Users no longer have Send As permissions

Similar Messages

• User does not have the propoer permissions to setup Networks

  Hi all,
  I was happily setting up networks and watching them be created in CPO from SE 3.01 Setup Wizard only to go back later and realize that a Cloud Portal Cancel Service Request had basically removed them all approximately 3 minutes after I had set them up!!!!
  It seems the user I was using didn’t have the correct authority to do this operation. See below…………
  System (External) on 08/03/2012 3:10 PM "[NT AUTHORITY\SYSTEM (03/08/2012 16:10:53) - Service request cancelled due to an error.
  Error Code: 1009
  Error Description: The remote server returned an error: (401) Unauthorized.
  User does not have proper authentication.
  Automation Summary URL: \\CPO-DEV-01.uktme.cisco.com\AutomationSummaries\20120803\9ca]"
  System (External) on 08/03/2012 3:10 PM "[TEO change request 'Add Network' was marked canceled by 'NT AUTHORITY\SYSTEM'.]"
  The interesting thing is that I am using the cloud admin setup in the wizard who belongs in the Cloud Provider OU and this OU seems to have all the correct setting ( I checked with a parallel working system) but it was missing the nsAPI user in the OU so I added this.
  One further clue is the I suspect steps 1 + 2 when using the wizard didn’t have connectivity from CCP to CPO at the time as the authentication wasn’t setup correctly but I though these step were REX internal to CCP only so this and CCP to CPO connectivity didn’t matter too much. Regardless we fixed this connectivity at this stage to proceed to step 3.
  Now I suspect in step 1 & 2 sets up some user accounts in CPO for these operations and I am nervous about going back and deleting the Cloud Admin account as I seem to remember another thread about this stating it was not possible.
  Any thoughts experts please?
  Cheers

  Hello Michael,
  I have spent the whole day on the same problem then you, which forced me to check all the aspects of my 3.0.1 Starter Edition Lab installation :
  - nsapiuser declaration in the CPO logins
  - nsapiuser member or not of the Cloud Technical administrators (thank you, chaotic documentation...)
  - IIS authentication mechanisms for RequestCenter virtual folder (disabled by default in IIS 7.5)
  But none of them solved the error.
  The closest information I get (I suppose) is from the CPO activities view, where I finally touched the process that fails:
  I did not found the solution yet, but I am sure it is there that the Portal fails to authenticate the data from the Orchestrator.
  Best regards,
  David

• My users no longer have permission to access their folders

  My users can log onto the server and see their folders, but they cannot access them. All folders appear with the "no entry" sign on them. Our servers hard drive recently failed and was replaced. This is when the problem started. What do I do?

  Can you tell if it's Time Machine that's showing that error message?  I took a look at item C5 in Time Machine Troubleshooting.  It specifically refers to Leopard (OS X 10.5), which is another confirmation that the old advice you found about that hidden file no longer applies.
  yep. it's time machine. when it tries to back up and fails, a message displays about it being read-only and to go ahead and repair it or reformat it. if i go to time machine prefs and select that drive to use for backup, that's when the other message about "necessary read, write and append privileges" displays.
  So you mean the Desktop icons for the mounted Time Capsule disk, etc.  The icon for the volume containing the "sparsebundle" files should have an AirPort fan, not a network volume icon with the three people.  Item B4 of Time Machine Troubleshooting mentions that, although I'm not sure the advice given there would be useful in your case.
  yep. i know, but that's what's there, nonetheless.
  If you launch AirPort Utility, put the Time Machine into "manual setup" mode, select the Disks panel, then the File Sharing tab, is "Enable file sharing" checked?  What is the setting for "Secure Shared Disks"?
  i checked and tinkered with this part already, too. it has always been set to enable. it originally had with "time capsule password", then i tried also with "disk password". now it's back to TC password. again, everything was fine a few days ago, and i haven't touched any airport or TM settings in probably a year or more.
  small update: i was able to get into the capsule's backups finally after a few more passes using disk repair, so i can see that it was happily backing up until the 1st, when i had the aforementioned problem with my laptop. i can't see this being mere coincidence, so i know i must've also damaged the permissions for the TM/TC at the same time.

• Send-As Permissions Randomly Failing.

