Re: "Send as" and SBS Domain Power User
- From: "Jan" <jan@.n.o.com>
- Date: Mon, 12 Dec 2005 19:11:55 +1100
Hi Nathan,
information you have provided describes expected behaviour. I have no
problem with that and fully understand how to set up delegates and level of
privileges they have.
Now, I need to clarify where I see the problem.
1. I create NEW SBS user using standard user template.
2. This NEW user is NOT a delegate for any of the mailboxes on exchange.
3. At this stage NEW user cannot send on behalf or send as any other user.
4. As soon as I add NEW user to Domain Power Users group, NEW user can send
email from any mail box. Receiver of this email doesn't see "on behalf of".
Email looks like it came from user XXX or YYY or Administrator.
This is why I said that Domain Power Users seemed to have "send as" rights
to all mailboxes in SBS 2003 domain. Yet, this "send as" permission is not
visible anywhere in security properties of exchange objects.
I have tested this behaviour on three different SBS 2003 sites. I will try
on few more in days to come as time allows.
I hope, this time I made my description clearer.
Cheers,
--
Jan Wakulicz
www.micropol.com.au
""Nathan Liu [MSFT]"" <v-natliu@xxxxxxxxxxxxxxxxxxxx> wrote in message
news:2NUcCbu$FHA.552@xxxxxxxxxxxxxxxxxxxxxxxx
> Hello Jan,
>
> Thank you for posting in the SBS newsgroup.
>
> First of all, my sincerest apologies for the delay in responding due to
> weekend, thanks for the understanding.
>
> Please kindly note the partner managed newsgroups are staffed weekdays by
> Microsoft Support professionals. Our goal is to provide a one business day
> response to all posts.
>
> For time critical issues (not business down), we encourage you to contact
> CSS directly for more immediate assistance:
> International Support (non-US/Canada):
> http://support.microsoft.com/common/international.aspx
>
> US and Canada:
> http://support.microsoft.com/default.aspx?scid=fh;EN-US;OfferProPhone
>
> To continue working with me in the newsgroups, please see the following:
>
> According to your description, I understand that you would like to figure
> out why email "Send on behalf" was appearing as sent by delegating user.
> If
> I have misunderstood the problem, please don't hesitate to let me know.
>
> I. As you mentioned, these email "Send on behalf" was appearing as sent
> by delegating user, please kindly refer to the following information to
> double-check if the delegating user has "Send on behalf" permissions:
>
> Grant "Send on behalf" permissions
> =====================
> If you grant a user "Send on behalf" permissions for another user's
> mailbox, that user can send mail on behalf of the mailbox owner. The name
> in the From box of these messages appears as From: DelegateUser on behalf
> of MailboxOwner
> where DelegateUser is the name of the user to whom you granted "Send on
> behalf" permissions and where MailboxOwner is the name of the user who
> owns
> the mailbox. There are two ways to grant a user "Send on behalf"
> permissions.
>
> To grant a user "Send on behalf" permissions for another user's mailbox on
> the server, follow these steps:
> 1. Click Start, point to Programs, point to Administrative Tools, and then
> click Active Directory Users and Computers.
> 2. In the console tree, click Users.
> 3. In the right pane, right-click the mailbox of MailboxOwner, and then
> click Properties.
> 4. Click the Exchange General tab, and then click Delivery Options.
> 5. Under Send on behalf, click Add.
> 6. Type the name of the DelegateUser, click Check Names to verify the
> name, and then click OK.
> 7. Click OK, and then click OK.
> 8. Quit Active Directory Users and Computers.
> To grant a user "Send on behalf" permissions for another user¡¯s mailbox
> on
> the client, follow these steps.
>
> In Microsoft Outlook 98 and in Microsoft Outlook 2000, follow these steps:
> 1. Start Outlook.
> 2. On the Tools menu, click Options.
> 3. Click the Delegates tab, and then click Add.
> 4. Select a user from the global address list, click Add, and then click
> OK.
> 5. In the permission list for Inbox, click Reviewer.
>
> Note This requires a minimum of Reviewer permissions. However, you can
> give
> a higher level of permissions if you want.
> 6. Click OK two times.
> In Microsoft Outlook 2002 and in Microsoft Office Outlook 2003, follow
> these steps:
> 1. Start Outlook.
> 2. On the Tools menu, click Options.
> 3. Click the Delegates tab, and click Add.
> 4. Select a user from the global address list, click Add, and then click
> OK.
> 5. In the permission lists for Calendar and Tasks, click None.
> 6. Click OK two times.
> For example, if you grant UserB "Send on behalf" permissions to UserA's
> mailbox, UserB can send messages on behalf of UserA. The From box in these
> messages appears as follows:
> From: UserB on behalf of UserA
>
>
> II. >> It is not clear to me why, but in SBS2003 domain, users that
> belong
> to Domain Power Users group automatically get "Send as" rights on all
> mailboxes!
>
> Please kindly note Domain Admins group doesn¡¯t have "Send as" permissions
> on all mailboxes, these are denied by default, so the Domain Power Users
> group also hasn't "Send as" rights on all mailboxes by default. Please
> kindly refer to the following information to double-check these settings:
>
> Grant "Send as" permissions
>
> If you grant a user "Send as" permissions for another user's mailbox, the
> DelegateUser can send mail as the MailboxOwner. The From box in these
> messages appears as follows:
> From: MailboxOwner
> To grant a user "Send as" permissions for another user's mailbox:
> 1. On an Exchange computer, click Start, point to Programs, point to
> Microsoft Exchange, and then click Active Directory Users and Computers.
