"Send As" permission fails with users in second domain on same server

I have several users setup on an Exchange 2010 SP3 server with domain "domain1.com". "Send As" and full Permission access works fine and flawless between those users who need it. 
Now I have added a second authorative Domain (domain2.com) on that server and set up a few users. Those domain2 users can send/receive email in domain2.com without problems.
I wanted to give certain users in domain1 "Send As" and Full Access permissions on a domain2 user mailbox. Full Access works, but sending a message won't work. The error that comes back is the same as if "Send As" permissions was not
assigned to that user. But I explicitly assign this permission. 
Is this a known issue and there is a fix for it? Or is this simply not possible?
Thanks
Dan

First, you should not use both Send As and
“Send on behalf of” pick one or other. Another thing, if you are using
Send As, find the user in
Active Directory Users and
Computers right click the user and select properties, Click
Security
Tab then presses the
Advance button.
In there you should see the User listed under there with Send As permissions. If you do not see this that’s the main reason why you cannot “Send As”. Send As is an AD
ACL not Exchange. If you have set this in the EMC and it has not replicated or updated the ACL’s in Active Directory then you might have a delay/latency or a replication issue with Active Directory.   
Hi Swetha,
Thanks for your reply.
I am only using "Send As" and not "Send on behalf". 
The Send-as permissions are visible in the AD for that user.
Dan

Similar Messages

  • CLUVFY failing with 'User Equivalence check failed for...'

    New 2 node RAC configuration. Oracle 10gR2, Linux RHEL 5 x64. I'm at the post hardware config, pre install clusterware stage.
    Running the cluster verification utility command:
    cluvfy comp sys -n node-01,node-02 -p crs -verboseReturns the following error:
    Verifying system requirement
    ERROR:
    User equivalence unavailable on all the nodes.
    Verification cannot proceed.
    Verification of system requirement was unsuccessful on all the nodes.I've verified the following:
    1) RSA keys correctly configured on both nodes and I can ssh between without a password
    2) ping ip and private work correctly to and from both nodes.
    3) user, group ids are identical on both systems.
    I also ran cluvfy stage -post hwos -n node-01,node-02 -verbose and received the following output. This output is from node-01. node-02's is identical, except with equivalence to itself failing.
    Checking node reachability...
    Check: Node reachability from node "node-01"
      Destination Node                      Reachable?
      node-02                       yes
      node-01                       yes
    Result: Node reachability check passed from node "node-01".
    Checking user equivalence...
    Check: User equivalence for user "oracle"
      Node Name                             Comment
      node-02                       passed
      node-01                       failed
    Result: User equivalence check failed for user "oracle".
    WARNING:
    User equivalence is not set for nodes:
            node-01
    Verification will proceed with nodes:
            node-02
    Checking node connectivity...I get the same behavior on both nodes. Not quite sure what else to check. Any thoughts or suggestions? Thanks.

    No, no banners. And I followed note 300548.1 to the letter. Several times :-)
    However, I believe my issue has to do with a CVUHOME/cv/admin/cvu_config.
    According to the documentation:
    CV_XCHK_FOR_SSH_ENABLED—If set to TRUE, it enables the X-Windows check for verifying user equivalence with ssh. By default, this entry is commented out and X-Windows check is disabledIt was not, unfortunately, disabled by default - once I set it to false, everything succeeded. I still need to figure out why XCHK itself is failing, but I think I can troll through the log to figure that out.

  • Event Log The request failed with HTTP status 401: Unauthorized. workstation to server fetch some reports

    The request failed with HTTP status 401: Unauthorized.
       at Microsoft.SqlServer.ReportingServices2005.Execution.RSExecutionConnection.GetSecureMethods()
       at Microsoft.SqlServer.ReportingServices2005.Execution.RSExecutionConnection.IsSecureMethod(String methodname)
       at Microsoft.SqlServer.ReportingServices2005.Execution.RSExecutionConnection.LoadReport(String Report, String HistoryID)
       at Microsoft.Reporting.WinForms.ServerReport.GetExecutionInfo()
       at Microsoft.Reporting.WinForms.ServerReport.SetParameters(IEnumerable`1 parameters)
       at Accounting.Reports.UI.FormReportPreview.LoadReport()
       at Accounting.UI.FormBase.PreLoadReportComponents()
    Please help me with this can't figure out, don't know how to troubleshoot this 5 days working on this error no changes so far, thanks in advance if u can figure it out....