  Exchange 2010 SP3 RU5
  I have a group mailbox may users have Send-As permissions to. Sending messages as the mailbox is failing randomly for many of the users. For example, UserA sends 3 messages within 10min, one of the 3 messages bounces with the NDR shown below. UserA can send
  more 10 messages the reset of the day without any issues. Then a few days later one of the messages he sends that day will bounce with the same type of NDR.
  On average there are 100+ messages sent from this mailbox each day, and probably 2 will fail.
  Any ideas on how to troubleshoot this would be appreciated.
  Delivery has failed to these recipients or groups:
  '[email protected]' <mailto:[email protected]>
  You can't send a message on behalf of this user unless you have permission to do so. Please make sure you're sending on behalf of the correct sender, or request the necessary
  permission. If the problem continues, please contact your helpdesk.
  Diagnostic information for administrators:
  Generating server:
  [email protected]
  #MSEXCH:MSExchangeIS:/DC=com/DC=Domain/DC=DSRoot:MBX01[578:0x000004DC:0x0000001D] #SMTP

  Hi,
  According to your description, I understand that the issue occurs randomly. Please double confirm the send as permission has been given for the users who have problems for sending from this mailbox.
  How many users have been given send as permission? Please send a test email again from this mailbox to check whether the issue can be reproduced for the problematic user. If the issue doesn’t occur when resending a message from this mailbox
  for the problematic user, please remove the send as permission for this user then add it back and
  restart the Microsoft Exchange Information Store service to have a try.
  Regards,
  Winnie Liang
  TechNet Community Support

• Prevent emails without send as permissions being sent

  Hello,
  If I don't have send as permissions and I try to send as someone it sends the message and I get a NDR. Is it possible to stop the email being sent so that you don't get the NDR?
  Once it is sent it's not in sent items so the original is lost. Any way to stop that happening?
  Thanks

  i dont understand as to why we need to send an email from some one with out permission ... its obviious that we will get the NDR if we send it with out permission and that is how is designed to restrict such activity
  I am not sure if there is any way to restrict in sending the mails and dont understand as to what you are achiving by doing this 
  Contributor of http://msexchangeteam.in/ *********Please mark as answer if my post answers your query. if you find it helpful please mark it as helpful*********

• Script to find out that users do not have inheritable permission checked

  Hi all,
  I just check our AD (windows 2003 R2) and some users have "allow inheritable permissions from the parent to propagate to this object and all child objects.  include these with entries expilitly defined here" checked  if I open active directory
  users and computers console and highlight this user and go to properties and select security and click advanced).  some users do not have ""allow inheritable permissions from the parent to propagate to this object and all child objects. " checked.
  Is there a way to script to find out which users do not have "allow inheritable permissions from the parent to propagate to this object and all child objects. .." checked?
  Thank you for your help.

  There are several ways to use ADO in a VBScript program. The alternative below uses an ADO command object, so we can specify a "Page Size". This overcomes the 1000 (or 1500) limit on records returned, as it turns on paging. I have also modified
  the script for comma delimited output. This script should be run at a command prompt so the output can be redirected to a text file. For example:
  cscript //nologo FindUsers.vbs > report.csv
  The modified script follows:
  Option Explicit
  Dim adoCommand, adoConnection, strBase, strFilter, strAttributes
  Dim objRootDSE, strDNSDomain, strQuery, adoRecordset, strNTName, strDN
  Dim objUser, objSecurityDescriptor, intNTSecDescCntrl, strInheritable
  Const SE_DACL_PROTECTED = &H1000
  ' Setup ADO objects.
  Set adoCommand = CreateObject("ADODB.Command")
  Set adoConnection = CreateObject("ADODB.Connection")
  adoConnection.Provider = "ADsDSOObject"
  adoConnection.Open "Active Directory Provider"
  Set adoCommand.ActiveConnection = adoConnection
  ' Search entire Active Directory domain.
  Set objRootDSE = GetObject("LDAP://RootDSE")
  strDNSDomain = objRootDSE.Get("defaultNamingContext")
  strBase = "<LDAP://" & strDNSDomain & ">"
  ' Filter on user objects.
  strFilter = "(&(objectCategory=person)(objectClass=user))"
  ' Comma delimited list of attribute values to retrieve.
  strAttributes = "distinguishedName,sAMAccountName"
  ' Construct the LDAP syntax query.
  strQuery = strBase & ";" & strFilter & ";" & strAttributes & ";subtree"
  adoCommand.CommandText = strQuery
  adoCommand.Properties("Page Size") = 500
  adoCommand.Properties("Timeout") = 30
  adoCommand.Properties("Cache Results") = False
  ' Run the query.
  Set adoRecordset = adoCommand.Execute
  ' Enumerate the resulting recordset.
  ' Write a header line.
  Wscript.Echo """NT Name"",""Distinguished Name"",""Allow inheritable permissions"""
  Do Until adoRecordset.EOF
  ' Retrieve values.
  strNTName = adoRecordset.Fields("sAMAccountName").Value
  strDN = adoRecordset.Fields("distinguishedName").Value
  strDN = Replace(strDN, "/", "\/")
  Set objUser = GetObject("LDAP://" & strDN)
  Set objSecurityDescriptor = objUser.Get("ntSecurityDescriptor")
  intNtSecDescCntrl = objSecurityDescriptor.Control
  If (intNtSecDescCntrl And SE_DACL_PROTECTED) <> 0 Then
  strInheritable = "Disabled"
  Else
  strInheritable = "Enabled"
  End If
  Wscript.Echo """" & strNTName & """,""" & strDN & """," & strInheritable
  ' Move to the next record in the recordset.
  adoRecordset.MoveNext
  Loop
  ' Clean up.
  adoRecordset.Close
  adoConnection.Close
  Richard Mueller
  MVP ADSI

