Exchange 2010: How to Grant Send As Permissions for a Distribution Group

In a recent article I demonstrated how to grant send on behalf permissions for a distribution group in Exchange 2010.

In this article I’ll show you how to grand send as permissions for distribution groups in Exchange 2010. If you’re not sure what the difference is between “send as” and “send on behalf” it is as simple as this:

  • “Send on behalf” is when the email message has a From address of “Person A on behalf of Person B”. This is fairly common with executives and their assistants who send things like meeting invitations on the exec’s behalf.
  • “Send as” is when the message has a From address of Person B with no indication that it was actually sent by Person A. In other words this is more like impersonation, whereas “send on behalf” is more like delegation.

So let’s take a look at this scenario. Here we have Alannah Shaw, a member of the Payroll department, sending an email to Alan Reid and attempting to send as “Payroll Team”, which is a distribution group.

The email is not delivered because Alannah does not have permissions to send as the Payroll Team group.

Fortunately configuring “send as” permissions is not difficult at all. There are two ways to grant the permissions.

  • Grant send as permissions to a mailbox user (eg, grant Alannah Shaw permission to send as “Payroll Team”)
  • Grand send as permissions to a universal security group (eg grant “Payroll Team Leaders” permission to send as “Payroll Team”)

You can grant the permissions by using Active Directory Users & Computers. Simply open the properties of the group, switch to the Security tab, add the mailbox user or group, and then tick the Send As box and apply the change.

After making this change you may notice that it does not take effect for up to 2 hours. This is due to caching on the Exchange servers. Though you can speed up the change by restarting the Information Store that is obviously not going to be practical in most production environments, so you’ll often find that you just need to wait.

Once the change has taken effect the user can send as the distribution group.

About Paul Cunningham

Paul is a Microsoft Exchange Server MVP and publisher of Exchange Server Pro. He also holds several Microsoft certifications including for Exchange Server 2007, 2010 and 2013. Connect with Paul on Twitter and Google+.

Comments

  1. This is great, but do you know of if adding universal security groups to shared mailboxes would work too?

    • Yes you can grant permissions to mailboxes using Universal security groups.

      • Arun Joshi says:

        I am stucked in one problem. Few users are able to send mail on behalf of any users in my infra. I have checked send as permission but there is no permission defined for those users. We are using exchange 2007. can you please help me.

      • Hi Arun, perhaps the permissions have been granted at a higher level (database, information store, server, org) instead of on each mailbox.

        I suggest opening ADSIEdit.msc, connect to the Configuration container, and look at the permissions on your Exchange objects and containers.

        • hi paul,
          1. we are having some issues with our exchange 2010 server, first we renewed the ssl certificate, now the autodiscover is not working. now all the mac users and iphones are not connecting to our mail server.
          2. now i tried to configure imap to the mac users, but in some way it can only send on a certain amount of time. i saw some solutions on send as permission. using ADSIedit.msc, but it will only stay for a couple of minutes, what is the best way to make the send as permission permanent for those users, can you guide us on the steps.

          thanks

  2. I do not appear to have the security tab on any of my Distribution groups? (Either Security or Distribution groups) Any ideas why?
    I can use the other article how to Send on behalf of sing the powershell, without issue, but nowhere canI find this tab.
    Help?

  3. Manish Singh says:

    Hi Paul, thanks for the above details..wanted some information, can we give access to users on the mailbox via security group..we have tested that but its not happeneing..now is it mandatory for the SG to be universal or Global also will do..we are testing that on the Global SG..

    thanks for your help

  4. Manish Singh says:

    Also wanted to verify, is it mandatory for the SG to be mail enabled for the accesses to propagate?

    our current scenario is that we have given access via a SG to people but they are unable to use Send As permissions which is supposed to replicate via the SG..need your suggestion on this..

    Thanks

  5. abdulsalam lukman says:

    Hi paul.
    I configured the distribution group for a user and gave the user SEND AS permission but when i log on to the user outlook and open new email to send using the distribution group created there is no FROM from the option..i only have To and CC option.

    thanks

  6. abdulsalam lukman says:

    thanks man

  7. been scratching my head on this

    Need to give a user the ability to send of behalf of rights to a bulk of users that are a member of a universal security group.

    Basically it needs to look like it came from: Heather Jones on behalf of John Smith.

    John Smith is a member of security Group all – company doctors.

