"Send on behalf" permission is not assigned to a user after you delegate access in Outlook

This article was previously published under Q329622
This article has been archived. It is offered "as is" and will no longer be updated.
When you use Microsoft Outlook to try to delegate access to your mail folders to another user, the user to whom you delegate this access may not receive the "Send on behalf" permission. When you click Delivery Options on the Exchange General tab of your user account properties, the account to whom you tried to delegate access may not be listed in the Grant this permission to list under Send on behalf.
This problem may occur if your MAPI client program points to a global catalog server that is in a domain other than that of your user account.

Global catalogs are chosen based on the site in which the Exchange server resides. Exchange determines to which site it belongs, locates all global catalogs in the site, and then distributes them to MAPI clients to use for directory queries. However, although the global catalog contains a list of all objects in the Active Directory forest, it only contains a read-only copy of objects in other domains. In this case, this is the domain that contains your user account.

When the Name Service Provider Interface (NSPI) that MAPI uses for directory queries contacts the global catalog server in a domain other than that which contains your user account, it obtains a read-only copy of the object. When you try to change the properties of this read-only copy of the object, you are unsuccessful.
To work around this problem, use one of the following methods:
  • Have an Exchange administrator grant the required "Send on behalf" access. To do this, the administrator should follow these steps:
    1. Access the properties of the mailbox owner user object through the Active Directory Users and Computers management console on an Exchange server or an Exchange System Administrator workstation.
    2. In the Exchange General/Delivery Options dialog box, add the delegate account to the Send on behalf list.
  • Move the mailbox-enabled user to the same domain to which the Exchange 2000 Server-based computer belongs.
  • Configure mailboxes to use a global catalog that is in the same domain as their own mailbox-enabled user object.

    Note This method affects only those Outlook clients that connect by using MAPI.
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 How to back up and restore the registry in Windows
For scalability and resilience, the local Active Directory domain is replicated between sets of domain controllers. However, some programs and services such as Exchange 2000 require access to a full listing of the objects in Active Directory to perform forest-wide queries. Global catalog servers exist for this purpose. Any domain controller can become a global catalog server. Global catalog servers hold the configuration and schema naming contexts for the forest. This is a complete replica (read/write) of the domain-naming context in which the server is installed, and a partial replica (read-only) of all other domains in the forest. A partial replica indicates that although every domain object is represented in the global catalog, only a limited number of attributes for that object are replicated to it. For example, although the user "Joe User" is represented in the global catalog, his telephone number is not, although "Joe's" telephone number has been entered into the Active Directory.For more information about how MAPI clients use Active Directory, click the following article number to view the article in the Microsoft Knowledge Base:
256976 How MAPI clients access Active Directory
On an Exchange 2000 Server-based computer with Service Pack 1 or later installed, you can view the global catalog servers that it distributes to MAPI clients:
  1. Start Exchange System Manager. To do this, click Start, point to Programs, point to Microsoft Exchange, and then click System Manager.
  2. Expand Administrative Groups if Administrative Groups is enabled, expand Servers, right-click the Exchange 2000 Server-based computer that you want to view, and then click Properties.
  3. Click the Directory Access tab, and then click Global Catalog Servers in the Show list.
On Microsoft Outlook 2000 SR-1 and later clients, you can use Registry Editor to view the global catalog server that is used:
  1. Click Start, click Run, type regedit in the Open box, and then click OK.
  2. Click the following registry subkey:
    HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\dca740c8c042101ab4b908002b2fe182
  3. In the right pane, the global catalog server to which Outlook points is listed in the Data column.
  4. Quit Registry Editor.

Article ID: 329622 - Last Review: 12/07/2015 12:45:42 - Revision: 3.3

Microsoft Exchange 2000 Server Standard Edition

  • kbnosurvey kbarchive kbbug kbpending kbui KB329622