• In 10.7, I No longer have permissions to files I created in 10.6

  I upgraded to Lion back in 2012 from Snow Leopard on my Macpro 1,1 (Because it can't go any higher than 10.7)
  And to Mountain Lion from Snow Leopard on my Macbook Pro 5,5.
  One EXTREMELY ANNOYING change that was made (and continuing in Mountain Lion) is that I no longer have permissions to my files that once belonged to me in Snow Leopard.
  And when upgrading from 10.5 to 10.6, this was never a problem.
  If I created files or folders within Snow Leopard, once I upgraded to Lion (and Subsequently Mountain Lion on my Newer Macbook Pro), I have lost my rights to those files.
  For example:
  When I try to delete files off my system, I have to enter the password for my Snow Leopard OS (the password on the OS when the file was created).  Luckily I didn't change it.  If I didn't know the password, I would not be able to delete the file from my computer.
  When I try to move a file or folder, instead of just Moving the location of the item, it creates a Copy instead, which takes up twice the space (Yes I know there are work arounds for this such as moving to the trash then recopying, but that still takes a lot of time).
  What are the fixes to this?
  Adjusting Share & Permissions in Info does not work.
  Fixing Permission within Disk utility does not work.
  Holding down the Command key also does nothing.
  The OS is saying I do not own the file so I have to have the password from the true owner to do anything to it.
  Please help.  This is extrememly cumbersome.

  Event Video Guy wrote:
  Could you further elaborate on this Migration Assistant?
  See How do I set up a new Mac from an old one, its backups, or a PC? for an explanation of the difference between Setup Assistant and Migration Assistant and links to the gory details of each. 
  Using Migration Assistant instead of Setup Assistant usualliy causes permissions problems, as detailed in the pink box in Problems after using Migration Assistant.
  But you didn't use either; you just copied things from one user account to a different one (it may have had the same name, but a different UID), resulting in the same problem. 
  I created a file using OSX Leopard.  I used a different password.  Then I saved the file as I detailed above to the external drive.
  I upgraded back to Mountain Lion and dragged the file back to my computer.  When I tried to move or delete the file, once again, it asked me for a password before I could delete the file.
  This time, it would only accept the password from my system, when the file was created.
  If I tried to type in my current Admin password, it would not move or delete.
  The version of OSX doesn't matter.  You must have used two different user accounts -- they might have had the same name, but different UIDs.
  One user, even an Admin user, doesn't normally have permission to a different user's files.
  This is very frustrating.
  No doubt.  Since you won't read the links that would fix the problem, you're not going to understand or be able to fix it.
  Again: One user, even an Admin user, doesn't normally have permission to a different user's files.
  Last time -- there are two very different things:
  • Repair Disk Permissions via Disk Utility works on files installed by OSX or the OSX installer; not files you created, and not files on a disk that doesn't have OSX installed. See About Disk Utility's Repair Disk Permissions feature.  
  • Resetting Password and/or Home Folder Permissions sets the permissions on files in a home folder to the defaults. 

• You can't send a message on behalf of this user unless you have permission to do so

  Hi,
  We are on Exchange 2010 SP2 with multiple domain name. All works ok. We need to be able to use other domains while sending email. For example, i have a default reply address set for [email protected] along with other addresses i.e [email protected] etc on
  policy. I am receiving emails and can reply only using [email protected] I get the following error if i try to send email from [email protected]
  [email protected]
  You can't send a message on behalf of this user unless you have permission to do so. Please make sure you're sending on behalf of the correct sender, or request the necessary permission. If the
  problem continues, please contact your helpdesk.
  Users should have the ability to choose an address as they need rather that fixing to a single 'set as reply address'. I am sure it is possible. Can some provide some help/direction?
  Thanks in advance.

