Exchange 2016 - Problem adding users to Send As or Send on Behalf

I just took over as an exchange admin at a company and am trying to perform a relatively simple task.  All I need to do is to grant a user "Send As" and "Send on Behalf".  Simple huh?

The problem is when I go to that group and open the properties and select Group Delegation, and then click the plus to add a user to Send As I get 500-odd security groups, plus 2 or 3 end users.  And that is it.  And it's not that the end users are all alphabetically behind the groups so they aren't showing up, it's just that only a few users are in the list.

I've looked at those users' accounts to try to figure out why those show up in the list but not others, and can't see any reason.  They are just regular accounts.  The owner of the group doesn't even show up in the list so I can't even add that person.  I've tried copying and pasting the name and email address of the user I want to add the Send As to, but that doesn't work either.

Am I missing something very obvious here?  Is there a setting somewhere that prohibits Send As by anything other than a Security group?  If there is then I really can't figure out why those 2 or 3 users show up in the list then.

Thanks in advance for any help.

Ted

15 Replies

The picker controls have limits, and search doesn't always work great there. Just add the permissions via PowerShell?
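For anyone following this advice, here is an added example (not posted by anyone in the thread) of granting both rights on a distribution group from the Exchange Management Shell and then verifying the result; $GroupName and $UserId are placeholders for your own group and user.

```powershell
# Added example, not from the thread: grant "Send As" and "Send on Behalf" on a
# distribution group from the Exchange Management Shell, then verify the result.
# $GroupName and $UserId are placeholders for the real group and user.
param(
    [Parameter(Mandatory)][string]$GroupName,   # group name or alias
    [Parameter(Mandatory)][string]$UserId       # user principal name or DOMAIN\user
)

# "Send As" is an AD extended right on the group object, so it is set with
# Add-ADPermission rather than a recipient cmdlet.
Add-ADPermission -Identity $GroupName -User $UserId -ExtendedRights 'Send As' | Out-Null

# "Send on Behalf" is a recipient attribute; @{Add=} appends to the existing
# delegate list instead of replacing whoever is already on it.
Set-DistributionGroup -Identity $GroupName -GrantSendOnBehalfTo @{Add = $UserId}

# Verify: the Send As entry should show up as an explicit (non-inherited) allow ACE
# for this user only, which is what you want from a least-privilege standpoint.
$sendAs = Get-ADPermission -Identity $GroupName |
    Where-Object { $_.ExtendedRights -like '*Send-As*' -and -not $_.IsInherited -and -not $_.Deny }
$sendAs | Select-Object User, ExtendedRights, IsInherited

$delegates = (Get-DistributionGroup -Identity $GroupName).GrantSendOnBehalfTo
"Send on Behalf delegates: $($delegates -join ', ')"
```

Run it from an Exchange Management Shell (or a session imported as described later in the thread) as an account that holds the relevant RBAC role.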

@Vasil Michev 

Sorry, no offense to you but I really hate that response.  MS codes a crappy interface, so now we are all expected to use the command line for what should be a VERY basic task.

One of my (many) issues with PowerShell is that at this company they do that Red Forest(?) architecture.  For me to access the Exchange server I have to first RDP to a Jump Station.  From there I RDP to the App Tier Jump Station (using a different ID/PW with VERY complex PW requirements) and do the 2FA.  From there I RDP to the Exchange Server.  All of these operate on a 10 minute time out, so basically I have to redo this entire thing every time I need to do the simplest operation.

Or I can go to the EAC website in Chrome from my desktop, which bypasses all of that, and have Chrome auto-remember my super complex PW for me.  Since none of the jump stations or Exchange servers can access the internet with a web browser, by the time I have typed up this response my RDP sessions will have timed out and I'll have to redo the whole RDP thing again.

UGH.  Why can't MS just do a semi decent job of programming the EAC???

Ted

I'm simply giving you a solution; if you think complaining on a site where no one from Microsoft actually looks is a better one, be my guest :)

Are you not able to use the search option to find the appropriate users?

@Dan Snape 

No, for some reason it comes back with nothing found.  In the list I have 545 items, (I bumped up the default from 5000 items returned to 1,000), all but 3 or 4 are security groups.  For the life of me I can't figure out why there are 3 or 4 users in that list and not any others.

@Ted123 Hi Ted,

Just a thought, but seeing as your environment is so secured (which is good), is it possible some of the AD permissions on certain OUs and/or accounts have been stripped, undoing what is done by the Exchange setup process (i.e. /PrepareAD, /PrepareDomain, etc.)?  The logic I am wondering about is that maybe the Exchange Trusted Subsystem group, or Exchange Servers (can't remember if this group is still a thing), have lost their permissions on some OUs due to, for example, permission inheritance being turned off on those OUs.

It could be worth just identifying a user or group that isn't showing up for you, then checking that user's account and OU properties for the Security permissions assigned.  If you find permission inheritance is turned off, that could be the issue.  Re-enabling inheritance might not be allowed, so the solution in that case would be to manually reapply the permissions that /PrepareAD would have set.  That would be painful, vs. enabling inheritance.

@Ted123 are your users in a resource forest? Are the user accounts associated with mailboxes enabled or disabled in AD? 

The UI in Exchange and Skype (for that matter) often hides disabled accounts that aren't correctly set to resource accounts.

If you are able to get to the ECP, you can likely connect to the Remote PowerShell endpoint too, so you can run the required commands without hitting a jump box first.

I have the following script to pull a remote session (save as a .ps1) and replace [ExchangeServer-FQDN] and [@contoso.local]:

# Prompt for the admin account, build its UPN, then open a remote Exchange shell.
$account = Read-Host "What is the userid to use for EMS shell?: (e.g. adm_ntid) "
$accounttouse = $account + "[@contoso.local]"   # replace [@contoso.local] with your UPN suffix
$Cred = Get-Credential $accounttouse
# Kerberos to the Exchange PowerShell virtual directory; replace [ExchangeServer-FQDN] with your server
$ExSession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://[ExchangeServer-FQDN]/PowerShell/ -Credential $Cred -Authentication Kerberos
# Proxy the Exchange cmdlets into the local session
Import-PSSession $ExSession

@KevinCallanan 

I have encountered this same issue.

FIX: (check your config files in the Pickers dir)
I have a hybrid environment and found that "RemoteUserMailbox" was missing in the string for searches in SendAsPicker.aspx and also SendOnBehalfOfPicker.aspx:

\Program Files\Microsoft\Exchange Server\V15\ClientAccess\ecp\Pickers\

@lewischris123 Can you maybe show a sample of what you changed for this to work?

This answer is AMAZING. I don't know how you found this, but it saved me. Also in our case, once I updated the .aspx page, I ran into a permission error ("Active directory response: 00000005: SecErr: DSID-031521D0, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0").

The cause? "By default, Exchange Trusted Subsystem is not granted the "modify permissions" permission. This causes the Add-ADPermission cmdlet to fail with an Access Denied error in some circumstances." The answer was to modify the OU container holding the group(s) and allow "Exchange Trusted Subsystem" rights to modify the groups.

The steps are here:
https://support.microsoft.com/en-us/topic/access-denied-when-you-try-to-give-user-send-as-or-receive...

I hope this helps someone else out!

@Ditiaan 

Hi, I don't know if you figured this out, but I thought I would add the solution that the previous user mentioned.  Modify this line in the two files mentioned in @lewischris123's post:

<ecp:StaticBinding Name="AllowedRecipients" TargetType="System.String" DefaultValue="UserMailbox,LinkedMailbox,LegacyMailbox,MailUser,MailUniversalDistributionGroup,MailUniversalSecurityGroup" />

Add RemoteUserMailbox to make the web UI include these hybrid/remote users in its search:

<ecp:StaticBinding Name="AllowedRecipients" TargetType="System.String" DefaultValue="UserMailbox,LinkedMailbox,LegacyMailbox,MailUser,MailUniversalDistributionGroup,MailUniversalSecurityGroup,RemoteUserMailbox" />
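As an added example (not posted by anyone in the thread), the following script checks both picker pages for the missing recipient type and only patches them with a backup when run with -Apply; the install path assumes a default Exchange install on C:, and Cumulative Updates can replace these files, so it is worth re-running the check afterwards.

```powershell
# Added example, not from the thread: report whether the ECP picker pages still
# lack RemoteUserMailbox in AllowedRecipients and, with -Apply, patch them.
# The path assumes a default install on C:; backups are written beside each file.
param(
    [string]$PickerDir = 'C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\ecp\Pickers',
    [switch]$Apply   # without -Apply the script only reports, it changes nothing
)

# Capture the DefaultValue of the AllowedRecipients binding shown in the thread.
$pattern = '(Name="AllowedRecipients"[^>]*DefaultValue=")([^"]*)(")'

foreach ($name in 'SendAsPicker.aspx', 'SendOnBehalfOfPicker.aspx') {
    $path = Join-Path $PickerDir $name
    if (-not (Test-Path $path)) { Write-Warning "$path not found"; continue }

    $text = [IO.File]::ReadAllText($path)
    $m = [regex]::Match($text, $pattern)
    if (-not $m.Success) { Write-Warning "${name}: AllowedRecipients binding not found"; continue }

    $types = $m.Groups[2].Value -split ','
    if ($types -contains 'RemoteUserMailbox') {
        Write-Host "${name}: already includes RemoteUserMailbox"
        continue
    }
    Write-Host "${name}: RemoteUserMailbox missing (current: $($m.Groups[2].Value))"
    if (-not $Apply) { continue }

    # Keep a timestamped copy before touching a page Exchange serves to admins.
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    Copy-Item -Path $path -Destination "$path.$stamp.bak"

    # Append the type to the existing list; $1/$2/$3 are regex group references,
    # hence the single quotes so PowerShell does not expand them.
    $patched = [regex]::Replace($text, $pattern, '$1$2,RemoteUserMailbox$3')
    [IO.File]::WriteAllText($path, $patched, (New-Object Text.UTF8Encoding($false)))
    Write-Host "${name}: patched; backup at $path.$stamp.bak"
}
```

Run it once without -Apply to confirm it finds exactly the line quoted above before letting it write anything.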

@thekmumm I'm on this site troubleshooting a completely different problem, but this suggestion will solve a problem I've been fighting for weeks.... I registered for no other reason than to say thank you, and if we ever meet IRL I owe you a beer!

I vaguely remember this issue and had been looking for something else and thought I'd hop in here and share. Glad it was helpful to you and the others that I see have found this useful.

Thank you so much! Fix still works in December 2023!

Thank you for the additional details, made the fix much easier!