    Hi willjohn520,
    Based on your description, it seems that you are getting the error when you connect to report server reports in workstation. If in this scenario, the issue can be caused by “Host Header”(<foo>) in  a URL that looks like http(s)://<foo>/reports
    is neither the machine name nor the loop back IP address nor the machine's IP address.
    For more details information about this issue, please refer to the following blog:
    http://blogs.msdn.com/b/lukaszp/archive/2008/07/18/reporting-services-http-401-unauthorized-host-headers-require-your-attention.aspx
    Hope this helps.
    Thanks,
    Katherine Xiong
    Katherine Xiong
    TechNet Community Support

  • Problem with multiple Toplink/JPA apps in same server

    Anyone have experence of running serveral Toplink/ EJB-3 Web apps in the same server (OC4J, alas)?
    We seem to get a problem with the second app failing to initialise toplink, with an entity not found message. Each app runs OK on it's own.

    Yes, they access the same datasource and most of the tables overlap.
    We're thinking it might help to have common entity classes and put them in a shared library, but I don't know if this is relevant (setting up shared libraries complicates testing and tends to snowball, I reckon we need about 15 jars all told).
    I''ve had some funnies on OC4J before which I think may be to do with it's use of ClassLoaders, for example I initially put persistence.xml in the libary jar with the data model, but for some reason I get the entity not found error that way. It only seems to work if it's in the classes folder.
    For the moment we're getting arround the problem with multiple OC4J instances in the server.

  • Deploying a copy of existing database with a different name on the same server

    I am a developer(an inexperienced one) trying to understand what is the best way to deploy a brand new database with
    the exact same schema as an existing DB on the same server, but with a different name. I want to preserve the data in all reference tables which I can do by having the relevant post-deployment scripts run after the deployment. 
    What I can't understand is how the project should be set up to deploy database Customer_2 if database Customer_1 exists on
    this server - the Visual Studio project contains DB Customer and I need to find a way to be able to deploy Customer_N (but without creating N identical DB's in the project). I checked a ton of articles and blogs, and feel dumb asking this question but haven't
    been able to understand it yet. Any help would be appreciated.

    Hello,
    Maybe the TargetDatabase and the DeployToDatabase properties can help you.
    http://www.asp.net/web-forms/tutorials/deployment/web-deployment-in-the-enterprise/deploying-database-projects
    You can deploy multiples databases from one project if you want, as explained on the following
    post:
    http://stackoverflow.com/questions/1544966/gdr-deploying-multiple-database-targets-with-one-project
    Hope this helps.
    Regards,
    Alberto Morillo
    SQLCoffee.com

  • Problem with User Defined Second Selection Screen

    Hi Gurus,
                       I have a problem with the selection  screen selections. My requirement is that , User when he selects a check box on the main selection screen ( which is 1000) then at the at-selection event, another screen (whose number is 2000) will be called and it has some parameters to enter values. My problem is that how to get the values from this second screen and use them in the in my program. There is an execute button on the second selection screen and when i click that, nothing is happening.
                       Can anybody suggest me how to get the values from this screen which we called, and entered values in that screen. How to use these values and is there any way that we can do this.
    Thanks in advance for helping me out.
    Regards,
    Srinivas.

    Use <b>DYNP_VALUES_READ</b> FM to read the values from your dynpro screen...
    Like this...
    DATA: ls_dyname     TYPE d020s-prog,
            ls_dynumb     TYPE d020s-dnum.
    gt_dynpfields TYPE STANDARD TABLE OF dynpread WITH HEADER LINE.
        ls_dynumb = '0112'.
        gt_dynpfields-fieldname = 'RF05A-NEWKO'.
        APPEND gt_dynpfields.
      CALL FUNCTION 'DYNP_VALUES_READ'
        EXPORTING
          dyname               = ls_dyname
          dynumb               = ls_dynumb
        TABLES
          dynpfields           = gt_dynpfields
        EXCEPTIONS
          invalid_abapworkarea = 1
          invalid_dynprofield  = 2
          invalid_dynproname   = 3
          invalid_dynpronummer = 4
          invalid_request      = 5
          no_fielddescription  = 6
          invalid_parameter    = 7
          undefind_error       = 8
          double_conversion    = 9
          stepl_not_found      = 10
          OTHERS               = 11.
    Greetings,
    Blag.

