The ability to change the way messages are processed in a
mailbox became a fundamental part of email system functionality a long
time ago. Exchange enables you to assign different levels of control
over mailboxes to influence the way messages are delivered to the
mailbox, who has the right to send messages from or on behalf of the
mailbox (there is a difference), or who has complete control over the
mailbox. These assignments can be made by changing mailbox properties
through Mail Flow Settings or by assigning different Active Directory
permissions to allow other accounts to impersonate or access contents
in the mailbox.
EAC provides three settings under the Mailbox Delegation section of a mailbox’s properties (Figure 1):
Grant Send As permission. You
can assign the ability to a user to send messages as if they were
generated by another user. This is often referred to as the
impersonation feature.
Grant Send On Behalf Of permission. You
can enable another user to send a message on behalf of a mailbox’s
owner. Exchange clearly indicates that the message is generated by one
user on behalf of another, so these messages are obviously different
from those sent using the Send As permission. Outlook users can
delegate the same permission to other users. Personal assistants who
support other people commonly use this feature.
Grant Full Access permission. You
can grant full control over the mailbox to any other mail-enabled
Windows user or to a security group. The steps necessary to assign Full
Access follow.
Tip
When you set the new permission, allow an hour or so before you attempt
to use it so that Exchange can refresh its Store cache from Active
Directory; you won’t be able to use the Send As permission until it is
acknowledged by the Store.
The difference between the Send
On Behalf Of and Send As features comes down to the degree of
impersonation used when a message is sent. When you use the Send On
Behalf Of feature, the messages that are delivered clearly indicate
that you have sent a message on behalf of someone else. This option is
most useful when it’s important to show that someone is assisting
another user to deal with her email. When you use the Send As feature,
the recipient sees no indication that you sent the message; it appears
to come from the person you impersonate. Usually, the Send As feature
is used for functional mailboxes that are shared by groups of users,
such as a mailbox dedicated to handling help desk queries.
Behind
the scenes, the Send On Behalf Of feature requires Exchange to
transport some additional information in the message header so that
clients can display the name of the user who actually generated the
message when the recipient views it. By comparison, the Send As feature
requires a user to possess the Active Directory permission to
impersonate someone else to send a message using his identity.
The process used to send messages with Send As permission varies from client to client. In the example shown in Figure 2,
I created a message using Outlook 2013 and added the EMEA Help Desk as
the sender in the From field. When the message was delivered, the user
read it with Outlook Web App, and the only trace of any sender
information is the EMEA Help Desk. In effect, the Send As feature
enables you to impersonate another user for sending email.
EMS
is also available to manipulate mailbox delegation permissions. To
begin, the equivalent EMS command to grant the Send On Behalf Of
permission shown in Figure 1 is:
Set-Mailbox -Identity 'Tude Palma' -GrantSendOnBehalfTo "Redmond, Tony"
If
you need to grant the Send On Behalf Of permission to several mailboxes
at one time, you can just input a list of the desired mailboxes to the
GrantSendOnBehalfTo parameter. For example:
Set-Mailbox -Identity 'Redmond, Tony' -GrantSendOnBehalfTo 'CEO Executive Assistant', 'Pelton, David', 'Akers, Kim'
Apart
from mailboxes, you can grant the ability to send messages on behalf of
distribution groups, dynamic distribution groups, and mail-enabled
contacts. EAC supports delegation on behalf of most recipient types (it
does not for resource mailboxes), but you can always achieve the
desired result with EMS. For example:
Set-DistributionGroup -Identity 'Legal Department' -GrantSendOnBehalfTo 'Pelton, David'
Naturally,
you can assign the Send As permission to an account with EMS, but it’s
a little more complex because you need to manipulate Windows
permissions rather than a simple Exchange property. The following code
assigns the permission for the Help Desk account to my account. Note
that it’s using the Windows account name (as shown in Active Directory
Users And Computers) rather than the Exchange display name or another
value. Again, this is because you’re manipulating Windows permissions
behind the scenes.
Add-ADPermission -Identity 'Help Desk' -ExtendedRights 'Send-As' -User 'Tony Redmond'
To revoke the permission, use a command like this:
Remove-ADPermission -Identity 'Help Desk' -User 'Tony Redmond' -InheritanceType 'All' -ExtendedRights 'Send-As' -ChildObjectTypes $Null -InheritedObjectType $Null -Properties $Null
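Because Send As leaves no trace of the real sender in the delivered message, it is worth reviewing periodically who holds each of the three delegation types described above. The following is an added example, not code from the original text: it reads Send As from Active Directory permissions, Send On Behalf Of from the GrantSendOnBehalfTo mailbox property, and Full Access from mailbox permissions, and combines them in one report. The report column names and the CSV file name are illustrative assumptions.

```powershell
# Added example. Run in the Exchange Management Shell (EMS).
# Report column names and the CSV file name are illustrative choices.
$report = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {

    # Send As: an Active Directory extended right on the mailbox object.
    # Trustees appear as Windows accounts (DOMAIN\name), not display names.
    Get-ADPermission -Identity $mbx.DistinguishedName |
        Where-Object {
            $_.ExtendedRights -like '*Send-As*' -and
            -not $_.IsInherited -and -not $_.Deny -and
            $_.User -notlike 'NT AUTHORITY\SELF'
        } |
        ForEach-Object {
            [pscustomobject]@{
                Mailbox    = $mbx.DisplayName
                Delegation = 'Send As'
                Trustee    = [string]$_.User
            }
        }

    # Send On Behalf Of: the GrantSendOnBehalfTo property of the mailbox.
    foreach ($delegate in $mbx.GrantSendOnBehalfTo) {
        [pscustomobject]@{
            Mailbox    = $mbx.DisplayName
            Delegation = 'Send On Behalf Of'
            Trustee    = [string]$delegate
        }
    }

    # Full Access: a mailbox permission read with Get-MailboxPermission.
    Get-MailboxPermission -Identity $mbx.DistinguishedName |
        Where-Object {
            $_.AccessRights -like '*FullAccess*' -and
            -not $_.IsInherited -and -not $_.Deny -and
            $_.User -notlike 'NT AUTHORITY\SELF'
        } |
        ForEach-Object {
            [pscustomobject]@{
                Mailbox    = $mbx.DisplayName
                Delegation = 'Full Access'
                Trustee    = [string]$_.User
            }
        }
}

# Review on screen, then keep a copy to compare against the next audit.
$report | Sort-Object Mailbox, Delegation | Format-Table -AutoSize
$report | Export-Csv -Path .\MailboxDelegation.csv -NoTypeInformation
```

Inherited entries and the mailbox owner's own SELF entry are filtered out so that the report lists only explicitly granted delegations.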