Access denied when you try to give a user "send-as" or "receive-as" permission for a Distribution Group in Exchange Server

Applies to: Exchange Server 2013 Enterprise, Exchange Server 2013 Standard Edition, Exchange Server 2010 Enterprise

Symptoms

Assume that you create a Distribution Group on one Microsoft Exchange Server. In this situation, you cannot grant users the send-as or receive-as permission on the Distribution Group by using the Add-ADPermission cmdlet from other Exchange Servers. You receive a message such as the following:

Active Directory operation failed on <computer.domain.com>. This error is not retriable. Additional information: Access is denied.
Active directory response: 00000005: SecErr: DSID-031521D0, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
+ CategoryInfo : WriteError: (0:Int32) [Add-ADPermission], ADOperationException
+ FullyQualifiedErrorId : 5557AD82,Microsoft.Exchange.Management.RecipientTasks.AddADPermission

In this example, <computer.domain.com> represents the fully qualified domain name of the computer.

Cause

By default, Exchange Trusted Subsystem is not granted the "modify permissions" permission (the right to change an object's access control list). This causes the Add-ADPermission cmdlet to fail with an Access Denied error in some circumstances.
Specifically, this error occurs under either of the following circumstances:
  • If the admin user who makes the change has an associated mailbox, this error occurs if the Owner of the Active Directory group object being modified (the Exchange server on which the group was created) differs from the computer that hosts that mailbox.
  • If the admin user who makes the change does not have an associated mailbox, this error occurs if the Owner of the Active Directory group object being modified differs from the computer that hosts the arbitration mailbox (the arbitration mailbox has a name that resembles SystemMailbox{bb558c35-97f1-4cb9-8ff7-d53741dc928c}).

Resolution

To work around this issue, add the "modify permissions" permission for the Exchange Trusted Subsystem to the organizational unit (OU) that contains the Distribution Group, scoped to descendant group objects only. To do this, follow these steps:
  1. Open Active Directory Users and Computers.
  2. Select View > Advanced Features.
  3. Right-click the OU that contains the distribution lists, and then select Properties.
  4. Select Security > Advanced.
  5. Select Permissions > Add.
  6. In the Permissions Entry for <OU NAME> window, select Select a principal.
  7. In the Enter object name to select box, type Exchange Trusted Subsystem, and then select OK.
  8. In the Permissions Entry for <OU NAME> window, change the Applies to value to Descendant Group objects.
  9. To clear all permission selections that have been added by default, scroll to the bottom of the window and select Clear all.
  10. In the Permissions section of the window, select Modify permissions.
  11. To apply the permission and close all windows, select OK three times.
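The same change as the GUI steps above, scripted in PowerShell as an added example (it is not part of this article). It assumes the ActiveDirectory RSAT module is installed, that the OU distinguished name is a placeholder you replace with your own, and that the account running it may edit the OU's security descriptor.

```powershell
# Added example (not from the KB article): grant "Modify permissions" (WriteDacl)
# to Exchange Trusted Subsystem on an OU, applied to Descendant Group objects only.
Import-Module ActiveDirectory

# Placeholder: replace with the DN of the OU that holds the distribution groups.
$ouDn = 'OU=Distribution Groups,DC=contoso,DC=com'

# Exchange Trusted Subsystem is created in the forest root domain during Exchange setup.
$ets = Get-ADGroup -Identity 'Exchange Trusted Subsystem' -Server (Get-ADForest).RootDomain

# schemaIDGUID of the "group" object class; limits the ACE to Descendant Group objects,
# which is the equivalent of the "Applies to: Descendant Group objects" setting in ADUC.
$groupClassGuid = [Guid]'bf967a9c-0de6-11d0-a285-00aa003049e2'

# WriteDacl is the right that ADUC labels "Modify permissions".
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $ets.SID,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $groupClassGuid)

# Read the OU's current ACL, append the single ACE, and write it back.
$acl = Get-Acl -Path "AD:\$ouDn"
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# Verify: show only the WriteDacl entries for Exchange Trusted Subsystem on the OU.
(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object {
        $_.IdentityReference -like '*Exchange Trusted Subsystem' -and
        ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl)
    } |
    Format-Table IdentityReference, ActiveDirectoryRights, InheritanceType, InheritedObjectType
```

Keeping the inherited object type set to the group class matters: WriteDacl lets the holder rewrite permissions on whatever it applies to, so scoping the ACE to descendant group objects avoids extending that right to users, computers or other objects in the OU.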