Problem solve Get help with specific problems with your technologies, process and projects.

Exchange Server permissions patch may disrupt mobile messaging

An Exchange Server patch that changes the way "Full Mailbox Access" and "Send As" permissions work can also disrupt BlackBerry, GoodLink, and other mobile messaging services.

A Microsoft patch for Exchange 2000 and Exchange 2003 that changes the way "Full Mailbox Access" and "Send As" permissions work can also disrupt BlackBerry, GoodLink, and other mobile messaging services.

Do you have the patch?

The patch's permission changes are integrated into the Exchange Server message store (store.exe). Exchange admins who apply the message store update to take care of unrelated issues are often surprised when permissions-related problems manifest.

The change was first made to version 6619.4 of the store.exe file found in Exchange 2000 Server, and will be present in all subsequent versions. This version was first made available in Microsoft Knowledge Base article 915358, A hotfix is available to change the behavior of the Full Mailbox Access permission in Exchange 2000 Server.

Figuring out whether or not the patch has been applied to Exchange Server 2003 is a little trickier. For servers running Exchange 2003 with Service Pack 1, the patch will be present in version 7233.51 and higher of store.exe. However, if you're running Exchange 2003 with Service Pack 2, the patch is present in store.exe versions 7650.23 and higher.

Exchange 2003 Service Pack 2 does not contain the patch. Therefore, if you are currently running the patch under Service Pack 1, and you decide to upgrade to Service Pack 2, you will have to apply the Service Pack 2 version of the patch. Instructions for obtaining the necessary Exchange 2003 hotfix can be found in Microsoft Knowledge Base article 895949, "Send As" permission behavior change in Exchange 2003.

The patch's purpose and problem

Previously, if a user was granted "Full Mailbox Access" permission to another user's mailbox, the user would have "Send As" rights as well. The patch separates the "Full Mailbox Access" permission from the "Send As" permission, so that granting "Full Mailbox Access" permission to a user does not automatically allow the person to also send email on behalf of another user.

This change was made so that security could be preserved during disaster recovery situations. For example, consider a disaster recovery situation in which an administrator needed full mailbox access to all mailboxes in order to be able to salvage the mailbox contents. Before, the administrator could not be have "Full Mailbox Access" permission without also having "Send As" rights. The permissions patch helps reduce the chances of message spoofing.

The problem is that, in many organizations, the "Full Mailbox Access" permission is used in place of the "Send As" permission. So, if users have been granted the "Full Mailbox Access" permission, but not the "Send As" permission, they will no longer be able to send messages on behalf of other mailbox owners.

On the surface, you might expect that this change would only affect administrative assistants who typically send messages on behalf of busy executives. However, this change in permissions also tends to effect users who send email from mobile devices. Many mobile devices work by "impersonating" the mailbox owner and are especially susceptible to the change in the way that permissions work.

The solution

If updates to the message store cause mobile messaging problems or if you are concerned that you could start having problems the next time Exchange Server is updated, the solution is simple. All you have to do is to grant the "Send As" permission to any user who previously had the "Full Mailbox Access" permission and needs to be able to send mail on behalf of another user (either as part of their job or because of the way that your mobile messaging solution works).

If you have a lot of users, this probably sounds like a very tedious process, but Microsoft has made it easy by providing a script in Knowledge Base article 912918; it will export a list of all users who have the "Full Mailbox Access" permission, but who do not have a corresponding "Send As" permission.

Once you know which users may require the Send As permission, you can use Active Directory Users and Computers (ADUC) to assign the necessary permission:

  1. Begin the process by verifying that the Advanced Features is selected on the ADUC console's View menu.
  2. Now that the Advanced Features are enabled, right-click on the user account belonging to the mailbox owner and select Properties.
  3. Select the Security tab and click the Advanced button.
  4. Go to the Permissions tab and double-click on the user for whom you need to grant Send As permissions. If the user is not listed, click the Add button and specify the user's name.
  5. You should now see the "Permissions Entry for Users" dialog box. Select the Send As checkbox in the Allow column.
  6. Continually click OK until you have closed all of the open dialog boxes.

Full documentation of the issues discussed in this tip and more in-depth instructions on how to fix them can be found in the aforementioned Microsoft Knowledge Base article 912918, Users cannot send e-mail messages from a mobile device or from a shared mailbox in Exchange 2000 Server and in Exchange Server 2003.

About the author: Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Exchange Server, and has previously received Microsoft's MVP award for Windows Server and Internet Information Server (IIS). Brien has served as CIO for a nationwide chain of hospitals and was once responsible for the Department of Information Management at Fort Knox. As a freelance technical writer, Brien has written for Microsoft, TechTarget, CNET, ZDNet, MSD2D, Relevant Technologies and other technology companies. You can visit Brien's personal Web site at http://www.brienposey.com.
 

Dig Deeper on Enterprise mobile app strategy

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.

-ADS BY GOOGLE

SearchNetworking

SearchUnifiedCommunications

SearchSecurity

Close