Posted on

Listing SendAs and SendOnBehalf Permissions

By Ace Fekay
Published 3/20/2018

Intro

Ace here again.

There are a number of tools that you can use in your day to day AD and Exchange management. This includes Office 365 Hybrid, but we’ll assume that you are performing one way sync to the cloud, and only replicating MSOL attributes back to on premises, so you can manage them locally, for the most part.

This is about getting SendAs and SendOnBehalf rights on a mailbox

SendAs

(Watch word-wrap)

Write-Host “*****************************************************************”
$Mailbox = Ace.Fekay@MSOLUser.com
$MailboxDisplayName = (get-recipient $Mailbox).displayName
Write-Host “///////////////////////////////—-\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\”
Write-Host “*****************************************************************”
Write-host “The following is a list of who has SendAs permissions for ‘$MailboxDisplayName’ :”
Write-Host “*****************************************************************”
Get-recipient $Mailbox | Get-ADPermission | where {($_.ExtendedRights -like “*Send-As*”) -and ($_.IsInherited -eq $false) -and -not ($_.User -like “NT AUTHORITY\SELF”)} | FT user, @{name=”User’s DisplayName”;expression={(Get-recipient $_.User).Displayname}}, extendedRights -AutoSize
$MailboxCount = @(Get-recipient $Mailbox | Get-ADPermission  | where {($_.ExtendedRights -like “*Send-As*”) -and ($_.IsInherited -eq $false) -and -not ($_.User -like “NT AUTHORITY\SELF”)}).count
Write-Host “Total number of users that can SendAs on contact ‘$MailboxDisplayName’ is” $MailboxCount
Write-Host “*****************************************************************”

Write-Host “\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\—-///////////////////////////////”
Write-Host “*****************************************************************”

SendOnBehalf

(Watch word-wrap)

Write-Host “*****************************************************************”
$Mailbox = Ace.Fekay@MSOLUser.com
$MailboxDisplayName = (get-recipient $Mailbox).displayName
Write-host “The following is a list of who has SendOnBehalf permissions for ‘$MailboxDisplayName’ :”
Write-Host “*****************************************************************”
# – property not found – $sendonbehalfList = (get-recipient $Mailbox | select -ExpandProperty GrantsendOnBehalfto | foreach { Get-Mailbox $_ | select displayname, name})
$sendonbehalfList = (get-mailbox $Mailbox | select -ExpandProperty GrantsendOnBehalfto | foreach { Get-Mailbox $_ | select displayname, name})
#Get-recipient $Mailbox | Get-ADPermission | where {($_.ExtendedRights -like “Grant*”) -and ($_.IsInherited -eq $false) -and -not ($_.User -like “NT AUTHORITY\SELF”)} | FT user, @{name=”User’s DisplayName”;expression={(Get-User $_.User).Displayname}}, extendedRights -AutoSize
Write-Host “And the list of who have SendOnBehalf on ‘$MailboxDisplayName’ is:” $SendonBehalfList  
Write-Host “*****************************************************************”

Example output:

*****************************************************************
///////////////////////////////—-\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
*****************************************************************
The following is a list of who has SendAs permissions for ‘Fekay, Ace’ :
*****************************************************************
User            User’s DisplayName                           ExtendedRights
—-            ——————                                          ————–
Contoso\AFekay-Admin Fekay, Ace (Admin Only) {Send-As}    

Total number of users that can SendAs on contact ‘Fekay, Ace’ is 1
*****************************************************************
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\—-///////////////////////////////
*****************************************************************

Summary

I hope this helps!

Published 3/20/2018

Ace Fekay
MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2012|R2, 2008|R2, Exchange 2013|2010EA|2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP – Directory Services

As many know, I work with Active Directory, Exchange server, and Office 365 engineer/architect, and an MVP in Active Directory and Identity Management, and I’m an MCT as well. I try to strive to perform my job with the best of my ability and efficiency, even when presented with a challenge, and then help others with my findings in case a similar issue arises to help ease their jobs. Share the knowledge, is what I’ve always learned.

I’ve found there are many qualified and very informative websites that provide how-to blogs, and I’m glad they exists and give due credit to the pros that put them together. In some cases when I must research an issue, I just needed something or specific that I couldn’t find or had to piece together from more than one site, such as a simple one-liner or a simple multiline script to perform day to day stuff.

I hope you’ve found this blog post helpful, along with my future scripts blog posts, especially with AD, Exchange, and Office 365.

clip_image0023 clip_image0043 clip_image0063 clip_image0083 clip_image0103 clip_image0123 clip_image0143 clip_image0163

Complete List of Technical Blogs (I may be moving the following site): http://www.delawarecountycomputerconsulting.com/technicalblogs.php

Or just search within my blogs:
https://blogs.msmvps.com/acefekay/

This posting is provided AS-IS with no warranties or guarantees and confers no rights.

