Share via

Give a AD Group Send-As and Send on Behalf Permissions to a resource

  • Article

Question

Thursday, August 10, 2017 6:25 PM

I am able to give an AD group Full Access to a resource using this powershell command

Add-MailboxPermission -id ALIAS -User "Group Name" -AccessRights Fullaccess

but I am unable to give the same group Send-As permissions nor Send on Behalf permissions

I have also tried

Add-ADPermission ALIAS -User "Group Name" -ExtendedRights Send-As

Where ALIAS is the resource email alias but there is an error that the alias cannot be found. I know it is there becasue I used it to grant full access.

Jeremy Robertson Network Admin

All replies (17)

Thursday, August 10, 2017 6:42 PM

Hi.

Manage permissions for recipients

Add-ADPermissions -Identity <Distribution Group> -User <User\Security Group> -ExtendedRigths "Send As","Send on Behalf"

MCITP, MCSE. Regards, Oleg

Thursday, August 10, 2017 7:04 PM

I have tried this and it doesn't work, your typos aside ;-) says can't find the alias

Jeremy Robertson Network Admin

Thursday, August 10, 2017 7:19 PM

You can use display name from Distribution Group or email address.

Add-ADPermissions -id "Distribution Group"

Identity

Required

The Identity parameter specifies the identity of the object that's getting permissions added. You can specify either the distinguished name (DN) of the object or the object's name if it's unique. If the DN or name contains spaces, enclose the name in quotation marks (").

MCITP, MCSE. Regards, Oleg

Thursday, August 10, 2017 7:44 PM

try this

Get-DistributionGroup "Distribution Group Name" | Add-AdPermission –ExtendedRights Send-As –User "UserName" –AccessRights ExtendedRight

Thursday, August 10, 2017 8:08 PM

I was able to get this to work for the Send-As, How about the Send on behalf permissions?

How do I set them to a group?

Jeremy Robertson Network Admin

Thursday, August 10, 2017 8:31 PM

Get-DistributionGroup "Distribution Group Name" | Set-DistributionGroup -GrantSendonBehalfTo "User Name"

Friday, August 11, 2017 12:55 PM

It's not a distribution group it's a resource so when I use Get-DistributionGroup "Distribution Group Name" | Set-DistributionGroup -GrantSendonBehalfTo "User Name" I get an error that the resource name could not be found.

Jeremy Robertson Network Admin

Friday, August 11, 2017 1:44 PM

What exactly you mean by resource? is it a mailbox or security group (mail enabled)

Friday, August 11, 2017 1:51 PM

It's a resource, a conference room to be more accurate. The resource has an email address and a calendar.
I want to assign the Following access rights to the resource mailbox and calendar to a security group rather then listing each member of the group in each of the 3 sections Full access, Send As, and Send on behalf of. Why Microsoft didn't see it necessary to add security groups to these lists in the EMC is beyond me. I have figured out how to five full access to a mailbox but this doesn't give them all the access they need so with the help of this forum I have added the group to send as but still have not been able to add them to the send on behalf.

Not sure how to make this any more clear.

Jeremy Robertson Network Admin

Friday, August 11, 2017 2:33 PM

I checked my Exchange server as well as Outlook ( via delegate access)  to see if I can grant "Send on behalf" to a security group - Sorry unfortunately not possible.

Friday, August 11, 2017 4:22 PM

Hi hotrodjeremy,

Whether you want to allow group to send as user or user send as group? The commands Raj Nuthula posted is allowing user to send as group.

To allow group send as user, the Available delegate types for the group is security groups, not Distribution groups. We can use command or ADUC to grant the send as permission.

1. Use command: Add-AdPermission -Identity <resource mailbox name> -User <security group name> -AccessRights ExtendedRight -ExtendedRights "Send As"
2. Use ADUC, like this: 

To allow group send on behalf user, the Available delegate types for the group is security groups and Distribution groups, while we can’t use ADUC to realize it.

Use command: Set-Mailbox <resource mailbox name> -GrantSendonBehalfTo <group name>

Best Regards,

Manu Meng
TechNet Community Support

Please remember to mark the replies as answers if they help and unmark them if they provide no help.
If you have feedback for TechNet Subscriber Support, contact [email protected].

Friday, August 11, 2017 4:27 PM

When I use Set-Mailbox <resource mailbox name> -GrantSendonBehalfTo <group name>

I am getting the same Can't find the group name that I am using. I know it exists

Jeremy Robertson Network Admin

Friday, August 11, 2017 6:12 PM

Did you mail enable the security group?

Enable-DistributionGroup -Identity <security group name>

Best Regards,

Manu Meng
TechNet Community Support

Please remember to mark the replies as answers if they help and unmark them if they provide no help.
If you have feedback for TechNet Subscriber Support, contact [email protected].

Friday, August 11, 2017 6:37 PM

I guess I am confused by this because the group is an AD security Group not a distribution group.

Jeremy Robertson Network Admin

Friday, August 11, 2017 6:45 PM

Actually, if you mail enable the AD security Group, you convert it to a distribution group. Just run Enable-DistributionGroup to mail enable it.

Best Regards,

Manu Meng
TechNet Community Support

Please remember to mark the replies as answers if they help and unmark them if they provide no help.
If you have feedback for TechNet Subscriber Support, contact [email protected].

Thursday, November 8, 2018 10:48 AM

I'm trying to do the same thing:

"Give a AD Group Send-As and Send on Behalf Permissions to a shared mailbox."

I have 2 groups 

  1. A mail enablet, universal Distribution group
  2. A mail enablet, universal security group

And a shared mailbox.

I'm using this command:

Set-Mailbox <shared mailbox> -GrantSendOnBehalfTo @{add="<security/distribution group>"}
None of them works.
(If I use a single AD-user object, it works flawless)

The command run with no error, but a warning :

WARNING: The command completed successfully but no settings of 'MyDomain.net/Service Areas/MyOu/Exchange Objects/SharedMailboxes/MySharedMailbox' have been modified.

Nothing is added to the shared mailbox "sendonbehalf" list.

If I use this command:
Set-Mailbox <resource mailbox name> -GrantSendonBehalfTo <group name>
It simply delete the list "sendonbehalf" list, and nothing else.

I don't think it is possible to a AD-group to sendonbehalf-list, only single AD-user objects.

Please prove me wrong.

Bjarne Jensen

Thursday, November 8, 2018 1:50 PM

The way I do it is I assign the user to a DBL and the DBL Send On Behalf permissions

Get-Mailbox -id "Mail box name" | Set-Mailbox  -GrantSendOnBehalfTo "<Distrobution List>"

Jeremy Robertson Network Admin