Full access permission on a mailbox not doing what it should?

finkle636 Member Posts: 44
According to Microsoft the following is true...

From Technet - "In Exchange 2007, users who are granted the Full Mailbox Access permission to a mailbox do not have Send As permission. Instead, the users have Send on Behalf Of permission for the mailbox owner. In this scenario, the users must be explicitly granted the Send As permission to send e-mail messages as the mailbox owner."

I have just spent half the morning trying to figure out why, when the above is apparently correct, a user who has full permission cannot "Send on behalf of".

I understand that "Send as" is a different thing as it impersonates the mailbox, but "Send on behalf of" (which is hidden in a separate tab, by the way) should be included in the full access permission. It seems it is not, however, even though they say it is. Have I misinterpreted something here?

I have just finished the MCTS 70-236 training book and have just started on the new 2009 Sybex book and there was none of this mentioned.

Comments

  • undomiel Member Posts: 2,818
    You may wish to give a read over this: Understanding Mailbox Permissions: Exchange 2007 Help

    Send as or send on behalf are granted separately from full access.
    Jumping on the IT blogging band wagon -- http://www.jefferyland.com/
  • Chivalry1 Member Posts: 569
    In order for the user to have "Send on Behalf rights" you must configure it in a different location within the EMC. Full access just gives the user full access to the mailbox.
    "The recipe for perpetual ignorance is: be satisfied with your opinions and
    content with your knowledge. " Elbert Hubbard (1856 - 1915)
  • finkle636 Member Posts: 44
    Thanks guys, having not used Exchange before (hence the books and the exam) I have now come to realize this to be true despite the TechNet site saying otherwise.

    It was a bit frustrating in my opinion as they put 2 object permissions on full display in the EMC (Full Control, Send As), hide one in a sub menu of a tab (Send on behalf of), and the other you can't change unless you use PowerShell or ADUC and enable advanced features (Receive As). That's a bit poor in my opinion. It's like setting NTFS permissions on a security tab of a folder, but only giving you half of them and putting the rest in the help menu in Calculator. Oh, and one that you must change manually in the registry for good measure.
  • blargoe Member Posts: 4,174
    I was thinking Full Control and Receive as were functionally equivalent?
    IT guy since 12/00

    Recent: 11/2019 - RHCSA (RHEL 7); 2/2019 - Updated VCP to 6.5 (just a few days before VMware discontinued the re-cert policy...)
    Working on: RHCE/Ansible
    Future: Probably continued Red Hat Immersion, Possibly VCAP Design, or maybe a completely different path. Depends on job demands...
  • finkle636 Member Posts: 44
    blargoe wrote:
    I was thinking Full Control and Receive as were functionally equivalent?

    At this point, I have no idea, as on this link it lists the 2 as being separate permissions.

    Understanding Mailbox Permissions: Exchange 2007 Help
  • blargoe Member Posts: 4,174
    I had to go back to check... receive-as is a permission that is applied to the mailbox store, but not individual mailboxes. If someone has receive as on a store, they will have FullAccess on all mailboxes contained within.

    How to Allow Mailbox Access: Exchange 2007 Help

    Delegate Full-Mailbox Access
  • royal Member Posts: 3,352
    Just a little tip...

    You can actually do Receive-As on an individual AD user which isn't documented, but it works and I have done it. You use the Add-AdPermission but you specify the DN of the user's AD account.
    “For success, attitude is equally as important as ability.” - Harry F. Banks
  • blargoe Member Posts: 4,174
    Yo royal,

    Was there a reason why you did it that way... grins and giggles? Is there really a difference between that and just doing FullAccess on the user?

    b
  • royal Member Posts: 3,352
    Not really. Client asked if he could use the add-adpermission for a specific user so we tried it on a DN for a user account and it worked. Was merely to satisfy our curiosity.
    “For success, attitude is equally as important as ability.” - Harry F. Banks
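
Added example, not part of the original thread: an Exchange Management Shell audit that lists, for one mailbox, each of the separately granted rights discussed above (Full Access, Send As, Receive As, Send on Behalf Of, and Receive As on the mailbox store). The function name `Get-MailboxDelegationReport` and the mailbox identity in the usage comment are hypothetical.

```powershell
# Added example: run in the Exchange Management Shell.
# Get-MailboxDelegationReport is a hypothetical helper name, not an Exchange cmdlet.
function Get-MailboxDelegationReport {
    param([string]$Mailbox = $(throw 'Specify a mailbox identity'))

    $mbx = Get-Mailbox -Identity $Mailbox
    $dn  = $mbx.DistinguishedName

    # Full Access is a mailbox permission. Entries with Inherited = True come
    # from a parent object, for example a grant made on the mailbox store.
    Get-MailboxPermission -Identity $dn |
        Where-Object { ($_.AccessRights -like '*FullAccess*') -and -not $_.Deny } |
        Select-Object @{Name='Right';     Expression={'FullAccess'}},
                      @{Name='Trustee';   Expression={$_.User}},
                      @{Name='Inherited'; Expression={$_.IsInherited}}

    # Send As and Receive As are extended rights on the user's AD object,
    # so they never show up in the Full Access list above.
    foreach ($right in 'Send-As', 'Receive-As') {
        Get-ADPermission -Identity $dn |
            Where-Object { ($_.ExtendedRights -like "*$right*") -and -not $_.Deny } |
            Select-Object @{Name='Right';     Expression={$right}},
                          @{Name='Trustee';   Expression={$_.User}},
                          @{Name='Inherited'; Expression={$_.IsInherited}}
    }

    # Send on Behalf Of is not an ACL entry at all: it is a mailbox attribute.
    if ($mbx.GrantSendOnBehalfTo) {
        $mbx.GrantSendOnBehalfTo |
            Select-Object @{Name='Right';     Expression={'SendOnBehalfOf'}},
                          @{Name='Trustee';   Expression={$_.Name}},
                          @{Name='Inherited'; Expression={$false}}
    }

    # Receive As granted on the mailbox store applies to every mailbox in it.
    Get-MailboxDatabase -Identity $mbx.Database | Get-ADPermission |
        Where-Object { ($_.ExtendedRights -like '*Receive-As*') -and -not $_.Deny } |
        Select-Object @{Name='Right';     Expression={'Receive-As (store)'}},
                      @{Name='Trustee';   Expression={$_.User}},
                      @{Name='Inherited'; Expression={$_.IsInherited}}
}

# Usage (placeholder identity):
# Get-MailboxDelegationReport -Mailbox 'shared.mailbox' | Format-Table -AutoSize
```

A trustee that appears only under `FullAccess` can open the mailbox but cannot send from it, which is the behaviour the original poster ran into.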