Re: "Send as" and SBS Domain Power User



Nathan,

As I said before, the Domain Power Users group is not in any security tab in
Exchange.
Since Domain Power Users are members of the Mail Operators group, I checked the
security settings of Mail Operators. There is no specific allow or deny
against "send as" for Mail Operators.

I don't want to start messing around with security settings on production
servers. I will try to adjust Mail Operators group "send as" to deny on our
test server tomorrow.

Regards,
--
Jan Wakulicz
www.micropol.com.au

"Nathan Liu [MSFT]" <v-natliu@xxxxxxxxxxxxxxxxxxxx> wrote in message
news:WutJODw$FHA.552@xxxxxxxxxxxxxxxxxxxxxxxx
> Hi Jan,
>
> Thanks for your quick update.
>
> Considering the current condition, since this issue occurs if we add a user
> to Domain Power Users group, let's perform the following steps to
> double-check these settings:
>
> 1. Open the Exchange System Manager, go to Servers -> ServerName -> First
> Storage Group, right-click "Mailbox Store" and select Properties, click
> Security tab, locate "Domain Power Users" entry and uncheck "Send As"
> permission or check the Deny "Send As" check box, then click Apply and
> click OK.
>
> I appreciate your time and cooperation. If anything is unclear, please feel
> free to let me know. I am looking forward to hearing from you.
>
> Best regards,
>
> Nathan Liu (MSFT)
> Microsoft CSS Online Newsgroup Support
>
> Get Secure! - www.microsoft.com/security
> ======================================================
> This newsgroup only focuses on SBS technical issues. If you have issues
> regarding other Microsoft products, you'd better post in the corresponding
> newsgroups so that they can be resolved in an efficient and timely manner.
> You can locate the newsgroup here:
> http://www.microsoft.com/communities/newsgroups/en-us/default.aspx
>
> When opening a new thread via the web interface, we recommend you check the
> "Notify me of replies" box to receive e-mail notifications when there are
> any updates in your thread. When responding to posts via your newsreader,
> please "Reply to Group" so that others may learn and benefit from your
> issue.
>
> Microsoft engineers can only focus on one issue per thread. Although we
> provide other information for your reference, we recommend you post
> different incidents in different threads to keep the thread clean. In doing
> so, it will ensure your issues are resolved in a timely manner.
>
> For urgent issues, you may want to contact Microsoft CSS directly. Please
> check http://support.microsoft.com for regional support phone numbers.
>
> Any input or comments in this thread are highly appreciated.
> ======================================================
> This posting is provided "AS IS" with no warranties, and confers no rights.
>
>
>
>
> --------------------
>>From: "Jan" <jan@.n.o.com>
>>Subject: Re: "Send as" and SBS Domain Power User
>>Date: Mon, 12 Dec 2005 19:11:55 +1100
>>
>>Hi Nathan,
>>
>>information you have provided describes expected behaviour. I have no
>>problem with that and fully understand how to set up delegates and level of
>>privileges they have.
>>
>>Now, I need to clarify where I see the problem.
>>1. I create NEW SBS user using standard user template.
>>2. This NEW user is NOT a delegate for any of the mailboxes on exchange.
>>3. At this stage NEW user cannot send on behalf or send as any other user.
>>4. As soon as I add NEW user to Domain Power Users group, NEW user can send
>>email from any mail box. Receiver of this email doesn't see "on behalf of".
>>Email looks like it came from user XXX or YYY or Administrator.
>>This is why I said that Domain Power Users seemed to have "send as" rights
>>to all mailboxes in SBS 2003 domain. Yet, this "send as" permission is not
>>visible anywhere in security properties of exchange objects.
>>I have tested this behaviour on three different SBS 2003 sites. I will try
>>on few more in days to come as time allows.
>>
>>I hope, this time I made my description clearer.
>>
>>Cheers,
>>--
>>Jan Wakulicz
>>www.micropol.com.au
>>
>>
>>"Nathan Liu [MSFT]" <v-natliu@xxxxxxxxxxxxxxxxxxxx> wrote in message
>>news:2NUcCbu$FHA.552@xxxxxxxxxxxxxxxxxxxxxxxx
>>> Hello Jan,
>>>
>>> Thank you for posting in the SBS newsgroup.
>>>
>>> First of all, my sincerest apologies for the delay in responding due to
>>> weekend, thanks for the understanding.
>>>
>>> Please kindly note the partner managed newsgroups are staffed weekdays by
>>> Microsoft Support professionals. Our goal is to provide a one business day
>>> response to all posts.
>>>
>>> For time critical issues (not business down), we encourage you to contact
>>> CSS directly for more immediate assistance:
>>> International Support (non-US/Canada):
>>> http://support.microsoft.com/common/international.aspx
>>>
>>> US and Canada:
>>> http://support.microsoft.com/default.aspx?scid=fh;EN-US;OfferProPhone
>>>
>>> To continue working with me in the newsgroups, please see the following:
>>>
>>> According to your description, I understand that you would like to figure
>>> out why email "Send on behalf" was appearing as sent by delegating user. If
>>> I have misunderstood the problem, please don't hesitate to let me know.
>>>
>>> I. As you mentioned, these email "Send on behalf" was appearing as sent
>>> by delegating user, please kindly refer to the following information to
>>> double-check if the delegating user has "Send on behalf" permissions:
>>>
>>> Grant "Send on behalf" permissions
>>> =====================
>>> If you grant a user "Send on behalf" permissions for another user's
>>> mailbox, that user can send mail on behalf of the mailbox owner. The name
>>> in the From box of these messages appears as
>>> From: DelegateUser on behalf of MailboxOwner
>>> where DelegateUser is the name of the user to whom you granted "Send on
>>> behalf" permissions and where MailboxOwner is the name of the user who owns
>>> the mailbox. There are two ways to grant a user "Send on behalf"
>>> permissions.
>>>
>>> To grant a user "Send on behalf" permissions for another user's mailbox on
>>> the server, follow these steps:
>>> 1. Click Start, point to Programs, point to Administrative Tools, and then
>>> click Active Directory Users and Computers.
>>> 2. In the console tree, click Users.
>>> 3. In the right pane, right-click the mailbox of MailboxOwner, and then
>>> click Properties.
>>> 4. Click the Exchange General tab, and then click Delivery Options.
>>> 5. Under Send on behalf, click Add.
>>> 6. Type the name of the DelegateUser, click Check Names to verify the
>>> name, and then click OK.
>>> 7. Click OK, and then click OK.
>>> 8. Quit Active Directory Users and Computers.
>>>
>>> To grant a user "Send on behalf" permissions for another user's mailbox on
>>> the client, follow these steps.
>>>
>>> In Microsoft Outlook 98 and in Microsoft Outlook 2000, follow these steps:
>>> 1. Start Outlook.
>>> 2. On the Tools menu, click Options.
>>> 3. Click the Delegates tab, and then click Add.
>>> 4. Select a user from the global address list, click Add, and then click
>>> OK.
>>> 5. In the permission list for Inbox, click Reviewer.
>>>
>>> Note This requires a minimum of Reviewer permissions. However, you can give
>>> a higher level of permissions if you want.
>>> 6. Click OK two times.
>>>
>>> In Microsoft Outlook 2002 and in Microsoft Office Outlook 2003, follow
>>> these steps:
>>> 1. Start Outlook.
>>> 2. On the Tools menu, click Options.
>>> 3. Click the Delegates tab, and click Add.
>>> 4. Select a user from the global address list, click Add, and then click
>>> OK.
>>> 5. In the permission lists for Calendar and Tasks, click None.
>>> 6. Click OK two times.
>>>
>>> For example, if you grant UserB "Send on behalf" permissions to UserA's
>>> mailbox, UserB can send messages on behalf of UserA. The From box in these
>>> messages appears as follows:
>>> From: UserB on behalf of UserA
>>>
>>>
>>> II. >> It is not clear to me why, but in SBS2003 domain, users that belong
>>> to Domain Power Users group automatically get "Send as" rights on all
>>> mailboxes!
>>>
>>> Please kindly note Domain Admins group doesn't have "Send as" permissions
>>> on all mailboxes, these are denied by default, so the Domain Power Users
>>> group also hasn't "Send as" rights on all mailboxes by default. Please
>>> kindly refer to the following information to double-check these settings:
>>>
>>> Grant "Send as" permissions
>>>
>>> If you grant a user "Send as" permissions for another user's mailbox, the
>>> DelegateUser can send mail as the MailboxOwner. The From box in these
>>> messages appears as follows:
>>> From: MailboxOwner
>>>
>>> To grant a user "Send as" permissions for another user's mailbox:
>>> 1. On an Exchange computer, click Start, point to Programs, point to
>>> Microsoft Exchange, and then click Active Directory Users and Computers.
>>> 2. On the View menu, click to select Advanced Features.
>>> 3. Expand Users, right-click the MailboxOwner object where you want to
>>> grant the permission, and then click Properties.
>>> 4. Click the Security tab, and then click Advanced.
>>> 5. In the Access Control Settings for MailboxOwner dialog box, click Add.
>>> 6. In the Select User, Computer, or Group dialog box, click the user
>>> account or the group that you want to grant "Send as" permissions to, and
>>> then click OK.
>>> 7. In the Permission Entry for MailboxOwner dialog box, click This Object
>>> Only in the Apply onto list.
>>> 8. In the Permissions list, locate Send As, and then click to select the
>>> Allow check box.
>>> 9. Click OK three times to close the dialog boxes.
>>>
>>> For example, if you grant UserB "Send as" permissions for UserA's mailbox,
>>> UserB can send messages that appear to be sent from UserA. The From box in
>>> these messages appears as follows:
>>> From: UserA
>>>
>>> Note If you grant a user both "Send as" and "Send on behalf of"
>>> permissions, the "Send as" permission overrides the "Send on behalf of"
>>> permission.
>>>
>>>
>>> To get additional detailed information, you may refer to the following KB
>>> article:
>>>
>>> 327000 How to grant "Send as" and "Send on behalf" permissions in Exchange
>>> 2000 Server
>>> http://support.microsoft.com/default.aspx?scid=kb;en-us;327000
>>>
>>> I appreciate your time and cooperation. If anything is unclear, please feel
>>> free to let me know. I am looking forward to hearing from you.
>>>
>>> Best regards,
>>>
>>> Nathan Liu (MSFT)
>>> Microsoft CSS Online Newsgroup Support
>>>
>>>
>>>
>>>
>>>
>>> --------------------
>>>>From: "Jan" <jan@.n.o.com>
>>>>Subject: "Send as" and SBS Domain Power User
>>>>Date: Sat, 10 Dec 2005 09:51:44 +1100
>>>>
>>>>Recently we spent couple of hours trying to figure out why email "Send on
>>>>behalf" was appearing as sent by delegating user.
>>>>We traced it down to the fact that user was a member of Domain Power Users
>>>>group.
>>>>
>>>>It is not clear to me why, but in SBS2003 domain, users that belong to
>>>>Domain Power Users group automagically get "Send as" rights on all
>>>>mailboxes!
>>>>On top of that this right (send as) is NOT visible in any of security
>>>>properties on exchange. By default not even Enterprise Admins have "send as"
>>>>permissions on exchange.
>>>>I have tested above on three different SBS2003 installations.
>>>>At this stage we don't know if other privileges get elevated beyond expected
>>>>for Domain Power User.
>>>>Until we get clear picture why this is happening, I will avoid putting users
>>>>into this specific group.
>>>>
>>>>Anyone care to comment?
>>>>
>>>>--
>>>>Jan Wakulicz
>>>>www.micropol.com.au
>>>>
>>>>
>>>>
>>>
>>
>>
>>
>
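
Added example (not part of the original thread or of Microsoft's guidance): a Python function that reads the SDDL form of a user object's security descriptor and lists every DACL entry that bears on "Send As", including inherited entries and entries that carry all extended rights without naming Send As. The sample descriptor and its SIDs are constructed, the function names are this example's own, and conditional ACEs are assumed absent.

```python
import re

SEND_AS = "ab721a54-1e2f-11d0-9819-00aa0040529b"  # Send-As extended right GUID
CONTROL_ACCESS, GENERIC_ALL = 0x100, 0x10000000     # extended-rights bit, generic all

# Constructed descriptor for a hypothetical mailbox-enabled user (SIDs are made up).
SAMPLE = ("O:DAG:DAD:AI"
          "(OD;;CR;ab721a54-1e2f-11d0-9819-00aa0040529b;;S-1-5-21-1-2-3-1110)"  # deny Send As
          "(OA;;CR;ab721a54-1e2f-11d0-9819-00aa0040529b;;PS)"    # SELF: Send As
          "(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;WD)"    # Change Password, not Send As
          "(A;CIID;RPWPCRCCDCLCLORCWOWDSDDTSW;;;S-1-5-21-1-2-3-1105)"  # inherited full control
          "(A;;RPLCLORC;;;AU)")                                  # read-only entry

def _pairs(field):
    """Split an SDDL flags/rights string into its two-letter tokens."""
    return {field[i:i + 2] for i in range(0, len(field), 2)}

def _grants_extended(rights):
    """True if the rights field includes control-access (extended rights)."""
    if rights.lower().startswith("0x"):
        return bool(int(rights, 16) & (CONTROL_ACCESS | GENERIC_ALL))
    return bool(_pairs(rights) & {"CR", "GA"})

def send_as_aces(sddl):
    """Return (effect, trustee, scope, origin) for each DACL ACE bearing on Send As."""
    dacl = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    found = []
    for ace in re.findall(r"\(([^)]*)\)", dacl.group(1) if dacl else ""):
        ace_type, flags, rights, obj, _inherit_obj, trustee = ace.split(";")[:6]
        if ace_type not in ("A", "D", "OA", "OD") or "IO" in _pairs(flags):
            continue  # not an allow/deny ACE, or inherit-only (skips this object)
        if not _grants_extended(rights):
            continue
        if obj and obj.lower() != SEND_AS:
            continue  # scoped to a different extended right or property
        found.append(("allow" if ace_type.endswith("A") else "deny",
                      trustee,
                      "send-as" if obj else "all-extended-rights",
                      "inherited" if "ID" in _pairs(flags) else "explicit"))
    return found
```

Entries reported as "all-extended-rights" are the ones to check when a trustee can send as a mailbox owner although no ACE names Send As; resolving group membership of each trustee is left to the reader's directory tooling.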