  • Installation fails with user is not an administrator Acrobat XI Pro Win ESD

    After several attempts to install Acrobat XI Pro Win ESD, each try failing at the same step. The error message indicates that the user is not an administrator. This is not true.
    I have uninstalled Adobe reader, restarted, and installed again, resulting in the same failure. System OS, Win 7
    Any ideas?

    I and many other people have successfully installed in Win 7 and Win 8 without issue, so something specific with your system is the cause. Run the Acrobat cleaner to remove anything left over from previous attempts.
    Download Adobe Reader and Acrobat Cleaner Tool - Adobe Labs
    Then make sure that all extraneous software is turned off. No virus or spyware protection, nothing running in the background that you don't need to have running. I haven't tried in Windows 8, but in Windows 7:
    click on the start menu
    in the Search panel type: msconfig
    See if you can install during a Safe boot. If something is necessary for installation that is not available during a Safe boot,
    then look Startup Processes and turn off what you can, reboot and try again.

  • Sync failed with user datastore

    Hello,
    When using ctx_ddl.sync_index in 8.1.7 on a user datastore index, the synchronization is not done (same values in dr$<IDX>$i). If I drop and recreate the index, values in dr$<IDX>$i are correct. ctx_ddl.sync_index works ok with other indexes (non user datastore).
    Is this a limitation, or is there another way to sync a user datastore index?
    Thanks and have s good day
    Eric
    null

    More info:
    In fact sync and drop/recreate impact a user datastore index in different ways: sync creates new tokens (token_text) in dr$<IDX>$i, and drop/recreate groups token and increment references (token_count).
    Assuming it's a feature, does it impact the search in any ways? If so, which method is recommended: sync or drop/recreate?
    Thanks in advance
    Eric
    <BLOCKQUOTE><font size="1" face="Verdana, Arial, Helvetica">quote:</font><HR>Originally posted by eric vespierre:
    Hello,
    When using ctx_ddl.sync_index in 8.1.7 on a user datastore index, the synchronization is not done (same values in dr$<IDX>$i). If I drop and recreate the index, values in dr$<IDX>$i are correct. ctx_ddl.sync_index works ok with other indexes (non user datastore).
    Is this a limitation, or is there another way to sync a user datastore index?
    Thanks and have s good day
    Eric<HR></BLOCKQUOTE>
    null

  • Why I failed to start a second webserver in same weblogic server installed one machine

    Everyone,
              I want to start a second webserver bindding with intranet IP address,
              same time, one webserver had been started in this weblogic server in
              extranet ip address.
              But i cann't configurate it successfully.Why ? Help me !
              Thinks everyone
              [email protected]
              

              They need to use different IP address and the same port number if they are to
              be clustered. If they are not to be cluster they can simply use different port
              numbers.
              On Unix, the ifconfig command can be used to create virtual IP addresses.
              Mike
              [email protected] (jiangxianlou) wrote:
              >Everyone,
              >
              >I want to start a second webserver bindding with intranet IP address,
              >same time, one webserver had been started in this weblogic server in
              >extranet ip address.
              >But i cann't configurate it successfully.Why ? Help me !
              >
              >Thinks everyone
              >
              >[email protected]
              

  • RDP using Smartcard fails with NLA for non-domain members

    We have to administer Windows 2008 R2 servers which are in domains we are not members of - typically domains that support a particular application. We have DoD smartcards (CAC) and we admin from our Windows 7 desktops. If we disable NLA, we can CAC-authenticate
    over RDP just fine. With NLA enabled, though, we get "The remote computer you are trying to connect to requires NLA but your Windows domain controller cannot be contacted to perform NLA".
    My assumption would be that the Win7 desktops would never know where the particular ADCs are, since we're not domain members, but that they actually need to verify the DoD root cert that signed our CAC. Said root cert has been installed on our desktops and
    on the servers in the domains.
    What is necessary to get NLA with smart cards working for non-domain members?
    Edit: With NLA enabled I *can* connect over RDP from one of the domain members to another, so this really seems specific to the non-member desktop settings and how it performs NLA