> 2. On the View menu, click to select Advanced Features.
> 3. Expand Users, right-click the MailboxOwner object where you want to
> grant the permission, and then click Properties.
> 4. Click the Security tab, and then click Advanced.
> 5. In the Access Control Settings for MailboxOwner dialog box, click Add.
> 6. In the Select User, Computer, or Group dialog box, click the user
> account or the group that you want to grant "Send as" permissions to, and
> then click OK.
> 7. In the Permission Entry for MailboxOwner dialog box, click This Object
> Only in the Apply onto list.
> 8. In the Permissions list, locate Send As, and then click to select the
> Allow check box.
> 9. Click OK three times to close the dialog boxes.
> For example, if you grant UserB "Send as" permissions for UserA's mailbox,
> UserB can send messages that appear to be sent from UserA. The From box in
> these messages appears as follows:
> From: UserA
> Note If you grant a user both "Send as" and ¡°Send on behalf of¡±
> permissions, the "Send as" permission overrides the "Send on behalf of"
> permission.
>
>
> To get additional detailed information, you may refer to the following KB
> article:
>
> 327000 How to grant "Send as" and "Send on behalf" permissions in Exchange
> 2000 Server
> http://support.microsoft.com/default.aspx?scid=kb;en-us;327000
>
> I appreciate your time and cooperation. If anything is unclear, please
> feel
> free to let me know. I am looking forward to hearing from you.
>
> Best regards,
>
> Nathan Liu (MSFT)
> Microsoft CSS Online Newsgroup Support
>
> Get Secure! - www.microsoft.com/security
> ======================================================
> This newsgroup only focuses on SBS technical issues. If you have issues
> regarding other Microsoft products, you'd better post in the corresponding
> newsgroups so that they can be resolved in an efficient and timely manner.
> You can locate the newsgroup here:
> http://www.microsoft.com/communities/newsgroups/en-us/default.aspx
>
> When opening a new thread via the web interface, we recommend you check
> the
> "Notify me of replies" box to receive e-mail notifications when there are
> any updates in your thread. When responding to posts via your newsreader,
> please "Reply to Group" so that others may learn and benefit from your
> issue.
>
> Microsoft engineers can only focus on one issue per thread. Although we
> provide other information for your reference, we recommend you post
> different incidents in different threads to keep the thread clean. In
> doing
> so, it will ensure your issues are resolved in a timely manner.
>
> For urgent issues, you may want to contact Microsoft CSS directly. Please
> check http://support.microsoft.com for regional support phone numbers.
>
> Any input or comments in this thread are highly appreciated.
> ======================================================
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
>
>
>
>
> --------------------
>>From: "Jan" <jan@.n.o.com>
>>Subject: "Send as" and SBS Domain Power User
>>Date: Sat, 10 Dec 2005 09:51:44 +1100
>>Lines: 24
>>X-Priority: 3
>>X-MSMail-Priority: Normal
>>X-Newsreader: Microsoft Outlook Express 6.00.2900.2670
>>X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2670
>>X-RFC2646: Format=Flowed; Original
>>Message-ID: <#5AjiMR$FHA.740@xxxxxxxxxxxxxxxxxxxx>
>>Newsgroups: microsoft.public.windows.server.sbs
>>NNTP-Posting-Host: 58.6.37.186
>>Path: TK2MSFTNGXA02.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP12.phx.gbl
>>Xref: TK2MSFTNGXA02.phx.gbl microsoft.public.windows.server.sbs:229165
>>X-Tomcat-NG: microsoft.public.windows.server.sbs
>>
>>Recently we spent couple of hours trying to figure out why email "Send on
>>behalf" was appearing as sent by delegating user.
>>We traced it down to the fact that user was a member of Domain Power Users
>>group.
>>
>>It is not clear to me why, but in SBS2003 domain, users that belong to
>>Domain Power Users group automagically get "Send as" rights on all
>>mailboxes!
>>On top of that this right (send as) is NOT visible in any of security
>>properties on exchange. By default not even Enterprise Admins have "send
> as"
>>permissions on exchange.
>>I have tested above on three different SBS2003 installations.
>>At this stage we don't know if other privileges get elevated beyond
> expected
>>for Domain Power User.
>>Until we get clear picture why this is happening, I will avoid putting
> users
>>into this specific group.
>>
>>Anyone care to comment?
>>
>>--
>>Jan Wakulicz
>>www.micropol.com.au
>>
>>
>>
>
.
- Follow-Ups:
- Re: "Send as" and SBS Domain Power User
- From: "Nathan Liu [MSFT]"
- Re: "Send as" and SBS Domain Power User
- References:
- "Send as" and SBS Domain Power User
- From: Jan
- RE: "Send as" and SBS Domain Power User
- From: "Nathan Liu [MSFT]"
- "Send as" and SBS Domain Power User
- Prev by Date: Re: RWW Problem
- Next by Date: Userenv errors in client application logs
- Previous by thread: RE: "Send as" and SBS Domain Power User
- Next by thread: Re: "Send as" and SBS Domain Power User
- Index(es):
Relevant Pages
|
Loading