  Hi Byron,
  Looked like a workable solution but could not get it to work. I am getting NDR with permission issue. I have created the distribution group with email address. Added the user in it. Given the user Full access and SEND AS permission. 
  Hi, I'm not sure what issue you are running into, but you can definitely give a user Send As permission for a group and then send as the group. I just verified in my test environment.
  To assign the Send As permission, the easy way it in AD User and Computers.
  Enable Advanced Features from the View menu first. This allows you to see the
  Security tab.
  In ADUC, find the group and open the Properties.
  On the Security tab, Add the user.
  With the user selected in the list, Allow the Send as
  permission.
  There may be a bit of lag time before that begins to work as Exchange may have cached some AD permissions, but it definitely works.
  Byron Wright (http://byronwright.blogspot.com)

• IDocumentQuery.Execute() method throws user does not have edit permissions exception

  I'm trying to query a document folder for all of its containing documents. Its a basic query like this:
  IPortletContext PortletContext = PortletContextFactory.CreatePortletContext(Request,Response);IRemoteSession PTSession;PTSession = PortletContext.GetRemotePortalSession();IDocumentManager documentManager = PTSession.GetDocumentManager();
  IDocumentQuery documentQuery = documentManager.CreateQuery(FolderID); documentQuery.SetSortProperty(ObjectProperty.Name);IObjectQuery queryResults = documentQuery.Execute();
  When I'm logged into the portal as an administrator, everything works fine. However if I'm logged in as a "regular" user, I get this exception when calling the Execute() method:
  Plumtree.Remote.PRC.PortalException: Exception of type Plumtree.Remote.PRC.PortalException was thrown. ---> System.Web.Services.Protocols.SoapException: Server was unable to process request. --> Access denied: Current user does not have edit permission
  I'm sending the Login Token to the portlet. Now I've tried giving the user Edit rights on the document folder as well as Edit the Knowledge Directory rights in the Activity Manager, but neither gets rid of the exception. I'm not sure what other "Edit" permissions to check. I don't even see why the user would need "Edit" permission to anything in the first place since the Execute() method simply returns an IObjectQuery that doesn't have any ability to make changes to any objects. I know that I could use the SearchFactory interface, but I wanted the results to be real time. Any help would be much appreciated. Thanks!
  Jimmy

  The problem here is that the query is created with default settings to show unapproved documents -- only users with edit access can see unapproved documents. Add the bold line to your code and it will work.
  IDocumentManager docManager = prcSession.GetDocumentManager();IDocumentQuery docQuery = docManager.CreateQuery(iFolderID);docQuery.SetShowUnapproved(false);IObjectQuery queryResults = docQuery.Execute()

• I'm trying to set up a iTunes allowance account for my 11 year old daughter, I set up the account but put in the wrong email address, now it's trying to send the verification email to an old addy I no longer have access to. Help.

  I'm trying to set up a iTunes allowance account for my 11 year old daughter, I set up the account but put in the wrong email address, now it's trying to send the verification email to an old addy I no longer have access to. Help.
  I've tried looking at my own itunes account but I cannot seem to find the allowance account, it says I currently have zero allowance accounts.
  All I want to do is change the assigned email address.

  Who is the email provider? Not all accounts can be set up as POP3

• How do I configure a user account to have 'logon as a service' permissions?

  How do I configure a user account to have ‘logon as a service’ permissions?
  This is for CRM application use and need to enable permission via GPO
  Microsoft TechNet Forum Bandara

  Hi,
  It seems that you know the group policy “Log on as a service” can achieve your goal, so I would like to confirm what do you want to ask?
  If you do not know the path of the group policy “Log on as a service” in domain, you may expend Computer Configuration\Windows Settings\Security
  Settings\Local Policies\User Rights Assignment\Log on as a service in GPMC.
  Regards,
  Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

• Cannot delegate Reporting Services Web access to domain user / group, User does not have required permissions

  Hi
  I have an SCCM 2012 SP1 CU3 installation on a Server 2008 R2 + SQL 2008 R2.
  I'm having trouble delegating Reporting Services Web Access to a standard domain user.
  I have followed the instructions from these blogs:
  http://blog.coretech.dk/kea/creating-the-reporting-user-role-in-configmgr-2012/
  http://www.wolffhaven45.com/blog/sccm/assigning-users-to-configmgr-reportusers-group-in-sccm-2012/
  No matter how I try, I cannot get the reports to show for a standard domain user. In the console no reports are showing and in the web access I get
  "User domain\user does not have required permissions........"
  The only thing that is consistenly working when I test is to put the AD Group on the Security Role "Full Administrator".
  Then everything will show up.
  Any ideas on how to troubleshoot this?

