Exchange 2010: How to Grant Send on Behalf Permissions for a Distribution Group

In some Exchange 2010 environments it is desirable to allow users to send email on behalf of a distribution group. However, unlike for mailboxes, the Exchange Management Console doesn’t provide an option to grant this permission.

Note: this tutorial is for “send on behalf” permissions. If you’re looking for “send as” permissions go here instead.

To enable send on behalf permissions for a distribution group you need to use the Exchange Management Shell. Launch the shell and use the Set-DistributionGroup command to set the permissions, for example:

Set-DistributionGroup "Sales Team" -GrantSendOnBehalfTo alan.reid

Alan Reid can now use the From field in an Outlook message to send on behalf of the Sales Team group.

Sending on Behalf of a Distribution Group

This is what the message will look like for the recipient.

A message sent on behalf of a distribution group

If they reply to the message it will go to the Sales Team distribution group, not the individual sender.

Replies go to the distribution group, not the individual sender

Alternatively, you can grant the send on behalf permission to all members of the group, which can save on administrative effort over time if all group members should be allowed to send on behalf of the group they are in.

Set-DistributionGroup "Sales Team" -GrantSendOnBehalfTo "Sales Team"
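When the right is granted to a group, membership of that group alone decides who can send on behalf, so it is worth reviewing the effective senders periodically. The following is an added example, not part of the original article; the function name is hypothetical and it assumes each GrantSendOnBehalfTo entry exposes a DistinguishedName.

```powershell
# Added example, not from the original article; the function name is hypothetical.
# Run in the Exchange Management Shell with rights to read recipients.
function Get-GroupSendOnBehalfReport {
    foreach ($group in (Get-DistributionGroup -ResultSize Unlimited)) {
        # Skip groups with no delegates; Where-Object drops a $null value.
        foreach ($entry in @($group.GrantSendOnBehalfTo | Where-Object { $_ })) {
            # Assumes each entry exposes DistinguishedName, as in the article's output.
            $id = if ($entry.DistinguishedName) { $entry.DistinguishedName } else { "$entry" }
            # Delegates that Get-Recipient cannot resolve are reported by identity only.
            $recipient = Get-Recipient -Identity $id -ErrorAction SilentlyContinue

            $via = 'direct grant'
            $senders = @($id)
            if ($recipient -and "$($recipient.RecipientTypeDetails)" -like 'Mail*Group') {
                # The right follows membership: anyone added to this group can send on behalf.
                $via = 'group membership'
                $senders = @(Get-DistributionGroupMember -Identity $id -ResultSize Unlimited |
                    Where-Object { $_ } | ForEach-Object { $_.Name })
                if ($senders.Count -eq 0) { $senders = @('(no members)') }
            }

            foreach ($sender in $senders) {
                New-Object PSObject -Property @{
                    Group      = $group.Name
                    Delegate   = $id
                    GrantedVia = $via
                    Sender     = $sender
                }
            }
        }
    }
}

# Nested groups are listed by name, not expanded further.
Get-GroupSendOnBehalfReport |
    Sort-Object Group, Delegate, Sender |
    Format-Table Group, GrantedVia, Delegate, Sender -AutoSize
```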

Adding Additional Users or Groups to Send on Behalf Permissions

It is important to realise though that this setting is easy to overwrite if you try to add another user or group when there is already one that has been granted send on behalf permissions.

To demonstrate, here is the distribution group with the Sales Team granted send on behalf permissions.

[PS] C:\>Get-DistributionGroup "Sales Team" | fl name,grant*

Name                : Sales Team
GrantSendOnBehalfTo : {exchangeserverpro.net/Company/Groups/Sales Team}

Now if I use the same command as shown earlier to grant another group send on behalf permissions, it overwrites the existing setting instead of appending it.

[PS] C:\>Set-DistributionGroup "Sales Team" -GrantSendOnBehalfTo "Branch Office Team"

[PS] C:\>Get-DistributionGroup "Sales Team" | fl name,grant*

Name                : Sales Team
GrantSendOnBehalfTo : {exchangeserverpro.net/Company/Groups/Branch Office Team}

Instead we need to use a different method to add additional users or groups to the send on behalf permissions.

First, read the existing settings into a variable.

[PS] C:\>$a = Get-DistributionGroup "Sales Team"

Next, read the new group into a second variable.

[PS] C:\>$b = Get-DistributionGroup "Branch Office Team"

If you were adding an individual user you would just use Get-User instead of Get-DistributionGroup.

Then, append the distinguished name of the second group into the GrantSendOnBehalfTo value from the first group.

[PS] C:\>$a.GrantSendOnBehalfTo += $b.DistinguishedName

Finally, set the new value on the first group.

[PS] C:\>Set-DistributionGroup "Sales Team" -GrantSendOnBehalfTo $a.GrantSendOnBehalfTo

You can see that both the Sales Team and Branch Office Team now have send on behalf permissions to the Sales Team distribution group.

[PS] C:\>Get-DistributionGroup "Sales Team" | fl name,grant*

Name                : Sales Team
GrantSendOnBehalfTo : {exchangeserverpro.net/Company/Groups/Sales Team,
exchangeserverpro.net/Company/Groups/Branch Office Team}

Removing Users or Groups from Send on Behalf Permissions

To remove one of the users or groups from the send on behalf permissions we use a process similar to the one we used to add them.

First, read the current setting into a variable.

[PS] C:\>$a = Get-DistributionGroup "Sales Team"

You can now see the distinguished names of the users or groups that currently have permissions.

[PS] C:\>$a.GrantSendOnBehalfTo | fl distinguishedname

DistinguishedName : CN=Sales Team,OU=Groups,OU=Company,DC=exchangeserverpro,DC=net

DistinguishedName : CN=Branch Office Team,OU=Groups,OU=Company,DC=exchangeserverpro,DC=net

Remove the one that you don’t want any more.

[PS] C:\>$a.GrantSendOnBehalfTo -= "CN=Branch Office Team,OU=Groups,OU=Company,DC=exchangeserverpro,DC=net"

Now apply the new setting to the distribution group.

[PS] C:\>Set-DistributionGroup "Sales Team" -GrantSendOnBehalfTo $a.GrantSendOnBehalfTo

You can see that the Branch Office Team has been removed from the send on behalf permissions.

[PS] C:\>Get-DistributionGroup "Sales Team" | fl name,grant*

Name                : Sales Team
GrantSendOnBehalfTo : {exchangeserverpro.net/Company/Groups/Sales Team}

Finally, if you want to remove all send on behalf permissions from a group you can run this command.

[PS] C:\>Set-DistributionGroup "Sales Team" -GrantSendOnBehalfTo $null

[PS] C:\>Get-DistributionGroup "Sales Team" | fl name,grant*

Name                : Sales Team
GrantSendOnBehalfTo : {}
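
The add and remove procedures above can be wrapped in one function that never overwrites the existing list and does not rely on the collection type supporting `+=` or `-=`. This is an added example, not code from the original article; the function name, its parameters and the `-Preview` switch are hypothetical, and it assumes the entries expose DistinguishedName as shown in the output above.

```powershell
# Added example, not from the original article. Function and parameter names are hypothetical.
function Update-GroupSendOnBehalf {
    param(
        [Parameter(Mandatory=$true)][string]$Group,
        # DN of the delegate, e.g. (Get-User alan.reid).DistinguishedName
        [Parameter(Mandatory=$true)][string]$DelegateDN,
        [Parameter(Mandatory=$true)][ValidateSet('Add','Remove')][string]$Action,
        # Passed to Set-DistributionGroup as -WhatIf so the change can be previewed.
        [switch]$Preview
    )

    # Flatten the current delegates to plain DN strings so the logic works on a
    # simple array instead of depending on += or -= being available.
    # Assumes entries expose DistinguishedName, as in the article's output.
    $current = @((Get-DistributionGroup $Group).GrantSendOnBehalfTo |
        Where-Object { $_ } |
        ForEach-Object { if ($_.DistinguishedName) { $_.DistinguishedName } else { "$_" } })

    if ($Action -eq 'Add') {
        # Keep every existing delegate; append only if not already present.
        if ($current -contains $DelegateDN) { $new = $current } else { $new = $current + $DelegateDN }
    } else {
        $new = @($current | Where-Object { $_ -ne $DelegateDN })
        if ($new.Count -eq $current.Count) {
            Write-Warning "'$DelegateDN' is not a delegate of '$Group'; nothing to remove."
            return
        }
    }

    # An empty list is written as $null, the same way the article clears the setting.
    if ($new.Count -eq 0) { $new = $null }

    Set-DistributionGroup $Group -GrantSendOnBehalfTo $new -WhatIf:$Preview

    # Read the value back so the result is confirmed rather than assumed.
    Get-DistributionGroup $Group | Format-List Name, GrantSendOnBehalfTo
}

# Usage with the article's names:
# $b = Get-DistributionGroup "Branch Office Team"
# Update-GroupSendOnBehalf -Group "Sales Team" -DelegateDN $b.DistinguishedName -Action Add -Preview
# Update-GroupSendOnBehalf -Group "Sales Team" -DelegateDN $b.DistinguishedName -Action Remove
```
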
About Paul Cunningham

Paul is a Microsoft Exchange Server MVP and publisher of Exchange Server Pro. He also holds several Microsoft certifications including for Exchange Server 2007, 2010 and 2013.

Comments

  1. muralidharan says:

    Also, could you tell us how to remove this send on behalf of permission?

  2. Susan Verwer says:

    Hi Paul,

    I get the following error when I try to set the sendonbehalfto right to a Distribution Group.

    You don’t have sufficient permissions. This operation can only be performed by a manager of the group.
    + CategoryInfo : NotSpecified: (:) [Set-DistributionGroup], OperationRequiresGroupManagerException
    + FullyQualifiedErrorId : 9876B053,Microsoft.Exchange.Management.RecipientTasks.SetDistributionGroup

    Hope you can help me!

    Thanks.

    Kind regards,
    Susan Verwer

  3. Susan Verwer says:

    Local Admin/Domain Admin.

  4. Susan Verwer says:

    We’ve just migrated from 2003 to 2010, so maybe that’s the problem, that I don’t have enough rights!
    Problem is that I don’t know where to look :-(

    Do I have to assign myself these permissions through the Exchange Management Console (EMC), Toolbox?

    • You can do it via either the console or shell. You can also do it by simply adding accounts to the pre-configured security groups in AD for various Exchange roles (eg org admins, recipients admins…).

  5. Paul Taylor says:

    Are mailbox size limits enforced for ‘send on behalf’?

    • Good question, and I don’t know the answer so I’ll try and find out.

      • Susan Verwer says:

        When I put the following line -BypassSecurityGroupManagerCheck after Set-DistributionGroup "Sales Team" -GrantSendOnBehalfTo "Sales Team" I did not get the error message!

        So I thought that the problem is solved, but now in Outlook the employees get the following warning:

        you’re not authorized to send on behalf of.

        I don’t get it!

        What else can it be?

      • Hi Susan, is your Sales Team group a Universal group?

      • Susan Verwer says:

        I’ve missed a command at the end of the line

        -BypassSecurityGroupManagerCheck

        Now they are able to send on behalf of…

        Problem solved!

  6. Thanks for that, I’ve been struggling with that for a few days and didn’t realize that the first line (Set-DistributionGroup “group” -GrantSendOnBehalfTo “user”) overwrote the whole thing!!

  7. Hi, I have tried the above and there were no errors during the commands, but I still get the error that the users are not able to send on behalf. My distribution group is a universal security group, and the users have all been added to it as members. In the management console I have set each user’s send as permissions for the group and did the above shell commands. Do I need to restart Exchange or something after the commands?

    • Seems that you’re saying you’ve done both the “Send on Behalf” per this article, and the “Send As” as well. That won’t work. Do one or the other, but not both.

  8. Hi,
    I am facing one issue related to send on behalf. Users have all the permissions to send mail on behalf, and mails are sent properly, but there is one big issue. If mail is sent on behalf to a single ID it is delivered, but when the same mail is sent to a lot of IDs, approx. 500 email IDs, then it is not delivered.

    If you have any solution, please let me know.

    my contact number 8878096096
    email id – ashish.shivhare5@vodafone.com

  9. Hi Paul,
    I’m a big fan of your blog. Great job.
    How did you get
    $a.GrantSendOnBehalfTo -= “CN=Branch Office Team,OU=Groups,OU=Company,DC=exchangeserverpro,DC=net” to work?
    I followed the same procedure to remove a user from GrantSendOnBehalfTo property but I kept getting this error:
    Method invocation failed because [System.Collections.ArrayList] doesn’t contain a method named ‘op_Subtraction

    This is my script
    $Owner = Read-Host "Type in valid email address or alias of the owner's mailbox"
    $User = Read-Host "Type in valid email address or alias of the user whose SEND-ON-BEHALF rights you want to remove"
    $OwnerMailbox = Get-Mailbox $Owner
    $UserMailbox = Get-Mailbox $User
    $OwnerMailbox.GrantSendOnBehalfTo -= $UserMailbox.DistinguishedName
    Set-Mailbox $Owner -GrantSendOnBehalfTo $OwnerMailbox.GrantSendOnBehalfTo

    Any help is appreciated

    Thanks

    • Might need to do a little script debugging to find out what the script sees $OwnerMailbox.GrantSendOnBehalfTo as.

      Add a line

      ($OwnerMailbox.GrantSendOnBehalfTo).GetType()

      It should return as an ADMultiValuedProperty.

  10. Thanks for the reply, Paul.
    I eventually got around it by changing my code to below:
    $Owner = Read-Host "Type in valid email address or alias of the owner's mailbox"
    $User = Read-Host "Type in valid email address or alias of the user whose SEND-ON-BEHALF rights you want to remove"

    $OwnerMailbox = Get-Mailbox $Owner
    $UserMailbox = Get-Mailbox $User
    $OwnerMailbox.GrantSendOnBehalfTo.Remove($UserMailbox.Identity)
    Set-Mailbox $Owner -GrantSendOnBehalfTo $OwnerMailbox.GrantSendOnBehalfTo

  11. Puzzled says:

    Thanks a lot for the detailed info.

    Is it me or wasn’t PowerShell supposed to be an “easy” method of administering Exchange? Seems like an awful lot of convoluted work to achieve something rather simple like removing and adding users/groups from what should be a simple list.

    • “Easy” is a bit subjective, but sure, I think it’s easy. Definitely a lot easier than editing ACLs via ADUC or ADSIEdit.

      This article goes into some detail for the sake of demonstration and clarity. In the real world most people would just grant the permissions once, to a group, and then use that group’s membership to control who can and can’t send on behalf.

      That way you only do the PowerShell part once.

  12. Can we remove the “Sent on behalf of” user name in the Outlook From address when doing this with a distribution group as we can with granting the right to a mailbox?

  13. Vijay Ramshetty says:

    Hi Paul,

    Thanks a lot for detailed article on this. It helped me a lot.

  14. Thanks very much Paul, great article. The information on removing the permissions was especially useful.

  15. Hello,
    I am getting an error when trying to add a Group to the Distribution list.
    I get the same error using the CN= etc. and just “Assessment”

    Assessment is a Universal Group, it is also the distribution group. ([PS] C:\Windows\system32>Enable-DistributionGroup -Identity “Domain.local/Domain Groups/Assessment”)

    –Command–
    [PS] C:\Windows\system32>Set-DistributionGroup “Assessment” -GrantSendOnBehalfTo
    “Domain.LOCAL/Domain Groups/Assessment”

    –Error–
    Object “Domain.LOCAL/Domain Groups/Assessment” could not be found. Please make sure that it was spelled correctly or specify a different object. Reason: Domain.LOCAL/Domain Groups/Assessment is not a mailbox user or mail-enabled user.
    At line:1 char:1
    + <<<< Set-DistributionGroup "Assessment" -GrantSendOnBehalfTo 'Domain.LOC
    AL/Domain Groups/Assessment'
    + CategoryInfo : NotSpecified: (:) [], ManagementObjectNotFoundException
    + FullyQualifiedErrorId : A411CAA1

  16. Paul, what happens if I give a user send on behalf AND send as permission to a distribution group? I mean, can he select send as or send on behalf as he wishes when using his Outlook 2010? My test always shows send as.

    Thanks.

    David

    • No, you can’t grant both and have the user select which one they want to use at the time. Those two rights don’t co-exist very well at all actually. Grant one or the other, but not both.

      • Hi, can you tell me how to remove the sendas and change to grantsendonbehalfto cleanly? We’re finding some grantsendonbehalfto permissions granted during our migrations and we were giving sendas. I want to change them now to grantsendonbehalfto instead. Also, if you use the group and add a new member to the group, will they inherit these permissions automatically?

  17. Hi,

    This is my situation: I have to add a mail-enabled security group under the user’s mailbox “send on behalf”.
    Please help me.
    I tried running
    Set-Mailbox usermailbox@domain.com -GrantSendOnBehalfTo securitygroup@domain.com

    It failed stating unable to find the object, which is true because it’s not a user mailbox.

    Is there any way I could add the security group now to the send on behalf of a user mailbox?

    Please do the needful.

  18. Hi Paul,

    I’ve followed the steps and it works, but the sent email does not show “Loc Banh on Behalf of ”
    It just shows the .

    Is there something I did wrong or is there something else that needs to be done?

    Thanks,

    Loc Banh.

    • It sounds like you’ve got both send as and send on behalf permissions granted. They don’t co-exist nicely, you’ll need to remove the one you don’t want so that you get the result that you do want.

  19. good job, thanks

  20. Hi,

    I have done this for individual mailboxes, using Set-Mailbox instead, but I can’t seem to do it for multiple users. Is there a way to do it for more than one user, without using a distribution group?

  21. Hi Paul

    Thanks for this great resource of knowledge! I see that you are talking about a Distribution Group in your examples. But is this also possible with a ‘Global Security Group’ or a ‘Universal Security Group’?

    Thank you very much for your feedback :)

    • A “Distribution Group” in Exchange terminology means a mail-enabled group.

      In Active Directory a “Distribution Group” is not necessarily mail-enabled.

      So for the context of this article, assume “Distribution Group” means mail-enabled group in Exchange. That means it must be a Universal group.

      If you want to grant a *group* the permissions to send on behalf of a mailbox or distribution group, it must be a Universal Security Group to begin with, whether it is mail-enabled or not. The steps for granting a group the permissions to send on behalf of another group are demonstrated in the article.
