The Send-As permission for objects in Exchange is set on the AD object (rather than on the mailbox itself). Normally, the weapon of choice is the Add-ADPermission cmdlet, but interestingly that cmdlet is only available if you have some serious Exchange permissions: Organization Management. What you’re actually doing, though, requires fairly low-level AD permissions; you’re just modifying some attributes on an object. So I did some investigation and came up with a function to set Send-As permissions without using Add-ADPermission.
Here’s the function, with an explanation following:
function Set-MigrationSendAs {
    [CmdletBinding()]
    param (
        [Microsoft.Exchange.Data.Directory.Management.Mailbox]$MailboxToGivePermissionTo,
        [Microsoft.Exchange.Data.Directory.Management.Mailbox]$TargetMailbox,
        [switch]$Deny=$false
    )
    # GUID of the Send-As extended right (the ObjectType of the ACE)
    [string]$SendAsACLGuid="ab721a54-1e2f-11d0-9819-00aa0040529b"
    # Requires the ActiveDirectory module (for the AD: drive used by Get-Acl/Set-Acl)
    Write-Verbose "Setting Send-As Permission"
    Write-Verbose "Setting As Deny Permission : $Deny"
    If (!((Get-Module | Select-Object -ExpandProperty Name) -contains "ActiveDirectory")) {
        Write-Verbose "Importing Active Directory Module"
        Try {
            # -ErrorAction Stop makes an import failure terminating so the Catch block runs
            Import-Module ActiveDirectory -ErrorAction Stop
        } Catch {
            Write-Error "Unable to import Active Directory module. Exiting"
            Exit
        }
    }
    # Read the current ACL of the target mailbox's AD object
    $TargetACL=get-acl "AD:$($TargetMailbox.DistinguishedName)"
    $SendAsObjectGuid=New-Object Guid $SendAsACLGuid
    # SID of the AD account that will receive Send-As
    $IdentitySid = [System.Security.Principal.SecurityIdentifier] (($MailboxToGivePermissionTo | Get-User).Sid)
    $ADRights = [System.DirectoryServices.ActiveDirectoryRights] "ExtendedRight"
    if ($Deny) {
        $Type = [System.Security.AccessControl.AccessControlType] "Deny"
    } else {
        $Type = [System.Security.AccessControl.AccessControlType] "Allow"
    }
    # Build the ACE, add it to the ACL and write the ACL back
    $ACE = new-object System.DirectoryServices.ActiveDirectoryAccessRule $IdentitySid,$ADRights,$Type,$SendAsObjectGuid
    $TargetACL.AddAccessRule($ACE)
    Set-ACL -AclObject $TargetACL -Path "AD:$($TargetMailbox.DistinguishedName)"
}
The parameters are fairly straightforward: the mailbox that is being granted the permission, and the mailbox the permission is being granted on.
    [Microsoft.Exchange.Data.Directory.Management.Mailbox]$MailboxToGivePermissionTo,
    [Microsoft.Exchange.Data.Directory.Management.Mailbox]$TargetMailbox,
It also takes a switch parameter controlling whether the Send-As permission should be “allow” (the default) or “deny”.
Next, the script makes sure the ActiveDirectory module is imported, as the ACL manipulation it does depends on that module.
If (!((Get-Module | Select-Object -ExpandProperty Name) -contains "ActiveDirectory")) {
    Write-Verbose "Importing Active Directory Module"
    Try {
        Import-Module ActiveDirectory -ErrorAction Stop
    } Catch {
        Write-Error "Unable to import Active Directory module. Exiting"
        Exit
    }
}
This bit of code checks whether the module is imported and, if not, imports it. If the import fails for whatever reason, the script exits.
$TargetACL=get-acl "AD:$($TargetMailbox.DistinguishedName)"
$SendAsObjectGuid=New-Object Guid $SendAsACLGuid
The first command here gets the ACL on the $TargetMailbox’s AD object.
The second creates a new GUID object from the constant:
[string]$SendAsACLGuid="ab721a54-1e2f-11d0-9819-00aa0040529b"
This controls the type of ACE that is going to be created; this GUID represents the Send-As extended right.
$IdentitySid = [System.Security.Principal.SecurityIdentifier] (($MailboxToGivePermissionTo | Get-User).Sid)
$ADRights = [System.DirectoryServices.ActiveDirectoryRights] "ExtendedRight"
if ($Deny) {
    $Type = [System.Security.AccessControl.AccessControlType] "Deny"
} else {
    $Type = [System.Security.AccessControl.AccessControlType] "Allow"
}
Here another set of needed variables is created: the SID of the AD account of the mailbox ($IdentitySid), and objects representing the kind of ACE it is ($ADRights) and whether it is a deny or an allow ($Type).
$ACE = new-object System.DirectoryServices.ActiveDirectoryAccessRule $IdentitySid,$ADRights,$Type,$SendAsObjectGuid
$TargetACL.AddAccessRule($ACE)
Set-ACL -AclObject $TargetACL -Path "AD:$($TargetMailbox.DistinguishedName)"
These last three commands are the meat of the change.
First, a new ACE is created from the variables built earlier.
This ACE is added to the ACL of the $TargetMailbox.
The ACL on the $TargetMailbox is replaced with the new, modified ACL.
Send-As permission is good to go.
An example of running the script would be if we wanted to give Ororo Monroe Send-As access to Peter Rasputin’s mailbox. If the function above was saved in a file called “c:\temp\Set-SendAs.ps1”, I’d enter the following commands into an Exchange Management Shell window:
. c:\temp\Set-SendAs.ps1
$SourceMailbox=Get-Mailbox ororo.monroe@contoso.com
$TargetMailbox=Get-Mailbox peter.rasputin@contoso.com
Set-MigrationSendAs -MailboxToGivePermissionTo $SourceMailbox -TargetMailbox $TargetMailbox
The first line dot-sources the file, importing the function into the current session (allowing me to use it). Then I get the mailboxes I want to use and pass them as parameters to the function.
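Because the change is written straight to the AD object’s ACL, it is worth reading the ACL back to confirm the ACE landed (and to audit who already holds Send-As on a mailbox before a migration). The function below is an added example and not part of the original post; the function name Get-MailboxSendAsAces is my own, it reuses the same Send-As GUID and AD: drive the page’s function uses, and it is meant to be run from an Exchange Management Shell.

```powershell
function Get-MailboxSendAsAces {
    [CmdletBinding()]
    param (
        [Parameter(Mandatory=$true)]
        [Microsoft.Exchange.Data.Directory.Management.Mailbox]$TargetMailbox
    )
    # Same extended-right GUID the page's Set-MigrationSendAs writes as the ACE ObjectType
    $SendAsGuid = [Guid]"ab721a54-1e2f-11d0-9819-00aa0040529b"

    # The AD: drive used by Get-Acl comes from the ActiveDirectory module
    if (-not (Get-Module -Name ActiveDirectory)) {
        Import-Module ActiveDirectory -ErrorAction Stop
    }

    $acl = Get-Acl -Path "AD:$($TargetMailbox.DistinguishedName)"

    # Keep only ExtendedRight ACEs whose ObjectType is the Send-As GUID;
    # everything else on the object (GenericAll, other extended rights) is ignored here
    $acl.Access |
        Where-Object {
            ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
            ($_.ObjectType -eq $SendAsGuid)
        } |
        ForEach-Object {
            [PSCustomObject]@{
                Mailbox     = $TargetMailbox.PrimarySmtpAddress
                Identity    = $_.IdentityReference.Value   # who holds the right
                AccessType  = $_.AccessControlType         # Allow or Deny
                IsInherited = $_.IsInherited               # explicit ACE vs. inherited
            }
        }
}

# Example call (assumed mailbox, as in the post's worked example):
# Get-MailboxSendAsAces -TargetMailbox (Get-Mailbox peter.rasputin@contoso.com)
```

Deny entries show up alongside Allow entries, so a Deny set with -Deny on Set-MigrationSendAs is visible here too; a Deny ACE wins over an Allow for the same identity.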
Any chance you could post an example with test users? I’m fairly new to PowerShell so I apologize ahead of time. Thank you.
Hi. I’ve added an example above. Hope it helps!
Corrected the above code to remove references to Write-Log; I’ll write about that function later!