The "Send As" right is removed from a user object after you configure the "Send As" right in the Active Directory Users and Computers snap-in in Exchange Server (907434)

The information in this article applies to:

  • Microsoft Exchange Server 5.5
  • Microsoft Exchange 2000 Server
  • Microsoft Exchange 2000 Enterprise Server
  • Microsoft Exchange Server 2003 Standard Edition
  • Microsoft Exchange Server 2003 Enterprise Edition

SYMPTOMS

You explicitly grant the Send As right on a mailbox-enabled user object by editing the object's security descriptor in the Active Directory Users and Computers snap-in. However, the Send As right is removed from the user object about one hour after you configure it.

Additionally, other changes that you made to the security descriptor of the user object may be reverted. For example, the Allow inheritable permissions from parent to propagate to this object check box may no longer be selected.

If your environment includes Microsoft Exchange Server 5.5 and a functioning Active Directory Connector (ADC), Exchange Server 5.5 mailboxes that are associated with Active Directory user accounts that are members of protected groups may show the "CUSTOM" role in the Exchange Server 5.5 Administrator program.

CAUSE

The Active Directory directory service has a process, the security descriptor propagator (SDProp), that makes sure that members of protected groups do not have their security descriptors manipulated. It runs on the PDC emulator every 60 minutes by default. If the security descriptor of a user account that is a member of a protected group does not match the security descriptor on the AdminSDHolder object, the user's security descriptor is overwritten with a copy of the security descriptor that is taken from the AdminSDHolder object. The process also sets the adminCount attribute of the account to 1 and disables inheritance on the object.

The Send As right is delegated by adding an access control entry to the security descriptor of the user object. Therefore, if the user is a member of a protected group, directly or through nested group membership, the change is overwritten the next time the process runs, within about one hour.

Note You also experience this issue if you have delegated a role to a user in Exchange. For example, you experience this problem if a user account has one of the following roles assigned:
  • Exchange View Only Administrator
  • Exchange Administrator
  • Exchange Full Administrator

RESOLUTION

We recommend that you do not use accounts that are members of protected groups for e-mail. If you require the rights that a protected group grants, use two Active Directory user accounts: one account that is a member of the protected group and is used only for administrative tasks, and one account that is used for e-mail and for all other day-to-day work.

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

MORE INFORMATION

For more information about how to delegate "Send As" rights to a user account, click the following article number to view the article in the Microsoft Knowledge Base:

281208 How to grant a user "Send As" rights in Exchange Server 5.5 and Exchange 2000

For more information about the AdminSDHolder object, click the following article numbers to view the articles in the Microsoft Knowledge Base:

232199 Description and update of the Active Directory AdminSDHolder object

817433 Delegated permissions are not available and inheritance is automatically disabled

The location of the AdminSDHolder object is as follows:

CN=AdminSDHolder,CN=System,DC=MyDomain,DC=Com

Note Replace DC=MyDomain,DC=Com in this path with the distinguished name of your domain.

The following list contains the protected groups in Windows 2000:
  • Enterprise Admins
  • Schema Admins
  • Domain Admins
  • Administrators
The following list contains the protected groups in Microsoft Windows Server 2003 and in Windows 2000 after you apply hotfix 327825 or after you install Windows 2000 Service Pack 4 (SP4):
  • Administrators
  • Account Operators
  • Server Operators
  • Print Operators
  • Backup Operators
  • Domain Admins
  • Schema Admins
  • Enterprise Admins
  • Cert Publishers
Additionally, the following users are considered protected:
  • Administrator
  • Krbtgt
Additionally, user accounts or groups that have been delegated the following roles in Exchange are considered protected:
  • Exchange View Only Administrator
  • Exchange Administrator
  • Exchange Full Administrator
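The following script is an added diagnostic for the behavior described in the CAUSE section and is not part of this article or of Microsoft's own tooling. It assumes a domain-joined computer with the ActiveDirectory PowerShell module (RSAT), which postdates the Exchange versions listed above but inspects the same AdminSDHolder mechanism. The account name jdoe is a placeholder, and the protected group list is the Windows Server 2003 list from this article. The Send-As extended right is identified by its rightsGuid, ab721a54-1e2f-11d0-9819-00aa0040529b, from the Extended-Rights container. The script reports whether the account is protected (adminCount, direct or nested membership in a protected group, inheritance blocked) and which explicit Send As entries on the user are absent from AdminSDHolder and will therefore be stripped on the next propagation pass.

```powershell
# Added diagnostic for KB 907434; not Microsoft's code. Assumes a domain-joined
# machine with the ActiveDirectory module (RSAT) and read access to the directory.
# The sAMAccountName below is a placeholder.
param([string]$SamAccountName = 'jdoe')

Import-Module ActiveDirectory

# rightsGuid of the Send-As extended right (Extended-Rights container).
$SendAsGuid = [Guid]'ab721a54-1e2f-11d0-9819-00aa0040529b'

# Protected groups as listed in this article (Windows Server 2003 / Windows 2000 SP4).
$ProtectedGroups = @('Administrators', 'Account Operators', 'Server Operators',
    'Print Operators', 'Backup Operators', 'Domain Admins', 'Schema Admins',
    'Enterprise Admins', 'Cert Publishers')

$domainDn = (Get-ADDomain).DistinguishedName
$holderDn = "CN=AdminSDHolder,CN=System,$domainDn"
$user     = Get-ADUser -Identity $SamAccountName -Properties adminCount

# Transitive group membership via LDAP_MATCHING_RULE_IN_CHAIN: SDProp also
# protects accounts that reach a protected group through nested groups.
$filter        = "(member:1.2.840.113556.1.4.1941:=$($user.DistinguishedName))"
$allGroups     = Get-ADGroup -LDAPFilter $filter | Select-Object -ExpandProperty Name
$protectedHits = @($allGroups | Where-Object { $ProtectedGroups -contains $_ })

# Returns the Allow ACEs that carry the Send-As extended right on an object.
function Get-SendAsAces([string]$DistinguishedName) {
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.ObjectType -eq $SendAsGuid -and
        ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)
    } | ForEach-Object {
        [pscustomobject]@{ Trustee = $_.IdentityReference.Value; Inherited = $_.IsInherited }
    }
}

$userAcl    = Get-Acl -Path "AD:\$($user.DistinguishedName)"
$userAces   = @(Get-SendAsAces $user.DistinguishedName)
$holderAces = @(Get-SendAsAces $holderDn)

"User:                     $($user.DistinguishedName)"
"adminCount:               $($user.adminCount)"
"Protected groups:         $(if ($protectedHits) { $protectedHits -join ', ' } else { '(none)' })"
"Inheritance blocked:      $($userAcl.AreAccessRulesProtected)"
"Send As on user:          $(($userAces | ForEach-Object { $_.Trustee }) -join ', ')"
"Send As on AdminSDHolder: $(($holderAces | ForEach-Object { $_.Trustee }) -join ', ')"

# Explicit Send As ACEs on the user that AdminSDHolder does not also carry are
# the ones SDProp will remove when it next stamps the AdminSDHolder descriptor.
$willBeLost = @($userAces | Where-Object { $holderAces.Trustee -notcontains $_.Trustee })
if (($user.adminCount -eq 1 -or $protectedHits.Count -gt 0) -and $willBeLost.Count -gt 0) {
    "WARNING: account is protected; Send As for $($willBeLost.Trustee -join ', ') " +
    "will be removed on the next security descriptor propagator pass (every 60 minutes by default)."
}
```

Run it as a domain user with read access to the target account and to CN=AdminSDHolder,CN=System. A user that shows adminCount 1 or a protected-group hit together with an explicit Send As entry that AdminSDHolder lacks is exactly the case this article describes; the fix is the two-account arrangement in the RESOLUTION section, not re-adding the right.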
For more information about hotfix 327825, click the following article number to view the article in the Microsoft Knowledge Base:

327825 New resolution for problems that occur when users belong to many groups


Modification Type: Major
Last Reviewed: 10/9/2006
Keywords: kbexchDIRECTORY kbtshoot kbprb KB907434 kbAudITPRO