    Any help is appreciated.

  8. Hi Paul,

    I’m facing with this problem below;

    My user is @domain1.com and I want to send e-mail to Universal Distribution Group in another domain, but I can’t. May I need to created another send connectors?

    Thanks in advance,

    Renato from Brazil

  9. Hi, I have added my account to security permissions of a Distribution Group and grated “Send As” permissions. But still I am unable to send emails as the Distribution Group. The NDR says access denied. Any idea what could be wrong. I waited for more than a day after granting the permissions.

    I believe the perms are not syncing to Exchange. Is there anyway to verify this?

    Thanks,
    Sitaram

  10. great article. For me everything works fine with the groups. one question though.

    how can i set the default address of the users to be the Distribution Group?

    ie. i have 10 users under sales@dimain.com everybody receives the emails To sales@domain.com and can send from it BUT they always have to select the FROM field.

    how can i change the FROM to always appear as the sales@domain.com?
    and if they want to change it to their personal?

    Thnx!

  11. Set up send as permission in dist group just as in the article, logged in as user was able to send one email then after that email delivered I loss permission, if I delete it from Outlook and then add it back I can send one email then I loss permission again???? Also there are many users in the dist group and they are not affected accounts have ben compared and permissions matched. Any thoughts anyone. Thanks in advance

  12. Hi Paul,

    There is already a send as permission of the following users but there is a problem when receiving mail to a group and a specific user at the same time. The specific user is also a member of a group, however, they need it to send on its mailbox as a reminder or to give attention. He/She can received email on the group email folder but no email from his/her inbox. How can we resolve this?

  13. captain_exchange says:

    hi Mr king exchange ;)

    its works for me but when i enable the cache on Outlook its fail.. mmm do u have any ideas plz ? i m struck
    i redld the OAB on the client no joys..

  14. We have on group name ( Sales Managers ) and we give (Send as) permission to this group member ( Accounts Managers) to send Emails using (Sales Managers ) Address ,,, Now we need to trace who sent the Emails ???

    • Abdulaziz says:

      ++++++++
      We have on group name ( Sales Managers ) and we give (Send as) permission to this group member ( Accounts Managers) to send Emails using (Sales Managers ) Address ,,, Now we need to trace who sent the Emails ???
      ++++++++

      (( Dear TEAM )

      How I can trace the message which is sent via ( Send AS ) FROM ( Distribution List ) ????

      Regards

  15. Hi Paul,

    I’ve executed the above exactly as mentioned and waited over the mentioned time period. However, I still do not have the ‘required permissions’ when selecting the desired distro group in From in Outlook. Do you’ve any idea why I’m still getting this? I simply wish to have 4 people send as a distro group (admin sec group granted send as permissions).

    • I’m running into the same issue. I’ve followed these steps, and still when I try to send email as the DG, I get the undeliverable message. I’ve contacted Office365 support, and they are stumped too.

      Delivery has failed to these recipients or groups:

      You can’t send a message on behalf of this user unless you have permission to do so. Please make sure you’re sending on behalf of the correct sender, or request the necessary permission. If the problem continues, please contact your helpdesk.

      • The tutorial was written for on-premise. Frankly I have no idea if it will work the same in Office 365. However, you should check whether you’ve granted both Send As and Send on Behalf, because that doesn’t work. You can only grant one or the other. If both are granted then problems like this can occur.

  16. Hi Paul, This should be easy but it is not working for me. I can ‘send as’ the distribution group from OWA but not Outlook. I deleted the OAB files and restarted Outlook but still get an NDR. Any other suggestions? Thanks, Kevin

  17. Abdulaziz says:

    (( Dear TEAM )

    How I can trace the message which is sent via ( Send AS ) FROM ( Distribution List ) ????

    Regards

  18. Hi Paul, excellent article. If you have a moment, can you shed some light on why I cannot send from the group when it is hidden and if I can work around that? I had it working but, as soon as I hid the group from Exchange Address Lists it broke. Thanks so much

  19. Hi Paul,

    i have been testing this as well and there’s something strange going on.
    USG, mail enabled, user J.Wesselius has Send-As permissions on USG, this is Exchange 2010 SP2.
    OWA works fine when sending as USG
    Outlook 2010 in online mode works fine when sending as USG;
    Outlook 2010 in cached mode does not work when sending as USG and a permissions error is sent back to the user saying “You can’t send a message on behalf of this user unless you have permission to do so”.

