Users Cannot Send Messages as a Public Folder After You Grant "Send As" Permissions

After you grant Send As permissions to a user in a child domain to send an e-mail message as a public folder that is located in a parent domain, the user cannot send e-mail messages as the public folder.

Additionally, when you configure security auditing, the following events may be logged in the Security log in Event Viewer:

Date: date
Source: Security
Time: Time
Category: Directory Service Access
Type: Failure Audit
Event ID: 565
User: domain\username
Computer: Server Name
Description: Object Open: Object Server: DS Object Type: publicFolder Object Name: CN=Folder1,CN=Microsoft Exchange System Objects,DC=domain2,DC=com New Handle ID: 0 Operation ID: {0,3774740} Process ID: 264 Primary User Name: ServerName$ Primary Domain: domain Primary Logon ID: (0x0,0x3E7) Client User Name: username$ Client Domain: domain Client Logon ID: (0x0,0x390E2F) Accesses Read Property Privileges -

This problem may occur if all the following conditions are true:

• You granted the Send As permission to the user in the properties of the public folder.
• The user has a mailbox in a domain that is different from the public folder's domain.
• The user's Exchange server is located in a site that does not contain any domain controllers for the domain that hosts the public folder.

To work around this problem, use one of the following methods:

• Add the Exchange Domain Servers security group of the child domain with Read permissions to the Access Control List (ACL) of the Microsoft Exchange System Objects container in the parent domain. This method is the preferred method to work around this problem.
• Add the Authenticated Users security group with Read permissions to the Microsoft Exchange System Objects container and to all the child objects in that container.
• Add a Read Access Control Entry (ACE) to the Public Folder object in the Microsoft Exchange System Objects container.
• Move one domain controller from the parent domain to the user's Exchange 2000 server site.

To view the security permissions for the Microsoft Exchange System Objects container, use the ADSI Edit snap-in that is included with the Microsoft Windows 2000 Support Tools. To do so, follow these steps.

Warning If you use the ADSI Edit snap-in, the LDP utility, or any other LDAP version 3 client, and you incorrectly modify the attributes of Active Directory objects, you can cause serious problems. These problems may require you to reinstall Microsoft Windows 2000 Server, Microsoft Exchange 2000 Server, or both. Microsoft cannot guarantee that problems that occur if you incorrectly modify Active Directory object attributes can be solved. Modify these attributes at your own risk.
ADSI Edit is located on the Microsoft Windows 2000 Server or Microsoft Windows 2000 Advanced Server CD in the Support\Tools folder. To install this tool, run the Setup.exe program in this folder. For more information about the ADSI Edit snap-in, see the Support\Tools\Support.cab\W2rksupp.chm file in the Support\Tools folder.

1. After you install ADSI Edit, click Start, point to Programs, point to Windows 2000 Support Tools, point to Tools, and then click ADSI Edit.
2. Expand the Domain NC [server.domain.com] container, where server.domain.com is the fully qualified domain name (FQDN) of your server.
3. Expand DC=domain, DC=com.
4. Right-click CN=Microsoft Exchange System Objects, and then click Properties.
5. Click the Security tab to view the security permissions.

Because of the nature of the Exchange Domain Servers domain global security group and the Exchange Enterprise Servers domain local security group, access to certain Active Directory directory service attributes that are used in the delegation of public folders is not possible. Therefore, Exchange servers in a child domain cannot verify that the user has been granted "Send As" permissions for a public folder that is located in the parent domain.

The default permissions for the objects in the following object are Exchange-specific permissions and pre-Windows 2000 compatibility settings: These permissions do not work in this case because the object is being accessed from a different domain, and the Exchange Enterprise Servers security group cannot be expanded from that domain. Pre-Windows 2000 compatibility settings affect user access, but not publicFolder objects because they only apply to Group and User object classes. If you add the specific read ACE on the Microsoft Exchange System Object object and its child objects, delegation works.

To grant a user the Send As permissions for a public folder, follow these steps:

1. Start Exchange System Manager, and then locate the public folder.
2. Right-click the public folder, and then click Properties.
3. Click the Permissions tab, and then click Directory rights.
4. Add the user who you want to grant Send As permissions to, and then click the user in the Name list.
5. In the Allow column of the Permissions list, click to select the Send As check box.
6. Click Apply, and then click OK.
7. Right-click the public folder that you created, and then click Properties.
8. Under Exchange Advanced, click to clear the hide from Exchange address lists check box.
9. Type a name for the alias in the simple display name box.
10. Click OK.