Re: "Send as" and SBS Domain Power User
- From: v-natliu@xxxxxxxxxxxxxxxxxxxx ("Nathan Liu [MSFT]")
- Date: Tue, 13 Dec 2005 07:41:20 GMT
Hi Jan,
Thank you for your kind update.
Considering the current condition, please use the Dsacls utility to dump a list
of permissions of the Mailbox Store and send the file to my mailbox:
v-natliu@xxxxxxxxxxxxxx. I will check to see whether they are all correct.
To do so, please refer to the following steps:
1) Install Windows Support Tools from SBS 2003 CD2.
2) Go to the DOS prompt.
3) Type the following command:
Dsacls "DN of Mailbox Store" >c:\dsacls.txt
4) To obtain the DN of the Mailbox Store, please run ADSIEdit.msc and locate
the Mailbox Store object. The following is an example:
"CN=Mailbox Store (ComputerName),CN=First Storage Group,CN=InformationStore,CN=ComputerName,CN=Servers,CN=first administrative group,CN=Administrative Groups,CN=DomainName,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=DomainName,DC=local"
5) Please send the Dsacls.txt file to me.
I appreciate your time and cooperation. If anything is unclear, please feel
free to let me know. I am looking forward to hearing from you.
Best regards,
Nathan Liu (MSFT)
Microsoft CSS Online Newsgroup Support
Get Secure! - www.microsoft.com/security
======================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx
When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.
Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.
For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.
Any input or comments in this thread are highly appreciated.
======================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
>From: "Jan" <jan@.n.o.com>
>References: <#5AjiMR$FHA.740@xxxxxxxxxxxxxxxxxxxx>
> <2NUcCbu$FHA.552@xxxxxxxxxxxxxxxxxxxxx>
> <#dtZ6Ov$FHA.3872@xxxxxxxxxxxxxxxxxxxx>
> <WutJODw$FHA.552@xxxxxxxxxxxxxxxxxxxxx>
>Subject: Re: "Send as" and SBS Domain Power User
>Date: Mon, 12 Dec 2005 23:36:37 +1100
>Lines: 381
>X-Priority: 3
>X-MSMail-Priority: Normal
>X-Newsreader: Microsoft Outlook Express 6.00.2900.2670
>X-RFC2646: Format=Flowed; Original
>X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2670
>Message-ID: <OuRVyix$FHA.3852@xxxxxxxxxxxxxxxxxxxx>
>Newsgroups: microsoft.public.windows.server.sbs
>NNTP-Posting-Host: 58.6.37.186
>Path: TK2MSFTNGXA02.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP14.phx.gbl
>Xref: TK2MSFTNGXA02.phx.gbl microsoft.public.windows.server.sbs:229508
>X-Tomcat-NG: microsoft.public.windows.server.sbs
>
>Nathan,
>
>as I said before, Domain Power Users group is not in any security tab in
>exchange.
>Since Domain Power Users are members of Mail Operators group, I checked
>security settings of Mail Operators. There is no specific allow or deny
>against "send as" for Mail Operators.
>
>I don't want to start messing around with security settings on production
>servers. I will try to adjust Mail Operators group "send as" to deny on our
>test server tomorrow.
>
>Regards,
>--
>Jan Wakulicz
>www.micropol.com.au
>
>""Nathan Liu [MSFT]"" <v-natliu@xxxxxxxxxxxxxxxxxxxx> wrote in message
>news:WutJODw$FHA.552@xxxxxxxxxxxxxxxxxxxxxxxx
>> Hi Jan,
>>
>> Thanks for your quick update.
>>
>> Considering the current condition, since this issue occurs if we add a user
>> to Domain Power Users group, let's perform the following steps to
>> double-check these settings:
>>
>> 1. Open the Exchange System Manager, go to Servers -> ServerName -> First
>> Storage Group, right-click "Mailbox Store" and select Properties, click
>> Security tab, locate "Domain Power Users" entry and uncheck "Send As"
>> permission or check the Deny "Send As" check box, then click Apply and
>> click OK.
>>
>> I appreciate your time and cooperation. If anything is unclear, please feel
>> free to let me know. I am looking forward to hearing from you.
>>
>> Best regards,
>>
>> Nathan Liu (MSFT)
>> Microsoft CSS Online Newsgroup Support
>>
>> Get Secure! - www.microsoft.com/security
>> --------------------
>>>From: "Jan" <jan@.n.o.com>
>>>References: <#5AjiMR$FHA.740@xxxxxxxxxxxxxxxxxxxx>
>>> <2NUcCbu$FHA.552@xxxxxxxxxxxxxxxxxxxxx>
>>>Subject: Re: "Send as" and SBS Domain Power User
>>>Date: Mon, 12 Dec 2005 19:11:55 +1100
>>>Lines: 252
>>>X-Priority: 3
>>>X-MSMail-Priority: Normal
>>>X-Newsreader: Microsoft Outlook Express 6.00.2900.2670
>>>X-RFC2646: Format=Flowed; Original
>>>X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2670
>>>Message-ID: <#dtZ6Ov$FHA.3872@xxxxxxxxxxxxxxxxxxxx>
>>>Newsgroups: microsoft.public.windows.server.sbs
>>>NNTP-Posting-Host: 58.6.37.186
>>>Path: TK2MSFTNGXA02.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP12.phx.gbl
>>>Xref: TK2MSFTNGXA02.phx.gbl microsoft.public.windows.server.sbs:229464
>>>X-Tomcat-NG: microsoft.public.windows.server.sbs
>>>
>>>Hi Nathan,
>>>
>>>information you have provided describes expected behaviour. I have no
>>>problem with that and fully understand how to set up delegates and level of
>>>privileges they have.
>>>
>>>Now, I need to clarify where I see the problem.
>>>1. I create NEW SBS user using standard user template.
>>>2. This NEW user is NOT a delegate for any of the mailboxes on exchange.
>>>3. At this stage NEW user cannot send on behalf or send as any other user.
>>>4. As soon as I add NEW user to Domain Power Users group, NEW user can send
>>>email from any mail box. Receiver of this email doesn't see "on behalf of".
>>>Email looks like it came from user XXX or YYY or Administrator.
>>>This is why I said that Domain Power Users seemed to have "send as" rights
>>>to all mailboxes in SBS 2003 domain. Yet, this "send as" permission is not
>>>visible anywhere in security properties of exchange objects.
>>>I have tested this behaviour on three different SBS 2003 sites. I will try
>>>on few more in days to come as time allows.
>>>
>>>I hope, this time I made my description clearer.
>>>
>>>Cheers,
>>>--
>>>Jan Wakulicz
>>>www.micropol.com.au
>>>
>>>
>>>""Nathan Liu [MSFT]"" <v-natliu@xxxxxxxxxxxxxxxxxxxx> wrote in message
>>>news:2NUcCbu$FHA.552@xxxxxxxxxxxxxxxxxxxxxxxx
>>>> Hello Jan,
>>>>
>>>> Thank you for posting in the SBS newsgroup.
>>>>
>>>> First of all, my sincerest apologies for the delay in responding due to
>>>> the weekend; thanks for your understanding.
>>>>
>>>> Please kindly note the partner managed newsgroups are staffed weekdays by
>>>> Microsoft Support professionals. Our goal is to provide a one business day
>>>> response to all posts.
>>>>
>>>> For time critical issues (not business down), we encourage you to contact
>>>> CSS directly for more immediate assistance:
>>>> International Support (non-US/Canada):
>>>> http://support.microsoft.com/common/international.aspx
>>>>
>>>> US and Canada:
>>>> http://support.microsoft.com/default.aspx?scid=fh;EN-US;OfferProPhone
>>>>
>>>> To continue working with me in the newsgroups, please see the following:
>>>>
>>>> According to your description, I understand that you would like to figure
>>>> out why email "Send on behalf" was appearing as sent by delegating user. If
>>>> I have misunderstood the problem, please don't hesitate to let me know.
>>>>
>>>> I. As you mentioned, email "Send on behalf" was appearing as sent by
>>>> delegating user. Please kindly refer to the following information to
>>>> double-check if the delegating user has "Send on behalf" permissions:
>>>>
>>>> Grant "Send on behalf" permissions
>>>> =====================
>>>> If you grant a user "Send on behalf" permissions for another user's
>>>> mailbox, that user can send mail on behalf of the mailbox owner. The name
>>>> in the From box of these messages appears as
>>>> From: DelegateUser on behalf of MailboxOwner
>>>> where DelegateUser is the name of the user to whom you granted "Send on
>>>> behalf" permissions and where MailboxOwner is the name of the user who owns
>>>> the mailbox. There are two ways to grant a user "Send on behalf"
>>>> permissions.
>>>>
>>>> To grant a user "Send on behalf" permissions for another user's mailbox on
>>>> the server, follow these steps:
>>>> 1. Click Start, point to Programs, point to Administrative Tools, and then
>>>> click Active Directory Users and Computers.
>>>> 2. In the console tree, click Users.
>>>> 3. In the right pane, right-click the mailbox of MailboxOwner, and then
>>>> click Properties.
>>>> 4. Click the Exchange General tab, and then click Delivery Options.
>>>> 5. Under Send on behalf, click Add.
>>>> 6. Type the name of the DelegateUser, click Check Names to verify the
>>>> name, and then click OK.
>>>> 7. Click OK, and then click OK.
>>>> 8. Quit Active Directory Users and Computers.
>>>>
>>>> To grant a user "Send on behalf" permissions for another user's mailbox on
>>>> the client, follow these steps.
>>>>
>>>> In Microsoft Outlook 98 and in Microsoft Outlook 2000, follow these steps:
>>>> 1. Start Outlook.
>>>> 2. On the Tools menu, click Options.
>>>> 3. Click the Delegates tab, and then click Add.
>>>> 4. Select a user from the global address list, click Add, and then click
>>>> OK.
>>>> 5. In the permission list for Inbox, click Reviewer.
>>>>
>>>> Note: This requires a minimum of Reviewer permissions. However, you can give
>>>> a higher level of permissions if you want.
>>>> 6. Click OK two times.
>>>>
>>>> In Microsoft Outlook 2002 and in Microsoft Office Outlook 2003, follow
>>>> these steps:
>>>> 1. Start Outlook.
>>>> 2. On the Tools menu, click Options.
>>>> 3. Click the Delegates tab, and click Add.
>>>> 4. Select a user from the global address list, click Add, and then click
>>>> OK.
>>>> 5. In the permission lists for Calendar and Tasks, click None.
>>>> 6. Click OK two times.
>>>>
>>>> For example, if you grant UserB "Send on behalf" permissions to UserA's
>>>> mailbox, UserB can send messages on behalf of UserA. The From box in these
>>>> messages appears as follows:
>>>> From: UserB on behalf of UserA
>>>>
>>>>
>>>> II. >> It is not clear to me why, but in SBS2003 domain, users that belong
>>>> to Domain Power Users group automatically get "Send as" rights on all
>>>> mailboxes!
>>>>
>>>> Please kindly note the Domain Admins group doesn't have "Send as" permissions
>>>> on all mailboxes; these are denied by default, so the Domain Power Users
>>>> group also doesn't have "Send as" rights on all mailboxes by default. Please
>>>> kindly refer to the following information to double-check these settings:
>>>>
>>>> Grant "Send as" permissions
>>>>
>>>> If you grant a user "Send as" permissions for another user's mailbox, the
>>>> DelegateUser can send mail as the MailboxOwner. The From box in these
>>>> messages appears as follows:
>>>> From: MailboxOwner
>>>>
>>>> To grant a user "Send as" permissions for another user's mailbox:
>>>> 1. On an Exchange computer, click Start, point to Programs, point to
>>>> Microsoft Exchange, and then click Active Directory Users and Computers.
>>>> 2. On the View menu, click to select Advanced Features.
>>>> 3. Expand Users, right-click the MailboxOwner object where you want to
>>>> grant the permission, and then click Properties.
>>>> 4. Click the Security tab, and then click Advanced.
>>>> 5. In the Access Control Settings for MailboxOwner dialog box, click Add.
>>>> 6. In the Select User, Computer, or Group dialog box, click the user
>>>> account or the group that you want to grant "Send as" permissions to, and
>>>> then click OK.
>>>> 7. In the Permission Entry for MailboxOwner dialog box, click This Object
>>>> Only in the Apply onto list.
>>>> 8. In the Permissions list, locate Send As, and then click to select the
>>>> Allow check box.
>>>> 9. Click OK three times to close the dialog boxes.
>>>>
>>>> For example, if you grant UserB "Send as" permissions for UserA's mailbox,
>>>> UserB can send messages that appear to be sent from UserA. The From box in
>>>> these messages appears as follows:
>>>> From: UserA
>>>>
>>>> Note: If you grant a user both "Send as" and "Send on behalf of"
>>>> permissions, the "Send as" permission overrides the "Send on behalf of"
>>>> permission.
>>>>
>>>>
>>>> To get additional detailed information, you may refer to the following KB
>>>> article:
>>>>
>>>> 327000 How to grant "Send as" and "Send on behalf" permissions in Exchange
>>>> 2000 Server
>>>> http://support.microsoft.com/default.aspx?scid=kb;en-us;327000
>>>>
>>>> I appreciate your time and cooperation. If anything is unclear, please feel
>>>> free to let me know. I am looking forward to hearing from you.
>>>>
>>>> Best regards,
>>>>
>>>> Nathan Liu (MSFT)
>>>> Microsoft CSS Online Newsgroup Support
>>>>
>>>> Get Secure! - www.microsoft.com/security
>>>> --------------------
>>>>>From: "Jan" <jan@.n.o.com>
>>>>>Subject: "Send as" and SBS Domain Power User
>>>>>Date: Sat, 10 Dec 2005 09:51:44 +1100
>>>>>Lines: 24
>>>>>X-Priority: 3
>>>>>X-MSMail-Priority: Normal
>>>>>X-Newsreader: Microsoft Outlook Express 6.00.2900.2670
>>>>>X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2670
>>>>>X-RFC2646: Format=Flowed; Original
>>>>>Message-ID: <#5AjiMR$FHA.740@xxxxxxxxxxxxxxxxxxxx>
>>>>>Newsgroups: microsoft.public.windows.server.sbs
>>>>>NNTP-Posting-Host: 58.6.37.186
>>>>>Path: TK2MSFTNGXA02.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP12.phx.gbl
>>>>>Xref: TK2MSFTNGXA02.phx.gbl microsoft.public.windows.server.sbs:229165
>>>>>X-Tomcat-NG: microsoft.public.windows.server.sbs
>>>>>
>>>>>Recently we spent couple of hours trying to figure out why email "Send on
>>>>>behalf" was appearing as sent by delegating user.
>>>>>We traced it down to the fact that user was a member of Domain Power Users
>>>>>group.
>>>>>
>>>>>It is not clear to me why, but in SBS2003 domain, users that belong to
>>>>>Domain Power Users group automagically get "Send as" rights on all
>>>>>mailboxes!
>>>>>On top of that this right (send as) is NOT visible in any of security
>>>>>properties on exchange. By default not even Enterprise Admins have "send as"
>>>>>permissions on exchange.
>>>>>I have tested above on three different SBS2003 installations.
>>>>>At this stage we don't know if other privileges get elevated beyond expected
>>>>>for Domain Power User.
>>>>>Until we get clear picture why this is happening, I will avoid putting users
>>>>>into this specific group.
>>>>>
>>>>>Anyone care to comment?
>>>>>
>>>>>--
>>>>>Jan Wakulicz
>>>>>www.micropol.com.au
>>>>>
>>>>>
>>>>>
>>>>
>>>
>>>
>>>
>>
>
>
>
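Added example (not part of the original thread and not Microsoft's tooling): the thread turns on a "Send as" right that no security tab shows for the group. An Active Directory ACL can convey Send As without naming it, through an ACE that grants all extended rights or full control, and that ACE may be inherited. The sketch below scans a security descriptor in SDDL form for every ACE that allows or denies Send As to an account or any of its groups. It assumes the object's descriptor has already been exported as an SDDL string; the SDDL, SIDs, RIDs 1150/1201 and the function names are constructed for illustration.

```python
import re

SEND_AS = "ab721a54-1e2f-11d0-9819-00aa0040529b"  # rightsGuid of the Send-As extended right
CR_BIT, GA_BIT = 0x100, 0x10000000                # control access, generic all


def _codes(field):
    """Split an SDDL flag or rights string into its two-letter codes."""
    return {field[i:i + 2] for i in range(0, len(field), 2)}


def _covers_send_as(rights, obj_guid):
    """Say how an ACE's rights reach Send As, or return None if they do not."""
    if rights.lower().startswith("0x"):           # rights given as a hex access mask
        mask = int(rights, 16)
        cr, ga = bool(mask & CR_BIT), bool(mask & GA_BIT)
    else:
        cr, ga = "CR" in _codes(rights), "GA" in _codes(rights)
    if ga and not obj_guid:
        return "generic all"
    if cr and not obj_guid:                       # no object GUID: every extended right
        return "all extended rights"
    if cr and obj_guid.lower() == SEND_AS:
        return "explicit Send As"
    return None


def send_as_aces(sddl, trustee_sids):
    """List (effect, how, sid, inherited) for each DACL ACE that allows or denies
    Send As to one of trustee_sids (the account's SID plus its group SIDs)."""
    dacl = sddl.split("D:", 1)[1].split("S:", 1)[0]
    found = []
    for ace in re.findall(r"\(([^()]*)\)", dacl):
        typ, flags, rights, obj, _inherit_obj, sid = ace.split(";")[:6]
        effect = {"A": "allow", "OA": "allow", "D": "deny", "OD": "deny"}.get(typ)
        how = _covers_send_as(rights, obj)
        # "IO" (inherit-only) ACEs do not apply to the object itself.
        if effect and how and sid in trustee_sids and "IO" not in _codes(flags):
            found.append((effect, how, sid, "ID" in _codes(flags)))
    return found


def effective(sddl, trustee_sids):
    """For a single right, the first matching ACE in DACL order decides."""
    hits = send_as_aces(sddl, trustee_sids)
    return hits[0][0] if hits else "no matching ACE"


# Constructed sample: domain SID and the RIDs 1150 (a group) and 1201 (a user) are made up.
DOM = "S-1-5-21-1111111111-2222222222-3333333333"
ADMINS, OPS, USER = DOM + "-512", DOM + "-1150", DOM + "-1201"
SAMPLE_SDDL = (
    "O:BAG:BAD:AI"
    f"(OD;;CR;{SEND_AS};;{ADMINS})"                            # explicit deny of Send As
    f"(OA;CI;CR;ab721a56-1e2f-11d0-9819-00aa0040529b;;{OPS})"  # Receive As only
    f"(A;CIIO;GA;;;{OPS})"                                     # inherit-only, skipped
    f"(A;CIID;RPWPCR;;;{OPS})"                                 # inherited, all extended rights
)

if __name__ == "__main__":
    for hit in send_as_aces(SAMPLE_SDDL, {USER, OPS}):
        print(hit)
```

In the constructed sample the user holds no ACE of their own; the only hit comes from the group's inherited ACE, which carries `CR` with no object GUID and therefore never appears as a "Send As" entry.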