Full access permission on a mailbox not doing what it should?

According to microsoft the follwoing is true...

From Technet - "In Exchange 2007, users who are granted the Full Mailbox Access permission to a mailbox do not have Send As permission. Instead, the users have Send on Behalf Of permission for the mailbox owner. In this scenario, the users must be explicitly granted the Send As permission to send e-mail messages as the mailbox owner."

I have just spent half the morning trying to figure out why, when the above is apparently correct can a user who has full permission cannot "Send on behalf of".

I understand that "Send as" is a different thing as it impersonates the mailbox, but "Send on behalf of" (which is hidden in a seperate tab by the way) should be included in the full access permission, it seems it is however not, even though they say it is, have i misinterprited sommething here?

I have just finished the MCTS 70-236 training book and have just started on the new 2009 Sybex book and there was none of this mentioned.

Find more posts tagged with

Save $250 on 2025 certification boot camps from Infosec!

Book now with code EOY2025

Button

Comments

undomiel

You may wish to give a read over this: Understanding Mailbox Permissions: Exchange 2007 Help

Send as or send on behalf are granted separately from full access.

Chivalry1

In order for the user to have "Send on Behalf rights" you must configure in a different location within the EMC. Full access just gives user full access to the mailbox.

finkle636

Thanks guys, having not used exchange before (hence the books and the exam) i have now come to realize this to be true despite the technet site saying otherwise.

It was a bit frustrating in my opinion as they put 2 object permissions on display in the EMC on full display (Full Control, Send As), hide one in a sub menu of a tab(Send on behalf of), and the other you cant change unless you use powershell or ADUC and enable advanced features (Recieve As), thats a bit poor in my opinion. Its like setting NTFS permissions on a security tab of a folder, but only giving you half of them and putting the rest in the help menu in Calculator. Oh and one that you must change manually in the registry for good measure.

blargoe

I was thinking Full Control and Receive as were functionally equivalent?

finkle636

blargoe wrote: »

I was thinking Full Control and Receive as were functionally equivalent?

At this point, i have no idea, as on this link it lists the 2 as being seperate permissions.

Understanding Mailbox Permissions: Exchange 2007 Help

blargoe

I had to go back to check... receive-as is a permission that is applied to the mailbox store, but not individual mailboxes. If someone has receive as on a store, they will have FullAccess on all mailboxes contained within.

How to Allow Mailbox Access: Exchange 2007 Help

Delegate Full-Mailbox Access

royal

Just a little tip...

You can actually do Receive-As on an individual AD user which isn't documented, but it works and I have done nit. You use the Add-AdPermission but you specify the DN of the user's AD account.

blargoe

Yo royal,

Was there a reason why you did it that way... grins and giggles? Is there really a difference between that and just doing FullAccess on the user?

b

royal

Not really. Client asked if he could use the add-adpermission for a specific user so we tried it on a DN for a user account and it worked. Was merely to satisfy our curiosity.