Article ID: 907434 - View products that this article applies to.
You explicitly configure the Send As right on a user object in the Active Directory Users and Computers snap-in in Microsoft Exchange Server. However, the Send As right is removed from the user object about one hour after you configure the Send As right.
Additionally, other changes that you made to the security descriptor on the user object may be removed. For example, the Allow inheritable permissions from parent to propagate to this object check box may no longer be selected.
If you have an environment that includes Microsoft Exchange Server 5.5 and a functioning Active Directory Connector (ADC), Exchange Server 5.5 mailboxes that are configured to use Active Directory user accounts that are members of protected groups may appear as "CUSTOM" in the Exchange Server 5.5 Administrator program.
The Active Directory directory service has a process that makes sure that members of protected groups do not have their security descriptors manipulated. If a security descriptor for a user account that is a member of a protected group does not match the security descriptor on the AdminSDHolder object, the user's security descriptor is overwritten with a new security descriptor that is taken from the AdminSDHolder object.
The Send As right is delegated by modifying the security descriptor of a user object. Therefore, if the user is a member of a protected group, the change is overwritten in about one hour.
We recommend that you do not use accounts that are members of protected groups for e-mail purposes. If you require the rights that are afforded to a protected group, we recommend that you have two Active Directory user accounts. These Active Directory accounts include one user account that is added to a protected group and one user account that is used for e-mail purposes and at all other times.
The following information can help you work around the problem in which Exchange Server 5.5 mailboxes appear as "CUSTOM" for the user in the Exchange Server 5.5 Administrator program. The workaround relies on the fact that the SELF access control entries (ACEs) should be present on the user object when the user object is replicated to Active Directory by the Active Directory Connector (ADC).
You can use the Dsacls.exe utility to add the entries that are being stripped off the user objects. To do this, change the AdminSDHolder permissions. Then, add the entries that you want. Because all the entries use the security principal SELF, this workaround should not introduce any security problems.
Note You must run the Dsacls.exe utility one time to add the one access control entry that is missing from the AdminSDHolder security descriptor. For example, if you want to add six different entries, you may run the Dsacls.exe utility six times.
The following workaround changes the AdminSDHolder object. Then, the AdminSDHolder object is propagated to each user account that is a member of a protected group. Follow these steps:
926666If you do this, you must prevent the AdminSDHolder from overwriting permissions that are granted to a BlackBerry Services account on protected groups. To do this, create a batch file that contains the following code:
(http://support.microsoft.com/kb/926666/ )Update for daylight saving time changes in 2007 for Exchange 2003 Service Pack 2
Note In this batch file, BlackBerrySA is a placeholder for name of the BlackBerry Service account. If you have accounts in multiple domains, you can also specify the domain in the command line by using the following format:Domain\BlackberrySA.
Alternatively, we recommend that you do not use accounts that are members of protected groups for e-mail purposes. If you must have the rights that are given to a protected group, we recommend that you have two Active Directory user accounts. These Active Directory accounts include one user account that is added to a protected group, and one user account that is used for e-mail purposes and at all other times.
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
For more information about how to delegate "Send As" rights to a user account, click the following article number to view the article in the Microsoft Knowledge Base:
281208For more information about the AdminSDHolder object, click the following article numbers to view the articles in the Microsoft Knowledge Base:
(http://support.microsoft.com/kb/281208/ )How to grant a user "Send As" rights in Exchange Server 5.5 and Exchange 2000
(http://support.microsoft.com/kb/232199/ )Description and update of the Active Directory AdminSDHolder object
817433The location of the AdminSDHolder object is as follows:
(http://support.microsoft.com/kb/817433/ )Delegated permissions are not available and inheritance is automatically disabled
CN=AdminSDHolder,CN=System,DC=MyDomain,DC=ComNote Replace DC=MyDomain,DC=Com in this path with the distinguished name of your domain.
The following list contains the protected groups in Windows 2000:
(http://support.microsoft.com/kb/327825/ )New resolution for problems with Kerberos authentication when users belong to many groups
Article ID: 907434 - Last Review: October 25, 2007 - Revision: 10.4
Contact us for more help
Connect with Answer Desk for expert help.