Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

Access denied when you try to give user "send-as" or "receive as" permission for a Distribution Group in Exchange Server



Symptoms

Assume that you create a Distribution Group on one Microsoft Exchange Server. In this situation, you cannot grant users the send-as or receive-as permission to the Distribution Group by using the Add-ADPermission cmdlet from other Exchange Servers. You receive a message such as the following:
 
Active Directory operation failed on <computer.domain.com>. This error is not retriable. Additional information: Access is denied.
Active directory response: 00000005: SecErr: DSID-031521D0, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
+ CategoryInfo : WriteError: (0:Int32) [Add-ADPermission], ADOperationException
+ FullyQualifiedErrorId : 5557AD82,Microsoft.Exchange.Management.RecipientTasks.AddADPermission

In this example, <computer.domain.com> represents the fully qualified domain name of the computer.



Cause

By default, Exchange Trusted Subsystem is not granted the "modify permissions" permission. This causes the Add-ADPermission cmdlet to fail with an Access Denied error in some circumstances. 
Specifically, this error will occur under either of the following circumstances:
  • If the admin user who makes the change has an associated mailbox, this error occurs if the Owner of the Active Directory group object being modified differs from the computer that hosts that mailbox.
  • If the admin user who makes the change does not have an associated mailbox, this error occurs if the Owner of the Active Directory group object being modified differs from the computer that hosts the arbitration mailbox (the arbitration mailbox has a name that resembles SystemMailbox{bb558c35-97f1-4cb9-8ff7-d53741dc928c}).



Resolution

To work around this issue, add the "modify permissions" permission for the Exchange Trusted Subsystem to the organizational unit (OU) that contains the Distribution Group. To do this, follow these steps: 
  1. Open Active Directory Users and Computers.
  2. Select View > Advanced Features.
  3. Right-click the OU that contains the distribution lists, and then select Properties.
  4. Select Security > Advanced.
  5. Select Permissions > Add.
  6. In the Permissions Entry for <OU NAME> window, select Select a principal.
  7. In the Enter object name to select box, type Exchange Trusted Subsystem, and then select OK.
  8. In the Permissions Entry for <OU NAME> window, change the Applies to value to Descendant Group objects.
  9. To clear all permission selections that have been added by default, scroll to the bottom of the window and select Clear all.
  10. In the Permissions section of the window, select Modify permissions.
  11. To apply the permission and close all windows, select OK three times.
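
The same grant as steps 1 to 11, scripted and then read back from the OU's ACL so the scope of the new entry can be confirmed. This is an added example, not part of the original KB article or Microsoft's code. It assumes the RSAT ActiveDirectory module, a group that resolves as 'Exchange Trusted Subsystem' in the current domain, and a placeholder OU distinguished name; the helper name Get-EtsGroupWriteDaclAce is hypothetical.

```powershell
# Added example (not from the KB article). Requires the RSAT ActiveDirectory module
# and an account that is allowed to change permissions on the OU.
Import-Module ActiveDirectory

$OuDn      = 'OU=Distribution Groups,DC=example,DC=com'    # placeholder DN (assumption)
$GroupGuid = [Guid]'bf967a9c-0de6-11d0-a285-00aa003049e2'  # schemaIDGUID of the "group" class
$Rights    = [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl  # "Modify permissions"
$SidType   = [System.Security.Principal.SecurityIdentifier]

# Resolve the principal once; comparing SIDs avoids name-translation mismatches.
$EtsSid = (Get-ADGroup -Identity 'Exchange Trusted Subsystem').SID

# Hypothetical helper: explicit ACEs on the OU that match the settings in the steps
# (Allow, Modify permissions, applies to descendant group objects only).
function Get-EtsGroupWriteDaclAce {
    param([string]$Dn)
    $acl = Get-Acl -Path "AD:\$Dn"
    $acl.GetAccessRules($true, $false, $SidType) | Where-Object {
        $_.IdentityReference -eq $EtsSid -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band $Rights) -eq $Rights -and
        $_.InheritanceType -eq 'Descendents' -and
        $_.InheritedObjectType -eq $GroupGuid
    }
}

# Add the ACE only if an equivalent one is not already present.
if (-not (Get-EtsGroupWriteDaclAce -Dn $OuDn)) {
    $ace = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $EtsSid,
        $Rights,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $GroupGuid)
    $acl = Get-Acl -Path "AD:\$OuDn"
    $acl.AddAccessRule($ace)
    Set-Acl -Path "AD:\$OuDn" -AclObject $acl
}

# Read the entry back: it should list only WriteDacl, inheritance "Descendents",
# and the group class GUID as the inherited object type.
Get-EtsGroupWriteDaclAce -Dn $OuDn |
    Format-List IdentityReference, ActiveDirectoryRights, InheritanceType,
                InheritedObjectType, IsInherited
```

If the read-back shows rights other than WriteDacl or an empty InheritedObjectType, the entry is broader than the one the steps describe and should be corrected.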



Keywords: add-adpermission, receive as permission, send-as permission, distribution group, exchange server, kbsurveynew, kbexpertiseadvanced, kbexpertiseinter, kbtshoot, 5557ad82, kb


Article Info
Article ID : 2983209
Revision : 12
Created on : 6/19/2019
Published on : 6/19/2019
Exists online : False