    Hi,
    Thank you for posting in Windows Server Forum.
    If you use the credential SSP on Windows Vista or Windows 7 to log on with a smart card from a computer that is not joined to a domain, the smart card must contain the root certification of the domain controller. A public key infrastructure (PKI) secure channel
    cannot be established without the root certification of the domain controller.
    You can use following command for adding certificate.
    certutil –addstore –enterprise NTAUTH <CertFile> 
    Where <CertFile> is the root certificate of the KDC certificate issuer.
    More information.
    Smart Card and Remote Desktop Services
    http://technet.microsoft.com/en-us/library/ff404286(WS.10).aspx
    Apart there is one Hotfix might resolve your case, go through beneath link once.
    RDS client computer cannot connect to the RDS server by using a remote desktop connection in Windows
    http://support.microsoft.com/kb/2752618
    Hope it helps!
    Thanks.
    Dharmesh Solanki
    TechNet Community Support
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

  • On new MacPro with Microsoft Office, two email accounts (same server) yet one is fine the other dumps 35,000 emails into inbox. Apple consultants no help. How do I get the 35000 email account fixed?

    On new MacPro with Microsoft Office. Two email accounts, same service provider and server, yet one email account is fine and the other dumped the entire server of 35,000 emails into inbox. Need to keep server load for business, but how can emulating server on one account be fixed?

    You should clean up your inbox on the server. Log into the account's web interface and move the 35,000 emails out of the inbox into another folder. Why do you need to keep 35,000 emails in the inbox? An email client like OutLook etc. using POP protocol downloads all the inbox emails to your computer.

  • Exchange 2007 - Send As Permission

    Hello, I have Exchange Server 2007 installed on my Windows Server 2008 system and am using an ASP.NET web application to send an e-mail message when certain events occur.  My problem is that I have everything set up and functioning properly, the e-mail message is sent with the designated e-mail address and I receive the e-mail message with no problems.  In order to do this, I have a generic e-mail address that I created for my domain and granted that generic e-mail address "Send As" permission for a different domain e-mail address and use the generic e-mail address in my ASP.NET web application for security purposes.
    My problem is the "Send As" permission seems to disappear very frequently.  It seems that I need to go into the Exchange Management Console and grant this Send As permission every time my server is rebooted, or even after going into Exchange Management Console to "Look around" and see what I have set up.  Does anybody know if there is a way to make the grant of Send As permission permanent so I don't have to constantly re-grant it?  I have applied SP1 to Exchange Server 2007 and am always sure to apply the most recent patches, etc. as soon as they are released.
    Thanks in advance!
    Tim

    Dear customer:
    Thanks for Bala’s reply. He is right.
    Active Directory uses a protection mechanism to make sure that ACLs are set correctly for members of sensitive groups. The mechanism runs one time an hour on the PDC operations master. The operations master compares the ACL on the user accounts that are members of protected groups against the ACL on the following object:
    CN=adminSDHolder,CN=System,DC=<MyDomain>,DC=<Com>
    Note "DC=<MyDomain>,DC=<Com>" represents the distinguished name (DN) of your domain.
    If the ACL is different, the ACL on the user object is overwritten to reflect the security settings of the adminSDHolder object (and ACL inheritance is disabled). This process protects these accounts from being modified by unauthorized users if the accounts are moved to a container or organizational unit where a malicious user has been delegated administrative credentials to modify user accounts. Be aware that when a user is removed from the administrative group, the process is not reversed and must be manually changed.
    The following list describes the protected groups in Windows Server 2003 and in Windows 2000 after you apply the 327825 hotfix or you install Windows 2000 Service Pack 4:
    • Administrators
    • Account Operators
    • Server Operators
    • Print Operators
    • Backup Operators
    • Domain Admins
    • Schema Admins
    • Enterprise Admins
    • Cert Publishers
    Additionally the following users are also considered protected:
    • Administrator
    • Krbtgt
    So first, please check whether the user that you grant “sends as” permission for it belongs to the above group.  If so, open ADSIEDIT.msc,  Check"Allow inheritable permissions from the parent to propagate to this object and all child objects. Include these with entries explicitly defined here" option on the adminSDHolder. And replicates all the DC, and grant “send as” permission for the user again via EMC, check whether the “send as” work fine.
    For more information about adminSDHolder, please refer to “MORE INFORMATION” section in the following article:
    Delegated permissions are not available and inheritance is automatically disabled
    http://support.microsoft.com/kb/817433/en-us
    Additionally, for more information about Exchange 2007 Permissions, please refer to the following documents:
    Exchange 2007 Permissions: Frequently Asked Questions
    http://technet.microsoft.com/en-us/library/bb310792.aspx
    Hope it helps. If you have any question, please feel free to let me know.
    Rock Wang - MSFT