Posted on

Reanimate an Exchange Server Deleted From the Exchange Organization in the Configuration Container in Active Directory

By Ace Fekay
MCT, MVP, MCSE 2012/Cloud, MCITP EA, MCTS Windows 2008/R2, Exchange 2007 & 2010, Exchange 2010 Enterprise Administrator, MCSE 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP: Directory Services
Active Directory, Exchange and Windows Infrastructure Engineer & Janitor

Background:

Hey everyone, Ace here again. Here’s an interesting issue I came across when an administrator, while using ADSI Edit, deleted one of their Exchange 2010 servers from the Exchange Organization in AD’s Configuration Container. Of course, it was not intentional, so I didn’t even ask why or how, but I was told that they were working on something else in ADSI Edit, and the administrator unintentionally deleted the Exchange server object. And as we all know, there is no “Undelete” button in ADSI Edit.

Before I went about trying to perform an Authoritative Restore with AD, I figured I would try to use the AD Recycle Bin to recover the object. However, I knew it wouldn’t be there, because it was never deleted from ADUC Computer Container, rather it was deleted from the Exchange Organization. But I did it just to show how to do it, and to illustrate the differences in the object’s locations and significance.

What I did was is re-animated the deleted server using ADSI Edit. I used a lab machine to test it before attempted to try it on their production system.

 

Before I performed a test delete in my lab

Here are the three Exchange Servers, Van-EX1, Van-EX2, and Van-EX3, showing in the ADUC’s Computers Container:

 

Here’s VAN-EX3 in ADSI Edit and its attributes. This is what it’s supposed to look like.

 

Looking further into the server object attributes in ADUC Advanced View, Attribute Editor, it shows the server’s ObjectSID:

 

Delete VAN-EX3

Here’s where I deleted VAN-EX3 in ADSI Edit:

 

The delete warning message:

 

And the second delete warning message. Apparently ADSI Edit, the tool that doesn’t have an Undelete” button, wants to make sure that you want to delete it. I think it’s good that it asks twice:

 

VAN-EX3 has now been deleted from the Exchange Organization section in the Configuration Container:

 

However, as you an see in ADUC, it still shows VAN-EX3. That’s because we didn’t delete it from AD, rather it was deleted from the Configuration Container.

 

As you can see here, Exchange’s services still show that they’re still running.

 

Trying to find the deleted object in the Recycle Bin using LDP

Here’s where I looked for the Exchange object in the Recycle Bin using LDP. However, since the Exchange computer object still exists in AD, rather it was deleted from the Organization. I knew it won’t be in the Recycle Bin, because it wasn’t really deleted from AD.

These steps were more to show everyone the differences between a deleted computer object, that would show up here, and an Exchange server deleted from the Organization.

 

Click Connection, then Bind:

 

We’re binding using default values, meaning it will use the currently logged on domain administrator account.

 

In LDP, click Options, then Controls:

 

In the Load Predefined drop-down box, I chose to “Return Deleted Objects:”

 

As you can see, Return Deleted Objects chosen in the drop-down box:

Under Tree View, for the base DN, I typed in cn=deleted objects,dc=adatum,dc-com. As you can see, nothing showed up. So VAN-EX3 is not in the Recycle Bin.

 

Recreating VAN-EX3 in the Exchange Organization in the Configuration Container

I drilled down into the Exchange Organization in the Configuration Container, CN=Exchange Administrative Group (FYDIBOHF23SPDLT), CN=Servers. Then I right-clicked CN=Servers, New, Object.

By the way, not to get off topic, but if you’re wondering how the Exchange team came up with that Administrative Group name, “(FYDIBOHF23SPDLT),” click here.

 

Once the server object has been created, now we need to create the necessary Exchange server object containers under the server object we created. What helps is that the attributes are still in AD:

 

For “Select a Class” dialog box, scroll down and select msExchServersContainer

 

For the Value field, type in VAN-EX3:

 

Click Finish:

 

Now we must create the Exchange Information Store container. Right-click, New, choose Object:

 

In the Select a Class dialog box, choose msExchInformationStore:

 

Type “Information Store” in the Value field:

 

Click Finish:

 

The values appear correct so far. If you double-click on the CN=Information Store object, scroll down, you can see the DN value is correct (sorry, I didn’t screenshot that part):

 

Now let’s create the MTA. Same deal as above, in the Select a Class dialog box, right-click, New, scroll down and choose mTA:

 

Type in Microsoft MTA:

 

To get the time out and other values it’s asking, I opened another instance of ADSI Edit, and looked at the values for one of the other existing Exchange Servers:

 

The transRetryMins value of 5 that I populated, which I found from the other Exchange server:

 

The last attribute, which of course is the server’s name:

 

Now we must create the Microsoft System Attendant object for VAN-EX3 by right-clicking Van-Ex3, new, choose Object, and in the Select a Class dialog box, scroll down and select exchangeAdminService:

 

For the CN value, type in Microsoft System Attendant:

 

Scroll down in the Attribute Editor to deliveryMechanism, set it to 0 (zero):

 

Click Finish:

 

Now test logging on with a mailbox that exists in VAN-EX3, and try to send and receive an email. You should find that it works perfectly.

 

Point of the story: Be careful what you do in ADSI Edit.

Suggestions, Comments, Corrections are welcomed.

Ace Fekay