Getting Started with Exchange 2010 Relay Connectors
So, you have server-side applications that are internal to your environment and require a mechanism...
Theresa Miller
Exchange 2010 Public Folders allow your administrators the ability to grant specific users the ability to send mail on behalf of a mail-enabled public folder.
Before we look at the Manage Send As issue, let’s take a look at how an Exchange or Security administrator would adjust the mail-enabled Public Folder Send As Permissions.
How to Manage the Public Folder Send As Permissions
- Open the Exchange Management Console
- Click the + to the left of Microsoft Exchange On-Premises
- Click the Tool Box
- Double-click Public folder Management Console
- Select the public folder that you would like to adjust the Send As Permissions on
- On the right-hand side of the screen choose Manage Send As Permission
- If all goes well then the wizard screen shown below would be completed without any errors, but in this case we were not so lucky. After adding a new user or group to the public folder Manage Send As we received the following error on our screen:
Issue
The following error appears when adding a user to be able to Manage Send As despite the fact that you are the Super Duper Exchange Administrator for your environment. Even your service account will return the same error.
Error:
Active Directory operation failed on domaincontroller.domain.com. This error is not retriable. Additional information: Access is denied.
Active directory response: 00000005: SecErr: DSID-031521D0, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
The user has insufficient access rights.
Click here for help... http://technet.microsoft.com/en-US/library/ms.exch.err.default(EXCHG.141).aspx?v=14.3.158.1&t=exchgf1&e=ms.exch.err.Ex6AE46B
Exchange Management Shell command attempted:
Add-ADPermission -Identity 'CN=PublicFolderName,CN=Microsoft Exchange System Objects,DC=domain,DC=com’ -User 'domain\userid' -ExtendedRights 'Send As'
Under what circumstances will this error occur?
Basically, there are two scenarios that will generate this error. One is that the Owner set on the public folder is not correct. If your environment has been upgraded from previous versions of Exchange you may see an object GUID listed as shown below instead of an Exchange server name.
The second scenario in which you will receive this error is when the owner is set to one of the Exchange servers in your environment, but you attempt to manage the Send As permissions from a different server in your production environment. Both of these situations will generate the above error on a mail-enabled public folder.
How to check the Public Folder Ownership settings
Before we can adjust the Ownership, we need to know how to find out how the ownership is set. We will learn if the owner is incorrectly set with a GUID or an Exchange Server Name that is different than the server you are managing your public folder permissions. For this will need ADSIEDIT downloaded and installed on your workstation and will need access to Active Directory Users and computers.
Note: If you do not have ADSIEDIT installed here is an article that can help you get started installing ADSIEDIT.
- Open ADSIEDIT
- Connect to the “Default Naming Context” for your domain
- Expand DC=domain,DC=com,CN=Microsoft Exchange System Objects
- Find your Mail-Enabled Public Folder, then right-click and choose properties
- Click the Security Tab and then click the Advanced button
- Click the Owner Tab
- Then click the Other Users or Groups Button
Resolution Option 1 – Mail Disable/Mail Enable the public folder
This is only a good option and is best suited for an organization that plans to always manage public folders from the same server all the time. This method will apply the name of the Exchange server that was being used to mail disable/mail enable the public folder you are working with. While this resets the owner of the public folder, it will specifically be set to that individual server. If management will occur across multiple Exchange servers then the permissions error will resurface. Here are the steps to mail-disable and mail-enable your public folder.
- Open the Exchange Management Console
- Click the + to the left of Microsoft Exchange On-Premises
- Click the Tool Box
- Double-click Public folder Management Console
- Select the public folder that you would like to Mail Disable and then on the right-hand side of the screen choose Mail Disable
- Click Yes
- Mail Enable the public folder by clicking on Mail Enable
Resolution Option 2 – Use ADSIEDIT to set the Folder Ownership to Exchange Servers
Earlier in this article we talked about how to use ADSIEDIT to check what the current folder owner is. You will only use resolution option 2 if your organization manages public folders from multiple exchange servers. Here are the steps to set the current owner to Exchange servers:
- Open ADSIEDIT
- Connect to the “Default Naming Context” on your domain
- Expand DC=domain,DC=com,CN=Microsoft Exchange System Objects
- Find your Mail-Enabled Public Folder, then right-click and choose properties
- Click the Security Tab and then click the Advanced button
- Click the Owner Tab
- Then click the Other Users or Groups Button
- Browse and select Exchange Servers and click OK
- Click the Apply Button and Click OK
Summary
As discussed in the article above, if you have upgraded from previous versions of Exchange you may have issues managing the Send As permissions on your mail-enabled public folders. This article should provide you with the insight to resolve this issue as it applies to your environment.
Get proactive with Exchange Management – Trial the Mailscape Monitoring & Reporting Dashboard.