  • Send As permission not working - Exchange 2010

    Trying to allow a user to send as from a distribution list on Exchange 2010. I ran the following command:
    Add-ADPermission -identity "Algentis - HR" -user mwong -AccessRights ExtendedRight -ExtendedRights "Send as"
    The users gets an access denied NDR error message in Outlook (both cached and non-cached mode) as well as OWA. Here is the exact NDR:
    Delivery has failed to these recipients or groups:
    [email protected]
    You can't send a message on behalf of this user unless you have permission to do
    so. Please make sure you're sending on behalf of the correct sender, or request
    the necessary permission. If the problem continues, please contact your
    helpdesk.
    Please help!

     Try to send mail through OWA, it may work. If it is, then it's Outlook issue.
    Solution: Have user update the offline address book (click Send/Receive tab, click Send/Receive groups and select Download Address Book). Better yet,
    1) Close Outlook
    2) Delete the offline address book folder under “C:\Users\username\AppData\Local\Microsoft\Outlook\Offline Address Books”  (I assume it’s Windows 7 computer, look under C:\documents and settings\username\…. for XP computers).
    3) Open Outlook and let it download new OAB.
    Other Possibilities are,
    1) You just gave “Send-As” permission for the user. Then, you have to wait for few hours. (you may restart Information Store to take effect the permission right away, who wants to do it?
    2) User’s Outlook got bad/outdated cached contact information. Search for *.NK* files under user’s profile and delete it. Obviously Close the Outlook first before you delete the *.NK* files.
    Please check this from your end & if you face any issue or have any query please let me know.
    Check the below mentioned link for your reference.
    http://anandthearchitect.wordpress.com/2011/07/17/exchange-2010-you-cant-send-a-message-on-behalf-of-this-user-unless-you-have-permission-to-do-so/

  • Exchange 2013 send as permission not allowed

    We have a Exchange 2013 server and Outlook 2010 clients. I have set full permission on other mailboxes with Powershell and in the ECP I set Send As permission for this user. But when I start Outlook 2010, go to the mailbox of one of the users and try to
    send an email as this user, the Outlook gives the error that send as is not allowed. What could the problem be?

    Hi,
    Please log in the Exchange Admin Center in Exchange 2013 to check whether the permissions are configured properly:
    1. Access ECP URL in IE to logon EAC as an administrator.
    2. Click recipients > Mailbox.
    3. Double-click the userA which is set full access permission and send as permission.
    4. In the User Mailbox window, click mailbox delegation to check whether the userB is listed under Send As and Full Access permission.
    If the permission is configured correctly, please try removing the permission and re-add it to check whether the issue persists.
    Thanks,
    Winnie Liang
    TechNet Community Support

  • 'Send as' permission across forest not working

    I want to grant 'send-as' permission to an user on a distribution group (security group) of different forest.
    I tried granting this via Active Directory but whenever we try to send mail as this distribution group, Outlook complaints "You can't send a message on behalf of this user unless you have permission
    to do so. Please make sure you're sending on behalf of the correct sender, or request the necessary permission. If the problem continues, please contact your helpdesk."

    Hi,
    Please make sure two forests are trusted each other. And both the user and the distribution group are not hidden from address list and have mailbox enabled. Please run the following command to check whether the user is assigned to send as permission:
    Get-ADPermission DistributionGroup| where {($_.ExtendedRights -like “*Send-As*”)}
    If all configuration are correct, please restart the Microsoft Exchange Information Store service in Exchange server and create a new profile in Outlook to have a try.
    Thanks,
    Winnie Liang
    TechNet Community Support

Maybe you are looking for