  Thanks everyone for helping me with tips. I have now solved the problem. It was the permissions from SCCM that did not replicate to the Reporting Server.
  In srsrp.log I got these error messages:
  Could not retrieve the reporting service name for instance 'MSSQLSERVER'
  Invalid class
  Could not stop the reporting serviceAfter googling a litte I found these 2 sites with similiar problems:http://social.technet.microsoft.com/Forums/en-US/d4a7f93a-506f-4e3f-b5fc-bd2b087277da/ssrs-permissions-do-not-add?forum=configmanagergeneral
  http://www.microtom.net/microsoft-system-center/software-distribution/sccm-2012-reporting-services-do-not-install
  So I ran the command for SQL 2008 R2: mofcomp.exe C:\Program Files (x86)\Microsoft SQL Server\100\Shared\sqlmgmproviderxpsp2up.mof
  and BAAM, everything started to work =)
  /ALX

• The logged in user does not have permissions to perform this operation

  OIM 11.1.2.0.4
  Connector: Microsoft Active Directory User Management 11.1.1.5.0
  Action: revoke a provisioned AD account (logged in user is XELSYSADM member of SYSTEM ADMINISTRATIONS role)
  Error message: IAM-2050243 : Orchestration process with id 5756, failed with error message IAM-4065011 : An error occurred in oracle.iam.provisioning.spi.DOBProvisioningMechanism/revoke(Account) while revoking account with id 1 for the user with key 43 and the cause of error is The logged in user does not have permissions to perform this operation..

  The problem is missing entries into table AAD, Provisioning API uses table AAD to check administrator's scope on the user's organization.
  TEST: following SQL statement should return at least a value
  select aad_write, aad_delete
  from aad aad
  , usr usr
  where aad.act_key = usr.act_key
  and usr.usr_key = <user_key_of_user_you_wanto_to_revoke>
  and aad.ugp_key in (
  select ugp.ugp_key
  from ugp ugp
  , usg usg
  where ugp.ugp_key = usg.ugp_key
  and usg.usr_key = <user_key_of_xelsysadm>
  BUG (in my case): if you create an Organization using a OIM user that does not have any Role (except default ALL USERS Role) the system does NOT add right entries into AAD table, so you can revoke account of users that are members of this Organization
  WORKAROUND: manually insert entries for all Organizations (ACT_KEYs) for the user XELSYSADM into AAD table
  FIX: always create an Organization using a OIM users with at least one Role except ALL USERS role

• Is it possible for a Web Part to interact with a list the user does not have permissions for?

  Say I have a custom web part that queries a list or adds list items, etc. Does the user have to have the equivalent permissions on the list itself to use the web part? Would the SPSecurity.RunWithElevatedPrivileges Method be a way to get around this? Or is
  there a better way?
  Basically I want certain users to have a more controlled access to a list. But if I try to access the page with the web part on an account without permissions for the list, I get an Access Denied response.

  One way of elevating code is, as you already mentioned, using SPSecurity.RunWithElevatedPrivileges which will run SPSecurity.CodeToRunElevated with Full Control rights. From MSDN documentation of the method for SP 2013 (http://msdn.microsoft.com/en-us/library/microsoft.sharepoint.spsecurity.runwithelevatedprivileges.aspx)
  you can see that this code runs under Application Pool identity:
      Type: Microsoft.SharePoint.SPSecurity.CodeToRunElevated
      A delegate method that is to run with elevated rights. This method runs under the Application Pool identity, which has site collection administrator privileges on all site collections hosted by that application pool.
  Another method, a bit more security fine-grained, can be used. The idea is to instantiate new SPSite object using overloaded constructor which takes Microsoft.SharePoint.SPUserToken as a parameter: http://msdn.microsoft.com/EN-US/library/ms469253(v=office.15).aspx.
  Example can be seen here: http://www.sharepointdeveloperhq.com/2009/04/how-to-programmatically-impersonate-users-in-sharepoint/. Using this approach, you can run your code in the context of the user who doesn't necessarily have to be site collection admin.
  This user can have only access to the list in question.

• I have checked all of my permissions and contiue to get this message after 68% mark when trying to install Adobe flash player. User does not have sufficient privileges to install adobe flash player. A required file (C:\windows\syswow64\macromed\flash\flas

  I have checked all of my permissions and contiue to get this message after 68% mark when trying to install Adobe flash player. User does not have sufficient privileges to install adobe flash player. A required file (C:\windows\syswow64\macromed\flash\flashplayer.xpt:5) could not be written due to insufficient permission.

  Perform a clean install as described in https://forums.adobe.com/thread/928315