Re: "Send as" and SBS Domain Power User

Hi Jan,

Many thanks for your waiting. I appreciate your time and patience.

I. I have checked these dsacls log files, and compare them with my testing
machince, I didn't find any problem with them. And I have also tried to
reproduce this specific issue, but I cannot reproduce it on my testing
machine.

II. Considering the current condition, it is aneffective and feasible way
to check the "Deny" "Send As" permission check box for "Domain Power Users"
via ESM. Meanwhile, we will continue to research and test this issue, then
update the result to you. Thanks for your understanding.

To deny "Send As" permission for "Domain Power Users" via ESM, open the
Exchange System Manager on the SBS Server, expand Servers -> ServerName ->
First Storage Group, right-click "Mailbox Store" and select Properties,
click Security tab, click Add and input "Domain Power Users" then click OK,
CHECK the "Deny" check box for "Send As" entry.

III. Based on my research, we have a known issue about "Send As" and
"Domain Power users" in SBS 2003 Server, however, the current issue is a
reverse issue. You may also check it:
Problem Description

The 'Send As' permission granted for user A to 'send as' user B keeps
disappearing.

Explanation and Resolution

I. If it's a SBS 2003

The issue should be caused that the users are members of the 'Domain Power
User' group, possibly that he has 'Power Users' template applied to the
users. The 'Domain Power User' is a sub-group of 'SBS Remote Operators',
and 'SBS Remote Operators' has the 'Deny Logon Locally' policy setting from
'Default Domain Controller' GPO. That will cause the ACL permission setting
to be reverted.

I would suggest any of the following:

1) Apply the 'Users' template to the existing power users using the
Change User Permissions Wizard.

2) Remove 'SBS Remote Operators' from the 'Deny Logon Locally
policy' settings, re-apply the 'Power Users' templates to the user accounts.

The same cause will raise some other issues, for example '330876 Power
Users are Unable to FTP on Microsoft Windows Small Business Server'.

II. A normal Exchange server

Basically, this issue is most likely caused that the problematic user is
part of the groups listed below.

Looking at Q319966 where depending on whether that group or the users are
members of AdminSDHolder, those permissions can be reset every hour: 319966
"You do not have sufficient permissions in the Domain" error message -
http://support.microsoft.com/?id=319966.

More Information can be found in the following KBs:

¡¤ 817433 Delegated permissions are not available and inheritance is
automatically - http://support.microsoft.com/?id=817433\

¡¤ 318180 AdminSDHolder Thread Affects Transitive Members of
Distribution Groups - http://support.microsoft.com/?id=318180

Which basically states that if the user is a member of a Distribution group
that is a member for any of the following groups the permissions is reset
every hour:

- Enterprise Admins

- Schema Admins

- Domain Admins

- Administrators

- Domain Controllers

- Cert Publishers

- Backup Operators

- Replicator Server Operators

- Account Operators

- Print Operators

IV. Did you install the SBS 2003 SP1 and Exchange 2003 SP2? If not, please
kindly refer to the following information to install them, and then check
if the issue can be reproduced.

Installation Instructions for Service Pack 1 for Windows Small Business
Server 2003, Standard Edition
http://download.microsoft.com/download/2/e/9/2e902d14-da2e-43ba-8bd6-6d258f5
356b6/SP1Setup_std.htm

Installation Instructions for Service Pack 1 for Windows Small Business
Server 2003, Premium Technologies
http://download.microsoft.com/download/2/e/9/2e902d14-da2e-43ba-8bd6-6d258f5
356b6/SP1Setup_prem.htm

Microsoft Windows Small Business Server 2003 Service Pack 1 (SP1)
http://www.microsoft.com/downloads/details.aspx?FamilyId=B6F8A4C0-B707-4161-
ADEB-44F1B756119F&displaylang=en

Exchange Server 2003 Service Pack 2
http://www.microsoft.com/downloads/details.aspx?FamilyId=535BEF85-3096-45F8-
AA43-60F1F58B3C40&displaylang=en

Microsoft Exchange Server 2003 Service Pack 2 Release Notes
http://download.microsoft.com/download/f/b/5/fb5c54af-fe5c-48e9-be97-f9e8207
325ab/Ex_2003_SP2_RelNotes.htm

V. Additionally, inorder to isolate this specific issue, let's perform the
following testing to check the result:

1) Use "Add User Wizard" to create a new user, and apply "User Template",
then add the user account into "Account Operators" group, then check if the
issue can be reproduced.

I appreciate your time and cooperation. Please do not hesitate to let me
know if you have any further concerns, I am looking forward to hearing from
you.

Have a nice day!

Best regards,

Nathan Liu (MSFT)
Microsoft CSS Online Newsgroup Support
Get Secure! - www.microsoft.com/security
======================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx

When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.

Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.

For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

Any input or comments in this thread are highly appreciated.
======================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

.

Relevant Pages

  • Re: Sharepoint Security - Help!!!!!
    ... When they did the migration from one server to another it went from Standard ... differnt sharepoint document libraries that we have in our internal company ... permissions as to who could look in them. ... "power users" when I deleted them from being a member of this sercurity group ...
    (microsoft.public.windows.server.sbs)
  • Re: Sharepoint Security - Help!!!!!
    ... When they did the migration from one server to another it went from Standard ... differnt sharepoint document libraries that we have in our internal company ... permissions as to who could look in them. ... "power users" when I deleted them from being a member of this sercurity group ...
    (microsoft.public.windows.server.sbs)
  • RE: Client Permissions
    ... I read Mark's response regarding the server permissions with shared folders ... for the client to log onto the work station rather than to the server. ... For power users, ...
    (microsoft.public.windows.server.sbs)
  • Re: Client Permissions
    ... Adding the users to the Domain Power users group by default will only the ... will not grant the users any additional file permissions. ... management which should show all the Network shared Folders on your SBS ...
    (microsoft.public.windows.server.sbs)
  • Re: write with cURL
    ... execute permissions. ... of potential security risks from other users on the same server. ... I made this suggestion because their web host appears to run Apache ... risk to allow Apache's group write access, since all PHP scripts ran ...
    (alt.php)
Loading