PowerShell: Setting Exchange Send-As Permissions without Using the Add-ADPermission cmdlet

The Send-As permission for Exchange recipients is stored on the recipient's AD user object (as an entry in that object's DACL), rather than in the mailbox itself. Normally the weapon of choice is the Add-ADPermission cmdlet, but interestingly that cmdlet is only available to you if you have some serious Exchange permissions (Organization Management). What you're actually doing, though, needs only fairly low-level AD permissions: you are modifying the DACL of one object, which takes WRITE_DAC ("Modify permissions") on that object and nothing from Exchange RBAC at all. So I did some investigation and came up with a function that sets Send-As permissions without using Add-ADPermission. The flip side is worth remembering: anyone who holds WRITE_DAC on your user objects can grant Send-As the same way, so the AD ACLs on recipient objects are the real control here, not the Exchange role assignments.

Here’s the function, with an explanation following it:

function Set-MigrationSendAs
{
    [CmdletBinding()]
    param
    (
        [Parameter(Mandatory=$true)]
        [Microsoft.Exchange.Data.Directory.Management.Mailbox]$MailboxToGivePermissionTo,
        [Parameter(Mandatory=$true)]
        [Microsoft.Exchange.Data.Directory.Management.Mailbox]$TargetMailbox,
        [switch]$Deny=$false
    )
    # rightsGuid of the Send-As extended right (CN=Send-As,CN=Extended-Rights in the configuration partition)
    [string]$SendAsACLGuid="ab721a54-1e2f-11d0-9819-00aa0040529b"
    # Requires the ActiveDirectory module: it provides the AD: drive that Get-Acl/Set-Acl are pointed at below
    Write-Verbose "Setting Send-As Permission"
    Write-Verbose "Setting As Deny Permission : $Deny"
    If (!(Get-Module -Name ActiveDirectory))
    {
        Write-Verbose "Importing Active Directory Module"
        Try
        {
            # -ErrorAction Stop makes a failed import a terminating error so the Catch block runs
            Import-Module ActiveDirectory -ErrorAction Stop
        }
        Catch
        {
            # throw (not Exit): stop this function without closing the shell it was dot-sourced into
            throw "Unable to import Active Directory module: $_"
        }
    }
    # Security descriptor of the target user's AD object (the mailbox itself holds no Send-As data)
    $TargetACL=Get-Acl "AD:$($TargetMailbox.DistinguishedName)"
    $SendAsObjectGuid=New-Object Guid $SendAsACLGuid
    # The trustee is the AD account behind the grantee mailbox, identified by SID
    $IdentitySid = [System.Security.Principal.SecurityIdentifier] (($MailboxToGivePermissionTo | Get-User).Sid)
    # Send-As is an extended right, so the access mask is ExtendedRight; the GUID narrows it to Send-As
    $ADRights = [System.DirectoryServices.ActiveDirectoryRights] "ExtendedRight"
    if ($Deny)
    {
        $Type = [System.Security.AccessControl.AccessControlType] "Deny"
    }else
    {
        $Type = [System.Security.AccessControl.AccessControlType] "Allow"
    }
    # Object-specific ACE: trustee, ExtendedRight, Allow/Deny, ObjectType = Send-As GUID
    $ACE = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $IdentitySid,$ADRights,$Type,$SendAsObjectGuid
    $TargetACL.AddAccessRule($ACE)
    # Write the modified DACL back; this needs WRITE_DAC on the target object
    Set-Acl -AclObject $TargetACL -Path "AD:$($TargetMailbox.DistinguishedName)"
}

The parameters are fairly straightforward: the mailbox that is being granted the permission (the trustee, whose AD account will appear in the ACE) and the target mailbox whose AD object the permission is written to.

        [Microsoft.Exchange.Data.Directory.Management.Mailbox]$MailboxToGivePermissionTo,
        [Microsoft.Exchange.Data.Directory.Management.Mailbox]$TargetMailbox,

It also takes a switch, -Deny, that controls whether the Send-As ACE is an “allow” (the default) or a “deny”.

Next the function makes sure the ActiveDirectory module is loaded. Get-Acl and Set-Acl are core cmdlets, but the AD: PSDrive they are pointed at further down is supplied by that module.

    If (!(Get-Module -Name ActiveDirectory))
    {
        Write-Verbose "Importing Active Directory Module"
        Try
        {
            Import-Module ActiveDirectory -ErrorAction Stop
        }
        Catch
        {
            throw "Unable to import Active Directory module: $_"
        }
    }

This checks whether the module is loaded and imports it if not. -ErrorAction Stop turns a failed import into a terminating error so the Catch block actually runs; the function then throws, which stops it without closing the shell it was dot-sourced into (Exit would close that shell).

    $TargetACL=get-acl "AD:$($TargetMailbox.DistinguishedName)"
    $SendAsObjectGuid=New-Object Guid $SendAsACLGuid

The first command reads the security descriptor (owner, group, DACL, SACL) of the $TargetMailbox’s AD user object through the AD: drive; the DACL is the part we will modify.

The second creates a GUID object from the constant:

 [string]$SendAsACLGuid="ab721a54-1e2f-11d0-9819-00aa0040529b"

This is the rightsGuid of the Send-As extended right (the controlAccessRight object CN=Send-As under CN=Extended-Rights in the forest’s configuration partition). It goes into the ObjectType field of the ACE, which is what turns a generic “ExtendedRight” entry into one that applies only to Send-As.
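Because the constant is just a GUID, it is worth confirming what it refers to before trusting it. The following is an added example (not code from the original post) that looks an extended right up in the forest’s Extended-Rights container using the ActiveDirectory module; Get-ExtendedRight is a name assumed for this example.

```powershell
# Added example, not part of the original post. Resolves an extended-right GUID
# (or display name) to the controlAccessRight object that defines it, so the
# constant used above can be checked against the directory. Assumes the
# ActiveDirectory module and read access to the configuration partition
# (authenticated users have that by default).
Import-Module ActiveDirectory -ErrorAction Stop

function Get-ExtendedRight
{
    [CmdletBinding(DefaultParameterSetName="ByGuid")]
    param
    (
        [Parameter(Mandatory=$true, ParameterSetName="ByGuid")]
        [Guid]$RightsGuid,
        [Parameter(Mandatory=$true, ParameterSetName="ByName")]
        [string]$DisplayName
    )
    # Extended rights live under CN=Extended-Rights in the forest's configuration partition
    $configNC   = (Get-ADRootDSE).configurationNamingContext
    $searchBase = "CN=Extended-Rights,$configNC"

    # rightsGuid is stored as a string attribute, so filter on the textual GUID
    if ($PSCmdlet.ParameterSetName -eq "ByGuid")
    {
        $filter = "(&(objectClass=controlAccessRight)(rightsGuid=$($RightsGuid.ToString())))"
    }
    else
    {
        $filter = "(&(objectClass=controlAccessRight)(displayName=$DisplayName))"
    }

    Get-ADObject -SearchBase $searchBase -SearchScope OneLevel -LDAPFilter $filter `
        -Properties displayName, rightsGuid, validAccesses, appliesTo |
        Select-Object Name, displayName, rightsGuid, validAccesses, appliesTo
}

# The constant from Set-MigrationSendAs: this should come back as the Send-As right
Get-ExtendedRight -RightsGuid "ab721a54-1e2f-11d0-9819-00aa0040529b"

# Going the other way gives you the GUID you would need for the sibling Receive-As right
Get-ExtendedRight -DisplayName "Receive-As"
```

The validAccesses value on the returned object is 256, which is ADS_RIGHT_DS_CONTROL_ACCESS; that is why the ACE in the function is built with ActiveDirectoryRights.ExtendedRight rather than any other access mask.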

    $IdentitySid = [System.Security.Principal.SecurityIdentifier] (($MailboxToGivePermissionTo | Get-User).Sid)
    $ADRights = [System.DirectoryServices.ActiveDirectoryRights] "ExtendedRight"
    if ($Deny)
    {
        $Type = [System.Security.AccessControl.AccessControlType] "Deny"
    }else
    {
        $Type = [System.Security.AccessControl.AccessControlType] "Allow"     
    }

Here the remaining inputs for the ACE are built: the SID of the AD account behind the grantee mailbox ($IdentitySid, found via Get-User), the access mask ($ADRights, which is ExtendedRight because Send-As is an extended right) and whether the entry is an allow or a deny ($Type).

    $ACE = new-object System.DirectoryServices.ActiveDirectoryAccessRule $IdentitySid,$ADRights,$Type,$SendAsObjectGuid
    $TargetACL.AddAccessRule($ACE)
    Set-ACL -AclObject $TargetACL -Path "AD:$($TargetMailbox.DistinguishedName)"

These last three commands are the meat of the change.

First, a new ACE is created from the variables above: trustee SID, ExtendedRight, allow/deny and the Send-As GUID as the object type.

That ACE is added to the DACL held in $TargetACL. The function does not check first whether the trustee already has the right, so it is worth reading the DACL back before and after.

Set-Acl then writes the modified security descriptor back to the $TargetMailbox’s AD object. This is the step that needs the real permission: WRITE_DAC (“Modify permissions”) on that object, which is an AD permission, not an Exchange role.

Send-As permission is good to go, with two caveats. The change has to replicate to the domain controllers Exchange is talking to, and Exchange caches AD permission lookups, so it can take a while before the trustee can actually send as the target. And because nothing here touches Exchange RBAC, anyone who holds WRITE_DAC on your user objects can grant Send-As the same way, which is worth bearing in mind when reviewing delegated AD permissions.

An example of running the script would be if we wanted to give Ororo Monroe Send-As access to Peter Rasputin’s mailbox.  If the function above was saved in a file called “c:\temp\Set-SendAs.ps1” I’d enter the following commands into an Exchange Management Shell window;

. c:\temp\Set-SendAs.ps1
$SourceMailbox=Get-Mailbox ororo.monroe@contoso.com
$TargetMailbox=Get-Mailbox peter.rasputin@contoso.com
Set-MigrationSendAs -MailboxToGivePermissionTo $SourceMailbox -TargetMailbox $TargetMailbox

The first line imports the function into the current session (allowing me to use it).  Then I get the mailboxes I want to use and use them as parameters to the function.
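Once the ACE is written you will want to read it back, and sooner or later remove it. The following is an added example, not code from the original post: it assumes the same Exchange Management Shell session and ActiveDirectory module as the function above, and the names Get-MigrationSendAs and Remove-MigrationSendAs are assumed for this example. It also flags entries that grant Send-As without naming it (GenericAll, or ExtendedRight with no object type), which a search for the Send-As GUID alone would miss.

```powershell
# Added example, not part of the original post. Reads back and removes Send-As
# ACEs on a recipient's AD object. Assumes an Exchange Management Shell session
# with the ActiveDirectory module loaded (for the AD: drive), like the post's
# function. The function names are assumed for this example.
Import-Module ActiveDirectory -ErrorAction Stop

# Same constant as Set-MigrationSendAs: rightsGuid of the Send-As extended right
[Guid]$SendAsRightsGuid = "ab721a54-1e2f-11d0-9819-00aa0040529b"
$ExtRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$GenAll   = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

function Get-MigrationSendAs
{
    # Lists every ACE (explicit and inherited) that grants or denies Send-As on an AD object.
    [CmdletBinding()]
    param
    (
        [Parameter(Mandatory=$true)]
        [string]$TargetDistinguishedName
    )
    $acl = Get-Acl -Path "AD:$TargetDistinguishedName"
    # GetAccessRules(includeExplicit, includeInherited, identity type): ask for SIDs so
    # trustees that no longer resolve (deleted or foreign accounts) still show up.
    foreach ($rule in $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]))
    {
        $rights   = $rule.ActiveDirectoryRights
        $extended = ($rights -band $ExtRight) -ne 0
        if (($rights -band $GenAll) -eq $GenAll)                               { $scope = "GenericAll (covers Send-As)" }
        elseif ($extended -and $rule.ObjectType -eq $SendAsRightsGuid)         { $scope = "Send-As" }
        elseif ($extended -and $rule.ObjectType -eq [Guid]::Empty)             { $scope = "All extended rights (covers Send-As)" }
        else                                                                   { continue }

        # Resolve the SID to DOMAIN\name where possible, otherwise keep the raw SID
        try   { $trustee = $rule.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $trustee = $rule.IdentityReference.Value }

        [pscustomobject]@{
            Trustee   = $trustee
            Sid       = $rule.IdentityReference.Value
            Type      = $rule.AccessControlType   # Allow or Deny
            Scope     = $scope
            Inherited = $rule.IsInherited
        }
    }
}

function Remove-MigrationSendAs
{
    # Removes the explicit Send-As ACE for one trustee. Inherited entries cannot be
    # removed here; they have to be removed on the object they are inherited from.
    [CmdletBinding(SupportsShouldProcess=$true)]
    param
    (
        [Parameter(Mandatory=$true)]
        [string]$TargetDistinguishedName,
        [Parameter(Mandatory=$true)]
        [System.Security.Principal.SecurityIdentifier]$TrusteeSid,
        [switch]$Deny=$false
    )
    $path = "AD:$TargetDistinguishedName"
    $acl  = Get-Acl -Path $path
    if ($Deny) { $type = [System.Security.AccessControl.AccessControlType]::Deny }
    else       { $type = [System.Security.AccessControl.AccessControlType]::Allow }

    # Build an ACE identical to the one Set-MigrationSendAs adds and ask the DACL to remove it
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $TrusteeSid, $ExtRight, $type, $SendAsRightsGuid
    if (-not $acl.RemoveAccessRule($ace))
    {
        Write-Warning "No matching $type Send-As entry for $TrusteeSid on $TargetDistinguishedName; DACL unchanged"
        return
    }
    if ($PSCmdlet.ShouldProcess($TargetDistinguishedName, "Remove $type Send-As for $TrusteeSid"))
    {
        Set-Acl -AclObject $acl -Path $path
    }
}

# Usage, with the same mailboxes as the example above (-WhatIf shows what would be removed)
$Trustee = Get-Mailbox ororo.monroe@contoso.com
$Target  = Get-Mailbox peter.rasputin@contoso.com
Get-MigrationSendAs -TargetDistinguishedName $Target.DistinguishedName | Format-Table -AutoSize
Remove-MigrationSendAs -TargetDistinguishedName $Target.DistinguishedName `
    -TrusteeSid ([System.Security.Principal.SecurityIdentifier](($Trustee | Get-User).Sid)) -WhatIf
```

Run Get-MigrationSendAs before and after Set-MigrationSendAs to confirm the entry landed; you will normally also see entries you did not add (NT AUTHORITY\SELF and inherited ones), which is exactly why an audit of who can send as a mailbox should read the DACL rather than rely on what Exchange tooling reports.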

3 thoughts on “PowerShell: Setting Exchange Send-As Permissions without Using the Add-ADPermission cmdlet”

  1. Any chance you could post an example with test users? I’m fairly new to PowerShell so I apologize ahead of time. Thank you.
