Re: "Send as" and SBS Domain Power User
- From: "Jan" <jan@.n.o.com>
- Date: Tue, 20 Dec 2005 20:42:42 +1100
Hi Nathan,
sorry for not getting back to you earlier.
To answer your questions.
1. yes, all service packs are installed
2. adding standard user to Account Operators group gives user rights to send
as
Regards,
--
Jan Wakulicz
www.micropol.com.au
""Nathan Liu [MSFT]"" <v-natliu@xxxxxxxxxxxxxxxxxxxx> wrote in message
news:94h5E0VAGHA.1236@xxxxxxxxxxxxxxxxxxxxxxxx
> Hi Jan,
>
> Many thanks for your waiting. I appreciate your time and patience.
>
> I. I have checked these dsacls log files, and compare them with my
> testing
> machince, I didn't find any problem with them. And I have also tried to
> reproduce this specific issue, but I cannot reproduce it on my testing
> machine.
>
> II. Considering the current condition, it is aneffective and feasible way
> to check the "Deny" "Send As" permission check box for "Domain Power
> Users"
> via ESM. Meanwhile, we will continue to research and test this issue, then
> update the result to you. Thanks for your understanding.
>
> To deny "Send As" permission for "Domain Power Users" via ESM, open the
> Exchange System Manager on the SBS Server, expand Servers -> ServerName ->
> First Storage Group, right-click "Mailbox Store" and select Properties,
> click Security tab, click Add and input "Domain Power Users" then click
> OK,
> CHECK the "Deny" check box for "Send As" entry.
>
> III. Based on my research, we have a known issue about "Send As" and
> "Domain Power users" in SBS 2003 Server, however, the current issue is a
> reverse issue. You may also check it:
> Problem Description
>
> The 'Send As' permission granted for user A to 'send as' user B keeps
> disappearing.
>
> Explanation and Resolution
>
> I. If it's a SBS 2003
>
> The issue should be caused that the users are members of the 'Domain Power
> User' group, possibly that he has 'Power Users' template applied to the
> users. The 'Domain Power User' is a sub-group of 'SBS Remote Operators',
> and 'SBS Remote Operators' has the 'Deny Logon Locally' policy setting
> from
> 'Default Domain Controller' GPO. That will cause the ACL permission
> setting
> to be reverted.
>
> I would suggest any of the following:
>
> 1) Apply the 'Users' template to the existing power users using
> the
> Change User Permissions Wizard.
>
> 2) Remove 'SBS Remote Operators' from the 'Deny Logon Locally
> policy' settings, re-apply the 'Power Users' templates to the user
> accounts.
>
> The same cause will raise some other issues, for example '330876 Power
> Users are Unable to FTP on Microsoft Windows Small Business Server'.
>
> II. A normal Exchange server
>
> Basically, this issue is most likely caused that the problematic user is
> part of the groups listed below.
>
> Looking at Q319966 where depending on whether that group or the users are
> members of AdminSDHolder, those permissions can be reset every hour:
> 319966
> "You do not have sufficient permissions in the Domain" error message -
> http://support.microsoft.com/?id=319966.
>
> More Information can be found in the following KBs:
>
> ¡¤ 817433 Delegated permissions are not available and inheritance is
> automatically - http://support.microsoft.com/?id=817433\
>
> ¡¤ 318180 AdminSDHolder Thread Affects Transitive Members of
> Distribution Groups - http://support.microsoft.com/?id=318180
>
> Which basically states that if the user is a member of a Distribution
> group
> that is a member for any of the following groups the permissions is reset
> every hour:
>
> - Enterprise Admins
>
> - Schema Admins
>
> - Domain Admins
>
> - Administrators
>
> - Domain Controllers
>
> - Cert Publishers
>
> - Backup Operators
>
> - Replicator Server Operators
>
> - Account Operators
>
> - Print Operators
>
> IV. Did you install the SBS 2003 SP1 and Exchange 2003 SP2? If not,
> please
> kindly refer to the following information to install them, and then check
> if the issue can be reproduced.
