Hello,

Logged in as a user that is a member of Exchange Organization Administrators
as Well as the Exchange Public Folder Administrators I receive the following
error when attempting to add Send As permissions to a user. In a default
exchange installation shouldn't it be possible to grant these rights as a
member of the Exchange Organiztion Administrators?

Thanks

Bill

Summary: 1 item(s). 0 succeeded, 1 failed.
Elapsed time: 00:00:00


MyDomain\mytestuser
Failed

Error:
Active Directory operation failed on mydomain.com This error is not
retriable. Additional information: Access is denied.
Active directory response: 00000005: SecErr: DSID-03151E04, problem 4003
(INSUFF_ACCESS_RIGHTS), data 0




The user has insufficient access rights.

Exchange Management Shell command attempted:
Add-ADPermission -Identity 'CN=myPublicFolder,CN=Microsoft Exchange System
Objects,DC=mydomain,DC=com' -User 'MYDOMAIN\mytestuser' -ExtendedRights
'Send-as'

Elapsed Time: 00:00:00

On Mon, 7 Jul 2008 16:31:42 -0400, "William Holmes"
<wtholmes> wrote:

>Logged in as a user that is a member of Exchange Organization Administrators
>as Well as the Exchange Public Folder Administrators I receive the following
>error when attempting to add Send As permissions to a user. In a default
>exchange installation shouldn't it be possible to grant these rights as a
>member of the Exchange Organiztion Administrators?

That depends on the AD object you're trying to modify. Blocked
inheritence, membership in a prvileged group (like Domain Admins),
etc. trump the inherited rights your user may have on the objects.

Hello,

I am aware of these issues. To clarify this is what I am asking.

If I install a new active directory forest followed by Exchange, create a
non-privileged user and then add that user to the Exchange Organization
Administrators. Will this user be able to add send-As privileges to to user,
group, and public folder objects in the Exchange Organization? I am asking
this question in context of a default configuration.

Thanks

Bill



"Rich Matheisen [MVP]" <richnews> wrote in message
news:fu7r
[..]

On Tue, 8 Jul 2008 11:09:57 -0400, "William Holmes"
<wtholmes> wrote:

>I am aware of these issues. To clarify this is what I am asking.
>
>If I install a new active directory forest followed by Exchange, create a
>non-privileged user and then add that user to the Exchange Organization
>Administrators. Will this user be able to add send-As privileges to to user,
>group, and public folder objects in the Exchange Organization? I am asking
>this question in context of a default configuration.

That's pretty much the same as your original post -- with a few
qualifications. The answer is still the same. What you have permission
to modify depends on the rights you have on the AD object.

If you're dealing with an AD User object and inheritence on the object
isn't blocked you'll usually have permission to modify the AD User.

Is it safe to assume that this new forest has only one domain, or that
the AD object you're trying to modify is in a domain that's be prepped
for use by Exchange?

The error you're getting says that your user lacks the necesssary
permission. That permission should be inherited. I'm not sure that
Exchange admins have permissions to modify the property the "Send-As"
permission.