In Exchange 2010 environments, administrators often encounter the frustrating "Access is denied" error when attempting to assign Send As permissions through PowerShell. The specific error message:
Active Directory operation failed on DC.OurDomain.pri.
This error is not retriable. Additional information: Access is denied.
Active directory response: 00000005: SecErr: DSID-031521D0, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
The error indicates insufficient rights to modify Active Directory permissions. This can occur when:
- The executing account lacks proper delegation
- There are inheritance issues in AD
- Exchange permissions aren't properly synchronized
Many admins report that manually set permissions through ADUC disappear after approximately 10 minutes. This typically indicates:
- Permission conflicts between Exchange and AD
- SID filtering issues
- Active Directory replication problems
Here are proven methods to resolve this:
Method 1: Using Exchange Management Shell with Elevated Rights
# First verify your current permissions
Get-RoleGroupMember "Organization Management"
# Then run with explicit credentials
$cred = Get-Credential
Add-ADPermission -Identity "User1" -User "Ourdomain\User2" -ExtendedRights "Send As" -Credential $cred
Method 2: Direct ADSI Edit Approach
# Connect to the user object directly
$userDN = (Get-Mailbox "User1").DistinguishedName
$de = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$userDN")
# Create the ACE
$adRight = [System.DirectoryServices.ActiveDirectoryRights] "ExtendedRight"
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
(New-Object System.Security.Principal.NTAccount("Ourdomain\User2")),
$adRight,
[System.Security.AccessControl.AccessControlType]::Allow,
[Guid]("ab721a54-1e2f-11d0-9819-00aa0040529b") # Send As GUID
)
# Commit the change
$de.ObjectSecurity.AddAccessRule($ace)
$de.CommitChanges()
To stop permissions from disappearing:
- Disable inheritance on the user object
- Ensure no conflicting permissions exist
- Check for any automated cleanup scripts
Use this to monitor permission persistence:
function Test-SendAsPermission {
param(
[string]$Mailbox,
[string]$Delegate
)
$startTime = Get-Date
$output = @()
do {
$hasPermission = (Get-ADPermission $Mailbox |
Where-Object {
$_.User -like "*$Delegate*" -and
$_.ExtendedRights -like "*Send*"
}).Count -gt 0
$status = @{
Time = (Get-Date).ToString("HH:mm:ss")
HasPermission = $hasPermission
}
$output += New-Object PSObject -Property $status
Start-Sleep -Seconds 60
} while ((New-TimeSpan -Start $startTime -End (Get-Date)).TotalHours -lt 24)
return $output
}
- Check event logs on all DCs for replication errors
- Verify the account running the command has "Write DACL" rights
- Test with different domain controllers
- Enable AD diagnostic logging
When attempting to grant Send-As permissions in Exchange 2010 using PowerShell, administrators often encounter the following error:
Add-ADPermission "User1" -User "Ourdomain\\User2" -Extendedrights "Send As"
This typically returns:
Active Directory operation failed on DC.OurDomain.pri. This error is not retriable. Additional information: Access is denied.
Active directory response: 00000005: SecErr: DSID-031521D0, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
+ CategoryInfo : WriteError: (0:Int32) [Add-ADPermission], ADOperationException
+ FullyQualifiedErrorId : EDBB94A3,Microsoft.Exchange.Management.RecipientTasks.AddADPermission
The "INSUFF_ACCESS_RIGHTS" error typically indicates one of these issues:
- The account executing the command lacks sufficient privileges
- AD replication issues are preventing permission application
- Permission inheritance is being blocked on the target object
- The Exchange management tools aren't being run with elevated privileges
Method 1: Using Exchange Management Shell with Proper Rights
First, ensure you're running the shell with an account that has:
Add-RoleGroupMember "Organization Management" -Member YourAdminAccount
Add-RoleGroupMember "Recipient Management" -Member YourAdminAccount
Then try this alternative syntax:
Get-Mailbox "User1" | Add-AdPermission -User "Ourdomain\User2" -AccessRights ExtendedRight -ExtendedRights "Send As" -InheritanceType All
Method 2: Direct ADSI Edit Approach
For persistent permission issues, use ADSI Edit:
# Connect to the configuration partition
$de = [ADSI]"LDAP://CN=User1,OU=Users,DC=OurDomain,DC=pri"
$ntAccount = New-Object System.Security.Principal.NTAccount("OurDomain\User2")
$sid = $ntAccount.Translate([System.Security.Principal.SecurityIdentifier])
$adRight = [System.DirectoryServices.ActiveDirectoryRights]"ExtendedRight"
$type = [System.Security.AccessControl.AccessControlType]"Allow"
$guid = [guid]("ab721a54-1e2f-11d0-9819-00aa0040529b") # Send-As GUID
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid,$adRight,$type,$guid)
$de.psbase.ObjectSecurity.AddAccessRule($ace)
$de.psbase.CommitChanges()
If permissions disappear after some time, check AD replication:
repadmin /showrepl
repadmin /syncall /AdeP
Also verify AD object protection status:
Get-ADObject -Identity "CN=User1,OU=Users,DC=OurDomain,DC=pri" -Properties ntSecurityDescriptor | Select-Object @{Name='Protected';Expression={$_.ntSecurityDescriptor.AreAccessRulesProtected}}
If standard methods fail, consider these options:
Using EMC GUI:
- Open Exchange Management Console
- Navigate to Recipient Configuration > Mailbox
- Right-click target mailbox > Properties
- Mailbox Flow tab > Delivery Options > Security tab
Using EMS with impersonation:
New-ManagementRoleAssignment -Name "AllowSendAs" -SecurityGroup "OurDomain\User2" -Role "Mailbox Import Export"
To confirm Send-As permissions were applied:
Get-ADPermission "User1" | Where-Object {$_.ExtendedRights -like "*Send*"} | Format-List User,ExtendedRights
Or test functionality directly:
Send-MailMessage -From "User1@domain.com" -To "test@domain.com" -Subject "Test" -Body "Test" -SmtpServer "yourSMTPserver" -Credential (Get-Credential "User2")