zettelkasten/OneNoteExport/Technik/Powershell/Exchange 2010/15_Publicfolder Send As Berechtigungen.md
2023-08-17 19:32:37 +02:00


Public Folder Send As Permissions

Thursday, December 1, 2016

16:45

 

Setting public folder Send As permissions not possible. I had the problem that I could not set the Send As permissions on a PF. This was because the other Exchange server was the owner of the folder. The following link describes how this can be adjusted.

 

https://blogs.technet.microsoft.com/manjubn/2014/06/04/exchange-2010-manage-send-as-permission-only-works-on-the-mailbox-server-where-public-folder-was-created/

 

Exchange 2010: Manage "Send-As" Permission only Works on the Mailbox Server Where "Public Folder" was Created.


Manju-MSFT, June 4, 2014

 

Exchange 2010 can only add "Send As" permissions to mail-enabled public folders for which the owner of the AD object corresponding to the PF is an Exchange 2010 server. For example, in an environment with many Exchange 2010 servers, if a public folder is created using the Exchange 2010 PF console on E2010 server MB01 (in our example), it is possible to grant "Send-As" permissions on the public folder from the same console. However, if the 2010 Public Folder console is run from another E2010 server, granting Send As permissions fails with the following error:

```
Add-ADPermission pF01 -User user01 -ExtendedRights send-as

Active Directory operation failed on DC01.Corp.M16.com. This error is not retriable. Additional information: Access is denied.
Active directory response: 00000005: SecErr: DSID-031521D0, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
 + CategoryInfo          : WriteError: (0:Int32) [Add-ADPermission], ADOperationException
 + FullyQualifiedErrorId : B3EE6A10,Microsoft.Exchange.Management.RecipientTasks.AddADPermission
```

 

When a public folder is created from a specific server, only that Exchange 2010 PF server has permission to modify the "Send-As" rights, because that server is the owner of the AD object that corresponds to the mail-enabled public folder. When the Add-ADPermission cmdlet is run to manage "Send-As" permission on a public folder from an Exchange 2010 server other than the one where the PF was created, Exchange is denied access when it tries to modify the permissions on the mail-enabled PF object in MESO.

Additionally, you can verify AD permissions using DSACLS, ADPermission or Windows PowerShell.

When a manage "Send-As" request is sent using the Exchange Management Shell or the GUI, scopes are verified and validated before the user's credentials are presented for the modification:

```
"ADSession::IsWithinScope 'CN=PF01,CN=Microsoft Exchange System Objects,DC=Corp,DC=M16,DC=com' is within scope. ScopeRoot '<null>', ScopeFilter '(!((Exists(ConfigurationUnit))))'"
"ADSession::IsWithinScope 'CN=PF01,CN=Microsoft Exchange System Objects,DC=Corp,DC=M16,DC=com' is within scope. ScopeRoot '<null>', ScopeFilter '<null>'"
"ADSession::IsWithinScope 'CN=PF01,CN=Microsoft Exchange System Objects,DC=Corp,DC=M16,DC=com' is within scope. ScopeRoot '<null>', ScopeFilter '(!((Exists(ConfigurationUnit))))'"
"ADSession::IsWithinScope 'CN=PF01,CN=Microsoft Exchange System Objects,DC=Corp,DC=M16,DC=com' is within scope. ScopeRoot '<null>', ScopeFilter '<null>'"
"GetConnection","Returning connection to DC01.Corp.M16.com:389"
"ADSession::ExecuteModificationRequest using DC01.Corp.M16.com:389 -- Sending ModifyRequest request for CN=PF01,CN=Microsoft Exchange System Objects,DC=Corp,DC=M16,DC=com"
"DirectoryException","Caught System.DirectoryServices.Protocols.DirectoryOperationException with 50(0x32), message=00000005: SecErr: DSID-031521D0, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0"
```

This is a generic Access Denied error.

Currently, the Exchange Trusted Subsystem (ETS) is not granted sufficient rights to manage "Send-As" permissions on public folder objects in the MESO container in AD. Currently ETS can only manage the Send-As permissions for these objects.

This is a problem when you have several public folder servers, many people are allowed to create public folders, and you manage "Send-As" permissions on public folder objects in AD, because you cannot manage them from any server other than the one where they were created.

 

There are a couple of workarounds:

A: A very manual method. If you use ADSIEdit to change the owner of the PF object in AD to Exchange 2010 server B, C or D, you can then grant Send As permissions from server B, C or D, but no longer from server A. So this is not an easy fix.

B: Assign the "Modify permissions" permission on the MESO container to ETS (Exchange Trusted Subsystem). [Similar to /PrepareAD]

Open ADSIEdit ---> navigate to the properties of the MESO (Microsoft Exchange System Objects) container ---> select the "Security" tab ---> select the "Advanced" tab at the bottom ---> in the Add Permissions window select the "Add" button ---> add "Exchange Trusted Subsystem" and assign the "Modify permissions" permission.

Select "This object and all descendant objects".


Now "Send-As" permissions for mail-enabled public folders can be managed from any Exchange 2010 server in the organization.
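
One way to check which of the two conditions described in this article holds for a public folder object: whether the server you are on owns the AD object, or whether Exchange Trusted Subsystem holds "Modify permissions" (WriteDacl) on it. This is an added example, not code from the original post; the function name, SIDs and SDDL strings are constructed for illustration, and the last comment shows how to load a real object's descriptor instead.

```powershell
# Added example (not from the original post). Function name, SIDs and SDDL are constructed.
Add-Type -AssemblyName System.DirectoryServices

function Test-PFSendAsManageable {
    param(
        [System.DirectoryServices.ActiveDirectorySecurity]$Descriptor, # SD of the PF object in MESO
        [System.Security.Principal.SecurityIdentifier]$ServerSid,      # computer account of the server you run on
        [System.Security.Principal.SecurityIdentifier]$EtsSid          # Exchange Trusted Subsystem group
    )
    $sidType   = [System.Security.Principal.SecurityIdentifier]
    $writeDacl = [int][System.DirectoryServices.ActiveDirectoryRights]::WriteDacl
    $owner     = $Descriptor.GetOwner($sidType)

    # Allow ACEs (explicit or inherited from the MESO container) that let ETS
    # change the DACL; "Modify permissions" in ADSIEdit corresponds to WriteDacl.
    $etsRules = @($Descriptor.GetAccessRules($true, $true, $sidType) | Where-Object {
        $_.IdentityReference.Value -eq $EtsSid.Value -and
        $_.AccessControlType -eq 'Allow' -and
        ([int]$_.ActiveDirectoryRights -band $writeDacl) -ne 0
    })

    $ownedHere = ($owner.Value -eq $ServerSid.Value)
    New-Object PSObject -Property @{
        Owner             = $owner.Value
        OwnedByThisServer = $ownedHere
        EtsWriteDaclAces  = $etsRules.Count
        SendAsManageable  = ($ownedHere -or $etsRules.Count -gt 0)
    }
}

# Constructed SIDs: two Exchange server computer accounts and the ETS group.
$mb01 = 'S-1-5-21-1111111111-2222222222-3333333333-1105'
$mb02 = 'S-1-5-21-1111111111-2222222222-3333333333-1106'
$ets  = 'S-1-5-21-1111111111-2222222222-3333333333-1120'

# Constructed descriptor: owner is MB01, no ETS ACE (state before workaround B).
$sd = New-Object System.DirectoryServices.ActiveDirectorySecurity
$sd.SetSecurityDescriptorSddlForm("O:${mb01}D:(A;;RP;;;AU)")
Test-PFSendAsManageable $sd $mb01 $ets   # on the creating server: manageable
Test-PFSendAsManageable $sd $mb02 $ets   # on another server: not manageable

# After workaround B the object carries a WriteDacl ACE for ETS (written as an
# explicit ACE here; on a real PF object it arrives inherited from MESO).
$sd.SetSecurityDescriptorSddlForm("O:${mb01}D:(A;CI;WD;;;$ets)(A;;RP;;;AU)")
Test-PFSendAsManageable $sd $mb02 $ets   # manageable from any server

# Live object: $sd = ([ADSI]'LDAP://CN=PF01,CN=Microsoft Exchange System Objects,DC=Corp,DC=M16,DC=com').psbase.ObjectSecurity
```

Because workaround B applies to "This object and all descendant objects", the ACE lets ETS rewrite the DACL of every object under MESO, so record it in your AD delegation review.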