that he has 'Power Users' template applied to
the users. The 'Domain Power User' is a sub-group of 'SBS Remote
Operators', and 'SBS Remote Operators' has the 'Deny Logon Locally' policy
setting from 'Default Domain Controller' GPO. That will cause the ACL
permission setting to be reverted.
I would suggest any of the following:
1) Apply the 'Users' template to the existing power users using the Change
User Permissions Wizard.
2) Remove 'SBS Remote Operators' from the 'Deny Logon Locally policy'
settings, re-apply the 'Power Users' templates to the user accounts.
2. This issue can occur if the problematic user a member of a Distribution
group that is a member of any of the following groups:
- Enterprise Admins
- Schema Admins
- Domain Admins
- Administrators
- Domain Controllers
- Cert Publishers
- Backup Operators
- Replicator Server Operators
- Account Operators
- Print Operators
So you may record the Distribution groups that the problematic user account
belongs to and then check if any of them are in one or more of the above
groups. If so you should alter the membership to avoid this issue.
Looking at Q319966 where depending on whether that group or the users are
members of AdminSDHolder, those permissions can be reset every hour:
319966 "You do not have sufficient permissions in the Domain" error message
http://support.microsoft.com/?id=319966.
For more information, you can also take a look at the following KB articles:
817433 Delegated permissions are not available and inheritance is
automatically
http://support.microsoft.com/?id=817433
318180 AdminSDHolder Thread Affects Transitive Members of Distribution
Groups
http://support.microsoft.com/?id=318180
I am appreciated your time and cooperation. If anything is unclear, please
feel free to let me know. I am looking forward to hearing from you.
Best regards,
Nathan Liu (MSFT)
Microsoft CSS Online Newsgroup Support
Get Secure! - www.microsoft.com/security
=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
>Thread-Topic: Send As permissions getting overwritten
>thread-index: AcWDbtxHs/x+tBKVSXuRBNyKtM2EZA==
>X-WBNR-Posting-Host: 151.203.21.70
>From: =?Utf-8?B?QW5kcmV3IENvaGVu?= <AndrewCohen@xxxxxxxxxxxxxxxxxxxxxxxxx>
>References: <F208199A-B6ED-41F2-81B9-FBEFBAB650BC@xxxxxxxxxxxxx>
>Subject: RE: Send As permissions getting overwritten
>Date: Thu, 7 Jul 2005 20:41:01 -0700
>Lines: 28
>Message-ID: <7C9918D4-457C-46A7-AB77-C05F25E415D8@xxxxxxxxxxxxx>
>MIME-Version: 1.0
>Content-Type: text/plain;
> charset="Utf-8"
>Content-Transfer-Encoding: 7bit
>X-Newsreader: Microsoft CDO for Windows 2000
>Content-Class: urn:content-classes:message
>Importance: normal
>Priority: normal
>X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.0
>Newsgroups: microsoft.public.windows.server.sbs
>NNTP-Posting-Host: TK2MSFTNGXA03.phx.gbl 10.40.2.250
>Path: TK2MSFTNGXA01.phx.gbl!TK2MSFTNGXA03.phx.gbl
>Xref: TK2MSFTNGXA01.phx.gbl microsoft.public.windows.server.sbs:133969
>X-Tomcat-NG: microsoft.public.windows.server.sbs
>
>I've set up the security auditing as you've specified, but I'm not sure
>exactly what I should be looking for. Can you give me specific event or
>activity that I should be looking for?
>
>The exact symptoms are that I go in and apply the security settings as
>specified in KB 327000. Specifically, I'm adding two users with Send As
>permission via Advanced setting on the Security tab of the user I want
them
>to be able to send as for. If I wait a couple of hours or restart the
>Exchange server, these two users are able to Send As. However, if I then
>wait a while longer, not sure exactly how long, the two entries that I
added
>to the Security object simply disappear as if somebody went in and deleted
>them. there's obviously some policy that's overwriting them, I just don't
>know which.
>
>Thanks,
>
>
>
>"Andrew Cohen" wrote:
>
>> I'm trying to setup User A to have the ability to Send As (not on
behalf of)
>> User B. When I implement the directions as specified in MS KB327000
>> (http://support.microsoft.com/default.aspx?scid=kb;en-us;327000), I'm
able to
>> get it to work for a little while. However, after about 2 hours or so,
the
>> Send As permissions that I set for User B are completely wiped out. My
guess
>> is that there's some kind of recipient or user policy that is
overwriting the
>> change that I make. I am however unable to figure out how to change
this if
>> in fact that's what's happening. Any ideas?
>
.
- References:
- Send As permissions getting overwritten
- From: Andrew Cohen
- RE: Send As permissions getting overwritten
- From: Andrew Cohen
- Send As permissions getting overwritten
- Prev by Date: Re: Six O' Clock Slowdown
- Next by Date: RE: Terminal server, bdc setup
- Previous by thread: RE: Send As permissions getting overwritten
- Next by thread: OWA Problems, continued
- Index(es):
Relevant Pages
|
