Understanding Send As Behavior in Exchange 2007
Applies to: Exchange Server 2007 SP3, Exchange Server 2007 SP2, Exchange Server 2007 SP1
Topic Last Modified: 2009-01-05
This topic explains how the Send As permission works in Microsoft Exchange Server 2007.
The Send As permission lets a user (UserA) send a message as the mailbox owner (UserB). In this scenario, even though UserA sent the message, the message appears to come from UserB and is sent from UserB's mailbox. This behavior differs from the behavior that occurs when a user (UserC) has the typical delegate access permission. In that scenario, UserC is assigned the Send on Behalf Of permission for a mailbox owner. When UserC sends a message for the mailbox owner, the following information appears in the From field of the message:
<DelegateName> on behalf of <MailboxOwnerName>
In earlier versions of Exchange, granting a user the Full Mailbox Access permission also granted that user permission to send messages as the mailbox owner. This meant that a user who had the Full Mailbox Access permission could send e-mail messages that appeared to be sent by the mailbox owner.
In Exchange 2007, users who are granted the Full Mailbox Access permission to a mailbox do not have Send As permission. Instead, the users have Send on Behalf Of permission for the mailbox owner. In this scenario, the users must be explicitly granted the Send As permission to send e-mail messages as the mailbox owner. The following list describes three exceptions to this rule:
The mailbox owner
The mailbox owner does not require the Send As permission for his or her own mailbox.
The associated external account
The associated external account for a mailbox does not require the Send As permission to send messages as the mailbox owner.
A delegate account that has Full Mailbox Access permission
If a delegate account also has Full Mailbox Access permission to a mailbox, the delegate user can send as the mailbox owner without having the Send As permission specified. By default, delegate accounts do not have Full Mailbox Access permission to the mailbox.
To send mail as the mailbox owner, other users who have been granted partial or full access to a mailbox must be explicitly granted the Send As permission for the mailbox owner account. This includes application service accounts that perform functions such as sending e-mail messages for mobile device users.
Note: The mailbox owner, the associated external account, or a delegate account that has Full Mailbox Access permission can send messages as the mailbox owner without explicit Send As permission. By default, the mailbox owner and the associated external account both have Full Mailbox Access permission; delegate accounts do not.
The Send As permission must be granted to the service account for each user object that owns a mailbox. You cannot grant the Send As permission on an Exchange server or on a database object to achieve the effect of granting the Send As permission for all the mailboxes that are hosted on the server or in the database.
This behavior occurs because the Send As permission is an Active Directory directory service permission that only applies to the Active Directory objects for which it is set. Granting the Send As permission on an Exchange database object gives Send As permission to the database itself. However, this action does not give Send As permission for the users who have mailboxes in the database.
Note: Granting the Receive As permission on an Exchange database is the functional equivalent of granting the Full Mailbox Access permission to every mailbox in that database, because the Receive As permission is inherited by all the mailboxes in the database. Granting the Send As permission on the database differs: it applies only to the database object itself and is not inherited by the mailboxes in the database.
To better understand the difference between the Receive As permission and the Send As permission, it may be helpful to think of all the mailboxes in a database as subfolders in a single mailbox folder (the "database" folder). If you have full access to the database, you receive inherited permissions to access all the contents in the database. This includes all the mailboxes.
However, the Send As permission applies to the identity of an Active Directory user object and not to mailbox content in a database. When e-mail messages are sent, they are not sent from a particular mailbox or database. Instead, they are sent from a particular user. The user may be the mailbox owner or may be assigned any other account that has the Send As permission.
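The following Exchange Management Shell script is an added example, not part of the original article, that carries out the two grants described above for a service account: Receive As once on the database object (inherited by every mailbox in it) and Send As individually on each mailbox-enabled user, because a Send As entry on the database would apply to the database object only. The account name and database name are assumptions; replace them with your own.

```powershell
# Added example (not from the original article). Run in the Exchange 2007
# Management Shell as an account allowed to change Active Directory ACLs on
# the user objects. All names below are assumptions.
$ServiceAccount = 'CONTOSO\svc-mobile'                           # assumed service account
$Database       = 'EXCH01\First Storage Group\Mailbox Database'  # assumed Server\SG\DB

# Receive As on the database object is inherited by every mailbox in it, so a
# single ACE gives the service account Full Mailbox Access to all of them.
Get-MailboxDatabase -Identity $Database |
    Add-ADPermission -User $ServiceAccount -ExtendedRights 'Receive-As' | Out-Null

# Send As is an Active Directory right on each user object. Granting it on the
# database object would give Send As for the database itself and nothing else,
# so it must be added to every mailbox-enabled user in the database.
$granted = @()
$skipped = @()
foreach ($mbx in Get-Mailbox -Database $Database -ResultSize Unlimited) {
    # Only count an explicit, non-inherited Allow entry as "already done", so
    # the script can be re-run without stacking duplicate ACEs.
    $existing = Get-ADPermission -Identity $mbx.DistinguishedName -User $ServiceAccount |
        Where-Object {
            (-not $_.IsInherited) -and (-not $_.Deny) -and
            ($_.ExtendedRights -like '*Send-As*')
        }
    if ($existing) {
        $skipped += $mbx.Alias
        continue
    }
    Add-ADPermission -Identity $mbx.DistinguishedName `
        -User $ServiceAccount -ExtendedRights 'Send-As' | Out-Null
    $granted += $mbx.Alias
}

"Send-As granted on {0} mailbox(es): {1}" -f $granted.Count, ($granted -join ', ')
"Send-As already present on {0} mailbox(es): {1}" -f $skipped.Count, ($skipped -join ', ')
```

Two caveats follow from the article's own point that Send As lives on the user object: a mailbox created in this database after the script runs gets no Send As entry until the script (or the same Add-ADPermission call) is run again, and a Deny entry for the service account on a user object overrides the Allow entry that the script adds.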
Exchange mailbox and folder access permissions are split between Active Directory permissions and Exchange database permissions. The different permission types are stored in two separate locations.
The External Account permission is a way to set the Active Directory msExchMasterAccountSID attribute. The msExchMasterAccountSID attribute is not a permission. Instead, it controls how other permissions work.
Note: The Active Directory msExchMailboxSecurityDescriptor attribute is a backup copy of a subset of the effective mailbox rights. Exchange uses it internally for a variety of purposes, and the attribute is updated to match the current effective rights when administrators assign rights through supported interfaces.
The Full Mailbox Access permission is an Exchange database store permission. The Send As permission is an Active Directory permission. In earlier versions of Exchange, before the Exchange Store.exe file changes were made, Exchange did not examine the setting for the Send As permission if the sender already had the Full Mailbox Access permission.
Note: You can grant the Send As permission without granting the Full Mailbox Access permission.
Inclusion of the Send As permission with the Full Mailbox Access permission gave Exchange administrators effective Send As permissions for any mailbox on a server. This is because Exchange administrators effectively have full control over an Exchange database. By separating the Send As permission from the Full Mailbox Access permission, Active Directory administrators can prevent Exchange administrators from having Send As permission for accounts. This is because the Send As permission is an Active Directory permission and not an Exchange store permission.
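Because the two permissions are stored in different places, an audit of who can send as a given owner has to read both. The script below is an added example, not part of the original article: it lists every Allow Send As entry on mailbox-enabled users (the Active Directory side) and every explicit Full Access entry (the store side), ignoring the owner's own NT AUTHORITY\SELF entry. The sample principal name in the ignore list is the one Exchange uses for the owner; everything else the script touches comes from your directory.

```powershell
# Added example (not from the original article). Run in the Exchange 2007
# Management Shell. Read-only: it only calls Get-* cmdlets.

# NT AUTHORITY\SELF is the mailbox owner's own entry and is expected on every
# mailbox, so it is left out of both reports.
$ignore = @('NT AUTHORITY\SELF')

$mailboxes = Get-Mailbox -ResultSize Unlimited

# Send As: an Active Directory ACE on the user object. An inherited entry was
# set higher in the directory (OU or domain), not on this mailbox.
$sendAs = foreach ($mbx in $mailboxes) {
    Get-ADPermission -Identity $mbx.DistinguishedName |
        Where-Object {
            ($_.ExtendedRights -like '*Send-As*') -and (-not $_.Deny) -and
            ($ignore -notcontains $_.User.ToString())
        } |
        Select-Object @{Name='Mailbox';   Expression={ $mbx.Alias }},
                      @{Name='Trustee';   Expression={ $_.User.ToString() }},
                      @{Name='Right';     Expression={ 'Send-As' }},
                      @{Name='Inherited'; Expression={ $_.IsInherited }}
}

# Full Mailbox Access: a store permission read through Get-MailboxPermission.
# On its own it does not confer Send As in Exchange 2007, but combined with
# delegate status it does, so it belongs in the same report.
$fullAccess = foreach ($mbx in $mailboxes) {
    Get-MailboxPermission -Identity $mbx.DistinguishedName |
        Where-Object {
            ($_.AccessRights -like '*FullAccess*') -and (-not $_.Deny) -and
            (-not $_.IsInherited) -and ($ignore -notcontains $_.User.ToString())
        } |
        Select-Object @{Name='Mailbox';   Expression={ $mbx.Alias }},
                      @{Name='Trustee';   Expression={ $_.User.ToString() }},
                      @{Name='Right';     Expression={ 'FullAccess' }},
                      @{Name='Inherited'; Expression={ $false }}
}

# Trustees that hold both rights on the same mailbox can read it and send as
# its owner; list those first, then the complete set.
$both = foreach ($s in $sendAs) {
    foreach ($f in $fullAccess) {
        if ($s.Mailbox -eq $f.Mailbox -and $s.Trustee -eq $f.Trustee) { $s }
    }
}

"Trustees with both Send-As and Full Access:"
$both | Sort-Object Mailbox, Trustee | Format-Table Mailbox, Trustee, Inherited -AutoSize

"All explicit grants:"
@($sendAs) + @($fullAccess) |
    Sort-Object Mailbox, Right, Trustee |
    Format-Table Mailbox, Trustee, Right, Inherited -AutoSize
```

A Send As entry reported as inherited on many mailboxes at once usually means one ACE placed on an OU or on the domain rather than a per-mailbox grant, which is exactly the kind of entry an Active Directory administrator would want to find. The script does not detect the "delegate with Full Mailbox Access" exception from earlier in this topic, because delegate status is not an ACE; check the mailbox's delegates separately for any trustee the Full Access report lists.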
For more information about how to grant the Send As permission for a mailbox in Exchange 2007, see How to Grant the Send As Permission for a Mailbox.
For more information about how to allow access to a mailbox in Exchange 2007, see How to Allow Mailbox Access.
For more information about mailbox permissions, see Understanding Mailbox Permissions.