Article ID: 17773
Date: 28 June 2006

Title: Users are still paused after applying the GoodAdmin service account "Send As" right for the Microsoft(MS) Exchange 2003 Message Store Hot-fix

Symptom: Some or all users are still paused after applying the GoodAdmin service account "Send As" right mentioned in 17540 Users Paused After Applying Microsoft(MS) Exchange 2003 Message Store Hot-fix

o Example error from Application Event Logs: Failed to submit mail message for user johndoe. (HRESULT:-2147024891) Pausing user johndoe. (Security error - Cannot access the users mailbox.)
o Also, the "Send As" permission may be revoked again after being added for Good-enabled users that belong to a protected group (e.g. Domain Admins).

Cause 1: Exchange replication has not taken place, or the user's Good pause-timer has not expired.

Remedy 1: Wait for Exchange replication. Please note that it may take up to 90 minutes for the Exchange Information Store to update its permissions cache and for the GoodLink server to un-pause and reconnect to the user's mailbox. Exchange replication alone can take approximately 70 minutes; therefore, to un-pause users immediately, you may restart the GoodLink Server service after 70 minutes.
If replication has taken place, ensure that all instructions were followed in 17540 Users Paused After Applying Microsoft(MS) Exchange 2003 Message Store Hot-fix.

Cause 2: Applying the "Send As" permission at the domain level will NOT work for users or groups of users that belong to the following protected groups. Please see the following Microsoft article to learn more about the AdminSDHolder object and how it blocks inheritance of rights such as "Send As": http://support.microsoft.com/kb/907434/

The following list contains the protected groups in Windows 2000:

o Enterprise Admins
o Schema Admins
o Domain Admins
o Administrators


The following list contains the protected groups in Microsoft Windows Server 2003 and in Windows 2000 after you apply hotfix 327825 or after you install Windows 2000 Service Pack 4 (SP4):

o Administrators
o Account Operators
o Server Operators
o Print Operators
o Backup Operators
o Domain Admins
o Schema Admins
o Enterprise Admins
o Cert Publishers


Additionally, the following users are considered protected:

o Administrator
o Krbtgt


Remedy 2: If a Good-enabled user belongs to any of these protected groups, or belongs to a group that is a member of any of these protected groups, then the user should be removed from that group and the "Send As" permission for the GoodAdmin Service Account must then be set on the user object. In line with Microsoft's new "best practices", it is recommended that a separate Active Directory account be created that belongs to the protected group and is used for administrative purposes only, not for email. Please see: http://support.microsoft.com/kb/907434/

Removing the protected group from the GoodLink user:

1) Launch ADUC. (Start > Administrative Tools > Active Directory Users and Computers)

2) Enable the advanced features view so that you will be able to see the security tab. (Select menu - View > Advanced Features)


3) Highlight your user, right click on it and select "properties".

4) Click the "Member of" tab.


5) Remove all groups except for the "Domain Users" group for the user.
Note: You may retain memberships to any non-protected group that is not a member of a protected group.
Example: Upon inspecting "A Custom Security Group" we find that it is a member of two protected groups that prevent the "Send As" right; therefore, the user must be removed from that group.


6) Click the "Security" tab and then the "Advanced" button.


8) Check "Allow inheritable permissions from the parent to propagate to this object and all child objects" and click "Apply".
Look for the GoodAdmin Service Account and verify that the "Send As" permission is "Allowed" on the user object. (green outline below)


-------------------------------------------------------------------------------------------------------------------------------

If permissions haven't propagated after 15 minutes then you may apply the "Send As" right on the user object itself, but this shouldn't have to be done if propagation is working as designed:

1) Launch ADUC. (Start > Administrative Tools > Active Directory Users and Computers)

2) Enable the advanced features view so that you will be able to see the security tab. (Select menu - View > Advanced Features)


3) Highlight your user, right click on it and select "Properties".


4) Click the "Security" tab and then click "Add".



5) Enter the name of your GoodAdmin Service Account, click "Check Names" to resolve and click OK.


6) Now in the Security tab highlight the GoodAdmin Service Account and click the "Advanced" button.


7) Click "Add".

8) Highlight or type the name of your GoodAdmin Service Account and click OK.

9) Now a new "Permissions Entry" window will pop up. Select "User Objects" in the "Apply onto" drop-down box (it is down toward the bottom of the list). When "User Objects" has been selected, click "Allow" for the "Send As" permission and click OK.



10) Click OK to close the Access Control Settings window. The new GoodAdmin Service Account permission will now be visible.


11) Click OK to close the user properties window. The GoodAdmin Service Account should show Special Permissions set to allow.
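The same grant, done from PowerShell instead of the ADUC dialogs, as an added example that is not part of the original article. It assumes the ActiveDirectory module (RSAT) is available on the machine; the domain, service account and user names are placeholders.

```powershell
# Added example: grant the GoodAdmin service account the "Send As" extended
# right directly on a single user object (PowerShell equivalent of steps 1-11).
Import-Module ActiveDirectory

$ServiceAccount = 'CONTOSO\GoodAdmin'   # placeholder: your GoodAdmin service account
$UserSam        = 'johndoe'             # placeholder: the paused GoodLink user

# Well-known GUID of the Exchange "Send As" extended right.
$SendAsGuid = [Guid]'ab721a54-1e2f-11d0-9819-00aa0040529b'

$user = Get-ADUser -Identity $UserSam
$path = "AD:\$($user.DistinguishedName)"
$acl  = Get-Acl -Path $path

$identity = [System.Security.Principal.NTAccount]$ServiceAccount

# The ACE is placed on the user object itself, so no inheritance is needed;
# the GUI's "Apply onto: User Objects" choice only matters on a container.
$ace = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $identity,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $SendAsGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)

$acl.AddAccessRule($ace)
Set-Acl -Path $path -AclObject $acl

# Read the ACL back and show the entry that was written (the check in step 11).
(Get-Acl -Path $path).Access |
    Where-Object { $_.ObjectType -eq $SendAsGuid -and $_.IdentityReference -eq $identity } |
    Format-Table IdentityReference, AccessControlType, ActiveDirectoryRights, IsInherited
```

If the user is still protected by AdminSDHolder, this explicit entry will be removed again by the next SDProp pass, so Remedy 2 (fixing the group membership) must be completed first.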



Troubleshooting - Please utilize the following tests:

Microsoft has a script that will create a report of users who do not have the "Send As" right effectively applied to their mailbox.
17772: How to run Microsoft's reporting script to see which users do not have the "Send As" right applied for the GoodAdmin Service Account

Good's Test Send utility will create a MAPI login for the "user profile" specified, and attempt to send email to a specified address.
17771: How to run Good's Test Send utility to verify that a specified user has the "Send As" right applied for the GoodAdmin Service Account
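A quick audit that pulls together the checks this article describes, as an added example that is neither Microsoft's reporting script nor Good's utility: for each GoodLink user it reports whether the account is stamped by AdminSDHolder (adminCount=1, inheritance blocked) and whether the GoodAdmin service account holds an explicit or inherited "Send As" entry on the user object. It assumes the ActiveDirectory module; the domain, service account and user names are placeholders.

```powershell
# Added example: report why a GoodLink user may still be paused.
Import-Module ActiveDirectory

$ServiceAccount = 'CONTOSO\GoodAdmin'       # placeholder: GoodAdmin service account
$Users          = @('johndoe', 'jsmith')    # placeholder: GoodLink users to check
$SendAsGuid     = [Guid]'ab721a54-1e2f-11d0-9819-00aa0040529b'   # "Send As" right

function Test-GoodSendAs {
    param([string]$SamAccountName)
    $u   = Get-ADUser -Identity $SamAccountName -Properties adminCount, memberOf
    $acl = Get-Acl -Path "AD:\$($u.DistinguishedName)"

    # SDProp stamps adminCount=1 and blocks inheritance on accounts that are
    # (directly or through nesting) members of a protected group. adminCount is
    # therefore a better signal than the direct memberOf list shown below.
    $protected = ($u.adminCount -eq 1) -or $acl.AreAccessRulesProtected

    # Only explicit "Send As" entries are counted, matching the remedy above;
    # a Full Control entry would also grant it but is not reported here.
    $sendAs = $acl.Access | Where-Object {
        $_.ObjectType -eq $SendAsGuid -and
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -eq $ServiceAccount
    }

    [pscustomobject]@{
        User                = $SamAccountName
        ProtectedBySDHolder = $protected
        InheritanceBlocked  = $acl.AreAccessRulesProtected
        SendAsDirect        = [bool]($sendAs | Where-Object { -not $_.IsInherited })
        SendAsInherited     = [bool]($sendAs | Where-Object { $_.IsInherited })
        DirectGroups        = ($u.memberOf | ForEach-Object {
                                  ($_ -split ',')[0] -replace '^CN=' }) -join '; '
    }
}

$Users | ForEach-Object { Test-GoodSendAs $_ } | Format-Table -AutoSize
```

A user showing ProtectedBySDHolder = True with SendAsInherited = False is the Cause 2 case; a user with no protection and no "Send As" entry at all points back to the 17540 instructions or to replication still being in progress (Cause 1).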



Alternative Security Settings: If altering the group memberships to accommodate Microsoft's new best practices is not practical, we do have two Microsoft-recommended alternatives, though they should be avoided. Our alternatives include creating a proxy user for the mailbox, or editing the AdminSDHolder object with a periodic script. Do not try to guess the steps of these alternative methods. If you need further information or have questions regarding these methods, please contact your authorized technical support representative.

Note: Modifying the AdminSDHolder object manually via Active Directory Users and Computers or ADSI Edit does not work, and if it does, it will most likely break in a future Microsoft update.