>
> Installation Instructions for Service Pack 1 for Windows Small Business
> Server 2003, Standard Edition
> http://download.microsoft.com/download/2/e/9/2e902d14-da2e-43ba-8bd6-6d258f5
> 356b6/SP1Setup_std.htm
>
> Installation Instructions for Service Pack 1 for Windows Small Business
> Server 2003, Premium Technologies
> http://download.microsoft.com/download/2/e/9/2e902d14-da2e-43ba-8bd6-6d258f5
> 356b6/SP1Setup_prem.htm
>
> Microsoft Windows Small Business Server 2003 Service Pack 1 (SP1)
> http://www.microsoft.com/downloads/details.aspx?FamilyId=B6F8A4C0-B707-4161-
> ADEB-44F1B756119F&displaylang=en
>
> Exchange Server 2003 Service Pack 2
> http://www.microsoft.com/downloads/details.aspx?FamilyId=535BEF85-3096-45F8-
> AA43-60F1F58B3C40&displaylang=en
>
> Microsoft Exchange Server 2003 Service Pack 2 Release Notes
> http://download.microsoft.com/download/f/b/5/fb5c54af-fe5c-48e9-be97-f9e8207
> 325ab/Ex_2003_SP2_RelNotes.htm
>
> V. Additionally, inorder to isolate this specific issue, let's perform
> the
> following testing to check the result:
>
> 1) Use "Add User Wizard" to create a new user, and apply "User
> Template",
> then add the user account into "Account Operators" group, then check if
> the
> issue can be reproduced.
>
> I appreciate your time and cooperation. Please do not hesitate to let me
> know if you have any further concerns, I am looking forward to hearing
> from
> you.
>
> Have a nice day!
>
> Best regards,
>
> Nathan Liu (MSFT)
> Microsoft CSS Online Newsgroup Support
> Get Secure! - www.microsoft.com/security
> ======================================================
> This newsgroup only focuses on SBS technical issues. If you have issues
> regarding other Microsoft products, you'd better post in the corresponding
> newsgroups so that they can be resolved in an efficient and timely manner.
> You can locate the newsgroup here:
> http://www.microsoft.com/communities/newsgroups/en-us/default.aspx
>
> When opening a new thread via the web interface, we recommend you check
> the
> "Notify me of replies" box to receive e-mail notifications when there are
> any updates in your thread. When responding to posts via your newsreader,
> please "Reply to Group" so that others may learn and benefit from your
> issue.
>
> Microsoft engineers can only focus on one issue per thread. Although we
> provide other information for your reference, we recommend you post
> different incidents in different threads to keep the thread clean. In
> doing
> so, it will ensure your issues are resolved in a timely manner.
>
> For urgent issues, you may want to contact Microsoft CSS directly. Please
> check http://support.microsoft.com for regional support phone numbers.
>
> Any input or comments in this thread are highly appreciated.
> ======================================================
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
>
.
- References:
- "Send as" and SBS Domain Power User
- From: Jan
- RE: "Send as" and SBS Domain Power User
- From: "Nathan Liu [MSFT]"
- Re: "Send as" and SBS Domain Power User
- From: Jan
- Re: "Send as" and SBS Domain Power User
- From: "Nathan Liu [MSFT]"
- Re: "Send as" and SBS Domain Power User
- From: Jan
- Re: "Send as" and SBS Domain Power User
- From: "Nathan Liu [MSFT]"
- Re: "Send as" and SBS Domain Power User
- From: "Nathan Liu [MSFT]"
- Re: "Send as" and SBS Domain Power User
- From: "Nathan Liu [MSFT]"
- "Send as" and SBS Domain Power User
- Prev by Date: RE: Error in calendar entries
- Next by Date: Re: fax
- Previous by thread: Re: "Send as" and SBS Domain Power User
- Next by thread: Re: SBS2003 Svr Install problem on Trial DVD Technet Plus kit.
- Index(es):
Relevant Pages
|
