Access denied when you try to give a user "send-as" or "receive-as" permission for a Distribution Group in Exchange Server 2010 or Exchange Server 2013

Applies to: Exchange Server 2013 Enterprise, Exchange Server 2013 Standard Edition, Exchange Server 2010 Enterprise


Assume that you create a Distribution Group on one Microsoft Exchange Server. In this situation, you cannot grant users the send-as or receive-as permission to the Distribution Group by using the Add-ADPermission cmdlet from other Exchange Servers. You receive the following error message:

Active Directory operation failed on <>. This error is not retriable. Additional information: Access is denied.
Active directory response: 00000005: SecErr: DSID-031521D0, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
+ CategoryInfo : WriteError: (0:Int32) [Add-ADPermission], ADOperationException
+ FullyQualifiedErrorId : 5557AD82,Microsoft.Exchange.Management.RecipientTasks.AddADPermission


By default, the Exchange Trusted Subsystem is not granted the "modify permissions" permission. This causes the Add-ADPermission cmdlet to fail with an Access Denied error.


To work around this issue, add the "modify permissions" permission for the Exchange Trusted Subsystem to the organizational unit (OU) that contains the Distribution Group by following these steps: 
  1. Open Active Directory Users and Computers.
  2. Click View, and then click Advanced Features.
  3. Right-click the OU that contains the distribution lists, and then click Properties.
  4. In the Security tab, click Advanced.
  5. In the Permissions tab, click Add.
  6. In the Enter object name to select box, type Exchange trusted subsystem, and then click OK.
  7. In the Object tab, select This object and all descendant objects in the Apply onto list, locate Modify Permissions in the Permissions list, and then set it to Allow.
  8. Click OK.
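
The same grant scripted in PowerShell, as an added example that is not part of the original article. It assumes the ActiveDirectory module (RSAT) is installed; the OU distinguished name and the CONTOSO domain name are placeholders. The script adds the entry only when an equivalent one is not already set on the OU, then lists the resulting entries for review.

```powershell
# Added example: scripted equivalent of steps 1-8 above.
# Assumptions: ActiveDirectory module available; OU DN and domain are placeholders.
Import-Module ActiveDirectory

$ouDn      = 'OU=Distribution Groups,DC=contoso,DC=com'   # placeholder OU
$principal = 'CONTOSO\Exchange Trusted Subsystem'         # placeholder domain name

# Resolve the group to a SID so comparisons do not depend on name formatting.
$account = New-Object System.Security.Principal.NTAccount($principal)
$sid     = $account.Translate([System.Security.Principal.SecurityIdentifier])

# "Modify Permissions" in the GUI corresponds to the WriteDacl right;
# "This object and all descendant objects" corresponds to inheritance type All.
$rights      = [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl
$allow       = [System.Security.AccessControl.AccessControlType]::Allow
$inheritance = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All

$path = "AD:\$ouDn"
$acl  = Get-Acl -Path $path

# Returns the Allow/WriteDacl entries held by the group on this OU.
function Get-MatchingAce($security) {
    $security.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object {
            $_.IdentityReference.Value -eq $sid.Value -and
            $_.AccessControlType -eq $allow -and
            ($_.ActiveDirectoryRights -band $rights) -eq $rights
        }
}

# Add the entry only if no explicit, fully inherited equivalent exists on the OU.
$explicit = Get-MatchingAce $acl |
    Where-Object { -not $_.IsInherited -and $_.InheritanceType -eq $inheritance }

if (-not $explicit) {
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, $rights, $allow, $inheritance)
    $acl.AddAccessRule($ace)
    Set-Acl -Path $path -AclObject $acl
}

# Re-read the ACL and show what the group now holds on the OU.
Get-MatchingAce (Get-Acl -Path $path) |
    Format-Table IdentityReference, ActiveDirectoryRights, InheritanceType, IsInherited -AutoSize
```

Running it from an account that can already modify permissions on the OU is required, as with the GUI steps.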