Wednesday, August 12, 2009

Exchange Send-As problem

While doing an Exchange migration between AD forests, logged in as my new account, I was able to give myself rights via Exchange and AD to my old mailbox in the old domain. The Exchange permissions were a snap; the only catch is that they had to be done via PowerShell, since the Exchange 2007 GUI doesn't let you 'pick' users from another forest. Granting the Send-As AD right is also done with PowerShell, such as

Add-ADPermission -Identity "brian smith" -User newADDom\bsmith -ExtendedRights Send-As

However, every 15 minutes or so I noticed that this right would vanish. I'd run
Get-ADPermission "Brian Smith" | ft -wrap > c:\Brian.txt
and notice there were no permissions for newADDOM\bsmith.

I found out one of the security restrictions is that Domain Admins and Enterprise Admins can't have "Send-As" rights to another mailbox. Therefore I have to remove myself from those groups in order to work in a Send-As scenario. Nice job Microsoft, way to use a 'best practice' guide as an excuse not to fix a huge bug. There are workarounds, but they look too difficult to bother with for the short time before we migrate.

NOTE: you really have to make sure it's removed from all of the groups that are members of any of the other built-in groups.
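The Send-As ACE lives on the mailbox owner's AD user object, so the check worth running before granting it is whether that object is flagged adminCount=1, the marker for objects whose ACL AD periodically rewrites from the AdminSDHolder template. The script below is an added example, not from the original post: it runs in the Exchange 2007 Management Shell of the old forest, reports that flag and the direct group memberships, grants Send-As only if it is missing, and verifies the ACE the same way the post does with Get-ADPermission. The mailbox and account names are placeholders.

```powershell
# Added example, not from the original post. Run in the Exchange 2007 Management
# Shell of the OLD forest; the mailbox and account names are placeholders.
param(
    [string]$Mailbox = "Brian Smith",       # mailbox owner in the old forest
    [string]$Grantee = "newADDom\bsmith"    # account from the new forest
)

function Test-SendAs {
    param([string]$Identity, [string]$User)
    # True when an explicit (non-inherited) Allow ACE for $User carries Send-As
    $aces = Get-ADPermission -Identity $Identity | Where-Object {
        $_.User.ToString() -eq $User -and
        -not $_.IsInherited -and -not $_.Deny -and
        (@($_.ExtendedRights | ForEach-Object { $_.ToString() }) -contains "Send-As")
    }
    return (@($aces).Count -gt 0)
}

function Get-ProtectedStatus {
    param([string]$Identity)
    # adminCount=1 marks an object whose ACL AD periodically rewrites from the
    # AdminSDHolder template; that rewrite drops a manually added Send-As ACE.
    $dn  = (Get-Mailbox -Identity $Identity).DistinguishedName
    $obj = [ADSI]"LDAP://$dn"
    New-Object PSObject -Property @{
        DistinguishedName = $dn
        AdminCount        = [int]($obj.adminCount | Select-Object -First 1)
        MemberOf          = @($obj.memberOf)
    }
}

$status = Get-ProtectedStatus -Identity $Mailbox
if ($status.AdminCount -eq 1) {
    Write-Warning "$Mailbox is flagged adminCount=1; a Send-As ACE added here will be stripped again."
    Write-Warning ("Direct group memberships: " + ($status.MemberOf -join "; "))
}

# Grant only when the explicit ACE is absent, then re-check it the way the post does
if (-not (Test-SendAs -Identity $Mailbox -User $Grantee)) {
    Add-ADPermission -Identity $Mailbox -User $Grantee -ExtendedRights Send-As | Out-Null
}
"Send-As for $Grantee on '$Mailbox' present: " + (Test-SendAs -Identity $Mailbox -User $Grantee)
```

Removing the object from the protected groups does not clear adminCount by itself; re-run the script afterwards to confirm the flag is gone before relying on the ACE.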
