Re: "Send as" and SBS Domain Power User



Hi Jan,

This is a supplemental email.

Based on my testing, I have reproduced this issue.

Reproduce steps:

A. Use "Add User Wizard" and "User Template" to create a normal Domain
User
B. Use "Add User Wizard" and "Power User Template" to create a Domain
Power User
C. Open ADU&C, and click View -> Advanced Features, we can find the
"Account Operators" has "Full Control" permission for the normal Domain user
D. We can "Send as" the normal domain user by using the domain power user
account.

Note: "Domain Power Users" is a member of "Account Operators", "Mail
Operators" and other security groups.

Based on above information, "Account Operators" Built-in Security Group has
"Send As" permission for "Domain Users" by default. Because the power users
belong to the Account Operator security group which has been applied the
"Send As" Permission.


To work around this issue, please remove "Send As" permission for power
user.

Method 1:

You can remove the power user from the Account Operator group or deny the
"Send As" permission for Account Operator group. However we do not
recommend you to do that, it will impact the Account operator group
permission and it will also impact other permission of power user that
inherited from the Account operator group.

Method 2:

You can deny the "Send As" permission for one of power user or for the
whole power user group.

To deny user "Send as" permissions for power user:

1) On an Exchange computer, click Start, point to Programs, point to
Microsoft Exchange, and then click Active Directory Users and Computers.
2) On the View menu, click to select Advanced Features.
3) Expand Users, right-click the User object where you want to deny the
"Send As" permission, and then click Properties.
4) In the Select User, Computer, or Group dialog box, click the user account
or the group that you want to deny "Send as" permissions to, and then click
OK.

More info:

327000 HOW TO: Grant "Send As" and "Send on Behalf" Permissions in Exchange
http://support.microsoft.com/?id=327000

I appreciate your time and cooperation. Please do not hesitate to let me
know if you have any further concerns, I am looking forward to hearing from
you.

Have a nice weekend!

Best regards,

Nathan Liu (MSFT)
Microsoft CSS Online Newsgroup Support

Get Secure! - www.microsoft.com/security
======================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx

When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.

Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.

For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

Any input or comments in this thread are highly appreciated.
======================================================
This posting is provided "AS IS" with no warranties, and confers no rights.


--------------------
>From: v-natliu@xxxxxxxxxxxxxxxxxxxx ("Nathan Liu [MSFT]")
>Organization: Microsoft
>Date: Thu, 15 Dec 2005 09:50:43 GMT
>Subject: Re: "Send as" and SBS Domain Power User
>
>Hi Jan,
>
>Many thanks for your waiting. I appreciate your time and patience.
>
>I. I have checked these dsacls log files, and compared them with my testing
>machine, I didn't find any problem with them. And I have also tried to
>reproduce this specific issue, but I cannot reproduce it on my testing
>machine.
>
>II. Considering the current condition, it is an effective and feasible way
>to check the "Deny" "Send As" permission check box for "Domain Power Users"
>via ESM. Meanwhile, we will continue to research and test this issue, then
>update the result to you. Thanks for your understanding.
>
>To deny "Send As" permission for "Domain Power Users" via ESM, open the
>Exchange System Manager on the SBS Server, expand Servers -> ServerName ->
>First Storage Group, right-click "Mailbox Store" and select Properties,
>click Security tab, click Add and input "Domain Power Users" then click OK,
>CHECK the "Deny" check box for "Send As" entry.
>
>III. Based on my research, we have a known issue about "Send As" and
>"Domain Power users" in SBS 2003 Server, however, the current issue is a
>reverse issue. You may also check it:
>Problem Description
>
>The 'Send As' permission granted for user A to 'send as' user B keeps
>disappearing.
>
>Explanation and Resolution
>
>I. If it's a SBS 2003
>
>The issue should be caused that the users are members of the 'Domain Power
>User' group, possibly that he has 'Power Users' template applied to the
>users. The 'Domain Power User' is a sub-group of 'SBS Remote Operators',
>and 'SBS Remote Operators' has the 'Deny Logon Locally' policy setting from
>'Default Domain Controller' GPO. That will cause the ACL permission setting
>to be reverted.
>
>I would suggest any of the following:
>
>1) Apply the 'Users' template to the existing power users using the
>Change User Permissions Wizard.
>
>2) Remove 'SBS Remote Operators' from the 'Deny Logon Locally
>policy' settings, re-apply the 'Power Users' templates to the user accounts.
>
>The same cause will raise some other issues, for example '330876 Power
>Users are Unable to FTP on Microsoft Windows Small Business Server'.
>
>II. A normal Exchange server
>
>Basically, this issue is most likely caused that the problematic user is
>part of the groups listed below.
>
>Looking at Q319966 where depending on whether that group or the users are
>members of AdminSDHolder, those permissions can be reset every hour: 319966
>"You do not have sufficient permissions in the Domain" error message -
>http://support.microsoft.com/?id=319966.
>
>More Information can be found in the following KBs:
>
>- 817433 Delegated permissions are not available and inheritance is
>automatically - http://support.microsoft.com/?id=817433
>
>- 318180 AdminSDHolder Thread Affects Transitive Members of
>Distribution Groups - http://support.microsoft.com/?id=318180
>
>Which basically states that if the user is a member of a Distribution group
>that is a member for any of the following groups the permissions is reset
>every hour:
>
>- Enterprise Admins
>
>- Schema Admins
>
>- Domain Admins
>
>- Administrators
>
>- Domain Controllers
>
>- Cert Publishers
>
>- Backup Operators
>
>- Replicator Server Operators
>
>- Account Operators
>
>- Print Operators
>
>IV. Did you install the SBS 2003 SP1 and Exchange 2003 SP2? If not, please
>kindly refer to the following information to install them, and then check
>if the issue can be reproduced.
>
>Installation Instructions for Service Pack 1 for Windows Small Business
>Server 2003, Standard Edition
>http://download.microsoft.com/download/2/e/9/2e902d14-da2e-43ba-8bd6-6d258f5356b6/SP1Setup_std.htm
>
>Installation Instructions for Service Pack 1 for Windows Small Business
>Server 2003, Premium Technologies
>http://download.microsoft.com/download/2/e/9/2e902d14-da2e-43ba-8bd6-6d258f5356b6/SP1Setup_prem.htm
>
>Microsoft Windows Small Business Server 2003 Service Pack 1 (SP1)
>http://www.microsoft.com/downloads/details.aspx?FamilyId=B6F8A4C0-B707-4161-ADEB-44F1B756119F&displaylang=en
>
>Exchange Server 2003 Service Pack 2
>http://www.microsoft.com/downloads/details.aspx?FamilyId=535BEF85-3096-45F8-AA43-60F1F58B3C40&displaylang=en
>
>Microsoft Exchange Server 2003 Service Pack 2 Release Notes
>http://download.microsoft.com/download/f/b/5/fb5c54af-fe5c-48e9-be97-f9e8207325ab/Ex_2003_SP2_RelNotes.htm
>
>V. Additionally, in order to isolate this specific issue, let's perform the
>following testing to check the result:
>
>1) Use "Add User Wizard" to create a new user, and apply "User Template",
>then add the user account into "Account Operators" group, then check if the
>issue can be reproduced.
>
>I appreciate your time and cooperation. Please do not hesitate to let me
>know if you have any further concerns, I am looking forward to hearing from
>you.
>
>Have a nice day!
>
>Best regards,
>
>Nathan Liu (MSFT)
>Microsoft CSS Online Newsgroup Support
>
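
Added example, not part of the original post or of any Microsoft tool: a small Python model of the check discussed in this thread. It reads ACEs in the general shape of a dsacls access list and resolves nested group membership, showing why a Domain Power User can "Send As" a normal user and what an explicit Deny on "Domain Power Users" changes. The CONTOSO domain, the account names and the sample ACL lines are constructed; only the Domain Power Users -> Account Operators nesting and the Full Control entry for Account Operators come from the thread.

```python
import re

# Constructed sample in the general shape of a dsacls access list for the
# normal user's object (type, trustee, right; columns split by 2+ spaces).
SAMPLE_ACL = r"""
Allow  BUILTIN\Account Operators  FULL CONTROL
Allow  CONTOSO\Domain Admins  FULL CONTROL
Allow  NT AUTHORITY\SELF  Send As
Allow  NT AUTHORITY\Authenticated Users  READ PERMISSIONS
"""

# Hypothetical nesting; only the Domain Power Users -> Account Operators
# link is taken from the thread.
MEMBER_OF = {
    r"contoso\poweruser1": [r"contoso\domain power users"],
    r"contoso\domain power users": [r"builtin\account operators"],
    r"contoso\helpdesk1": [r"builtin\account operators"],
    r"contoso\user1": [r"contoso\domain users"],
}

# Full Control includes every extended right, "Send As" among them.
GRANTS_SEND_AS = {"send as", "full control"}

def parse_aces(text):
    """Return (type, trustee, right) tuples, lower-cased."""
    aces = []
    for line in text.splitlines():
        parts = re.split(r"\s{2,}", line.strip())
        if len(parts) == 3 and parts[0].lower() in ("allow", "deny"):
            aces.append(tuple(p.lower() for p in parts))
    return aces

def identities(principal, member_of=MEMBER_OF):
    """The principal plus every group it belongs to, directly or nested."""
    seen, todo = set(), [principal.lower()]
    while todo:
        name = todo.pop()
        if name not in seen:
            seen.add(name)
            todo.extend(member_of.get(name, []))
    return seen

def can_send_as(principal, aces, member_of=MEMBER_OF):
    """Simplified: any matching Deny wins, as an explicit Deny ACE set on the object does."""
    ids = identities(principal, member_of)
    hits = [kind for kind, trustee, right in aces
            if trustee in ids and right in GRANTS_SEND_AS]
    return "deny" not in hits and "allow" in hits
```

Appending a `Deny  CONTOSO\Domain Power Users  Send As` line to the sample and re-running `can_send_as` shows the power user blocked while a direct Account Operators member keeps the right, which is the difference between Method 2 and Method 1.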