    I’m not sure whether this is an Outlook or an Exchange issue, but it’s not working ;-)

    Cheers
    Jaap

  20. Hi Paul, I have two forest because we are in adquisition transition. Forest A, and B.
    i need to gran permission into a Distribution Group in Forest A to one user just migrated to Forest B.
    The idea is to do by power shell because i can´t see how to grant this permission in ADUC from Forest A.

    Could you help me with that? please, thank you in advance.

    Juan

  21. nelson9821 says:

    I have a question,

    lets take an example,

    I have DL named XADM10, and it has 10 members.
    Now i give all ten members permission to send as XADM10@microsoft.com
    now here is the thing
    One member has used this send as xadm10@synowledge.com and sent a mail to all employee with an abusive content
    now as an admin how do i find who he/she is?

    Environment info:
    WE got e2k7SP3 Ru9 and there is no discovery search
    Audit log on DL will not give out put on send as (i mean as who sent it)
    Message header will give info about only the server and server ip not the workstation from which it is sent.

    Please guide me..

    Thanks
    Nelson

  22. Hi Paul,

    Wonder will there be any difference on a mac outlook?

    • Hi gopi,
      Mac Outlook only lets you pick the “from” address from a list of accounts which your Outlook has been set up to send from. You can’t type into the “from” address field directly.
      To get Outlook(2011) to add the new address into that list – go to Tools -> Accounts… -> (Account) -> Delegates
      Under there, add the address into “Accounts I can send on behalf of” and it should work…

      Mike

  23. Redouane Sarra says:

    Hello,

    As a domain admin, i added a couple of Domain Admins Accounts to the Security tab of my account and set the “Send as” to deny to prevent them from sending emails as me in our Organization. But the problem is just after few minutes later the accounts disappeared from the Security tab of my account, so they could send emails as me !!

    Please help!

    Regards.

  24. Hi All
    after doing paul’s steps it doesnt work and we keep get NDR
    in order it to work go to security tab at group (check group at AD)
    under “Permissions for SELF” make sure to uncheck all other permissions !!!

  25. Just want to say thanks for each and every post. Every-time I have to troubleshoot Exchange issues, i find solution or at-least hint for the fix.
    Keep up the good work.

  26. Hello.

    Just wanted to add a follow up to this topic since I had trouble with it.

    I did all the steps above for a Mail Enabled USG exchange 2010. Added 6 users to a DG and all would get NDR permission issues even after giving them all “send as” in the security tab of the DG.

    Like the other user above the following was true:
    - send as DG from owa = worked
    - send as DG from outlook 2010 (non-cached mode) = worked
    - send as DG from outlook 2010 (cached mode) = FAILED

    I rebuilt the OAB, and then had all 6 users delete their OAB files. Had them reboot and redownload the OAB and clear out their nk2 file and everything works now.

    Hope this helps.

  27. This would not work unless I ONLY left “Send AS” checked for the user. If any other “Allow” right was checked the user could not send an email using the distribution lists email as the from address.

  28. Hi Paul,

    Glad I found your post which answered some of my questions. However, I have one question in particular. The scenario is as follows:

    Lets say I work for a company and have @company.com as my email address. While configuring Outlook 2010, it just asks me for the Exchange Server name and my name, and it is ready to send emails. What I do not understand is that I haven’t found a way to do the same using a customized script / program. Basically, I want to send emails to other colleagues in the company every day at a set time. I have made a small .NET program, but I have to manually enter (in the code) my username and password. While this is okay for now, I guess if I change my system password, the application will fail to send emails. Am i correct ? Also, is there a way to let the exchange server authenticate and send email and use my windows credentials without me having to explicitly add that in ?

    Any help / guidance you can provide will be greatly appreciated.

    Thanks,

    SyKa

  29. Hi Paul, we are running exchange server 2010 with Office 2010 32bit. on windows 7. One of our users just switched workstations, currently he is set up with send as permissions for one of our distribution groups, but for some reason on his new workstation it gives him a “You can’t send a message on behalf of this user unless you have permission to do so. ” bounce-back. what could cause him not to be able to send from one workstation verses another?

    Thanks,

    Ed

Leave a Comment

*

We are an Authorized DigiCert™ SSL Partner.