Exchange 2010 can only add "Send As" permissions to mail-enabled public folders for which the owner of the AD object corresponding to the PF is an Exchange 2010 server. For example, in an environment with many Exchange 2010 servers, if a public folder is created using the Exchange 2010 PF console on server MB01 (in our example), it is possible to grant "Send-As" permissions on the public folder from the same console. However, if the 2010 Public Folder console is run from another Exchange 2010 server, granting Send As permissions fails with the following error.
Add-ADPermission pF01 -User user01 -ExtendedRights send-as
Active Directory operation failed on DC01.Corp.M16.com. This error is not retriable. Additional information: Access is denied.
Active directory response: 00000005: SecErr: DSID-031521D0, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
+ CategoryInfo : WriteError: (0:Int32) [Add-ADPermission], ADOperationException
+ FullyQualifiedErrorId : B3EE6A10,Microsoft.Exchange.Management.RecipientTasks.AddADPermission
When a public folder is created from a specific server, only that Exchange 2010 PF server has permission to modify the "Send-As" rights, because that server is the owner of the AD object that corresponds to the mail-enabled public folder. When you run the Add-ADPermission cmdlet to manage "Send-As" permission on the public folder from an Exchange 2010 server other than the one where the PF was created, Exchange is denied access when it tries to modify the permissions on the mail-enabled PF object in MESO.
- Additionally, you can verify the AD permissions using DSACLS, ADPermission, or Windows PowerShell.
When a manage "Send-As" request is sent using the Exchange Management Shell or the GUI, the scope is verified and validated before the user's credentials are presented for the modification:
"ADSession::IsWithinScope 'CN=PF01,CN=Microsoft Exchange System Objects,DC=Corp,DC=M16,DC=com' is within scope. ScopeRoot '<null>', ScopeFilter '(!((Exists(ConfigurationUnit))))'"
"ADSession::IsWithinScope 'CN=PF01,CN=Microsoft Exchange System Objects,DC=Corp,DC=M16,DC=com' is within scope. ScopeRoot '<null>', ScopeFilter '<null>'"
"ADSession::IsWithinScope 'CN=PF01,CN=Microsoft Exchange System Objects,DC=Corp,DC=M16,DC=com' is within scope. ScopeRoot '<null>', ScopeFilter '(!((Exists(ConfigurationUnit))))'"
"ADSession::IsWithinScope 'CN=PF01,CN=Microsoft Exchange System Objects,DC=Corp,DC=M16,DC=com' is within scope. ScopeRoot '<null>', ScopeFilter '<null>'"
"GetConnection","Returning connection to DC01.Corp.M16.com:389"
"ADSession::ExecuteModificationRequest using DC01.Corp.M16.com:389 - Sending ModifyRequest request for CN=PF01,CN=Microsoft Exchange System Objects,DC=Corp,DC=M16,DC=com"
"DirectoryException","Caught System.DirectoryServices.Protocols.DirectoryOperationException with 50(0x32), message=00000005: SecErr: DSID-031521D0, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0"
This is a generic Access Denied error.
Currently, the Exchange Trusted Subsystem (ETS) is not granted sufficient rights to manage "Send-As" permissions on public folder objects in the MESO container in AD. Currently ETS can only manage the Send-As permissions for these objects.
This is a problem when you have several public folder servers, many people are allowed to create public folders, and you are managing "Send-As" permission on public folder objects in AD, because you cannot manage them from any server other than the one where they were created.
There are a couple of workarounds:
A: This is a very manual method. If you use ADSIEdit to change the owner of the PF object in AD to Exchange 2010 server B, C, or D, then you can grant Send As permissions from server B, C, or D, but no longer from server A.
So it is not an easy fix.
B: Assign the "Modify permissions" permission on the MESO container to ETS (Exchange Trusted Subsystem). [Similar to /PrepareAD]
Open ADSIEdit ---> navigate to the properties of the MESO (Microsoft Exchange System Objects) container ---> select the "Security" tab ---> select "Advanced" at the bottom ---> in the Add Permissions window select the "Add" button ---> add "Exchange Trusted Subsystem"
and assign the "Modify permissions" permission.
Select "This object and all descendant objects".
Now "Send-As" permissions for mail-enabled public folders can be managed from any Exchange 2010 server in the organization.
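A read-only way to check the two things this article turns on: who owns the public folder's AD object, and whether Exchange Trusted Subsystem holds "Modify permissions" (WriteDacl) on that object and on the MESO container. This is an added example, not part of the original post; it assumes the ActiveDirectory PowerShell module and PowerShell 3.0 or later, reuses the article's sample names (PF01, Corp.M16.com), and `Get-WriteDaclStatus` is a hypothetical helper name.

```powershell
# Added example: read-only, changes nothing in AD.
# Assumes the ActiveDirectory module (provides the AD: drive) and PowerShell 3.0+.
# PF01 and the Corp.M16.com DNs are the sample names from this article.
Import-Module ActiveDirectory

$mesoDn  = 'CN=Microsoft Exchange System Objects,DC=Corp,DC=M16,DC=com'
$pfDn    = "CN=PF01,$mesoDn"
$trustee = 'Exchange Trusted Subsystem'

# Hypothetical helper: reports the owner of an AD object and whether
# $Trustee holds an effective Allow ACE that includes WriteDacl on it.
function Get-WriteDaclStatus {
    param(
        [Parameter(Mandatory = $true)] [string] $DistinguishedName,
        [Parameter(Mandatory = $true)] [string] $Trustee
    )
    $acl = Get-Acl -Path "AD:\$DistinguishedName"

    # "Modify permissions" in the ADSI Edit dialog is the WriteDacl right.
    $writeDacl   = [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl
    $inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly

    $aces = @($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -like "*\$Trustee" -and
        ($_.ActiveDirectoryRights -band $writeDacl) -eq $writeDacl -and
        # Inherit-only ACEs are passed on to children but do not apply here.
        ($_.PropagationFlags -band $inheritOnly) -ne $inheritOnly
    })

    [pscustomobject]@{
        Object              = $DistinguishedName
        # Compare the owner with the server that runs Add-ADPermission.
        Owner               = $acl.Owner
        TrusteeHasWriteDacl = $aces.Count -gt 0
        ViaInheritanceOnly  = ($aces.Count -gt 0) -and
                              (@($aces | Where-Object { -not $_.IsInherited }).Count -eq 0)
    }
}

# The PF object shows why Add-ADPermission is denied; the container shows
# whether workaround B has been applied.
$pfDn, $mesoDn |
    ForEach-Object { Get-WriteDaclStatus -DistinguishedName $_ -Trustee $trustee } |
    Format-List
```

Workaround B gives every member of Exchange Trusted Subsystem the right to rewrite the DACL of every object under the MESO container, so keep the output from before and after the change with the change record.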
Manju
Comments
- Anonymous
June 04, 2014
Thanks
- Anonymous
June 04, 2014
The article is very helpful and is very well written and explained with all the relevant screenshots... thanks Manju :)
- Anonymous
June 12, 2014
Excellent! Giving the Exchange Trusted Subsystem the required permissions has solved the problem for me.
- Anonymous
July 24, 2014
Thanks for writing this post, were scratching our heads as to why we had this problem. Good fix.
- Anonymous
February 06, 2015
Thanks mate.. works like a charm!
- Anonymous
July 15, 2015
You rock! Been fighting this for a looong time.
- Anonymous
January 27, 2016
Thanks very much. Worked after Adding Modify permissions. Much appreciated.
- Anonymous
March 23, 2016
Very helpful article, thank you very much!