Send on Behalf Of for user in Trusted Domain

General discussion of using Adaxes for Active Directory management and administration
HarryNew
Posts: 17
Joined: Mon Sep 04, 2017 12:37 am

Send on Behalf Of for user in Trusted Domain

Tue May 21, 2019 2:53 am

Hello,

We have a forest with two trees that hold one domain each. There is a default tree-root trust (transitive, two-way) between the top domains. Since both trees are in the same forest they share the same global catalog and schema. The relevant Exchange mailboxes and most users are held in the forest root domain (let's call it tree-root-1). Less than 5% of the users are held in the other tree-root domain (let's call it tree-root-2).

We configured a button in Adaxes to manage the "Send on behalf of" and "Full Access" properties in Exchange. We used the built-in functionality from Adaxes. The buttons work fine. There is just one problem: If we try to give a user from tree-root-2 "Send on Behalf of" permissions to a mailbox in tree-root-1 we fail, because the "Look-In" box in the web interface will not allow us to choose anything but tree-root-1 (the forest root domain). When using the "Full-Access" button the "Look-In" box allows us to choose between "Everywhere" and tree-root-1.

Please also see the two attached pictures.

Where can we configure the "Send on Behalf of" function to also use "Everywhere" in the Look-In box?

Thank you for your suggestions!
HarryNew
Attachments: SendOnBehalfOf.jpg, FullAccess.jpg

User avatar
Support
Site Admin
Posts: 2373
Joined: Thu Apr 23, 2009 2:28 am

Re: Send on Behalf Of for user in Trusted Domain

Tue May 21, 2019 9:54 am

Hello Harry,

The Send on behalf privilege can be granted only to the users located in a domain that has parent-child Trust Type with the domain of the user being updated. Unfortunately, there is no other possibility. This is an Exchange restriction, not Adaxes.
Active Directory Identity Management


HarryNew
Posts: 17
Joined: Mon Sep 04, 2017 12:37 am

Re: Send on Behalf Of for user in Trusted Domain

Thu Jun 06, 2019 8:35 am

Hello Support,

Thank you for your answer. I talked to our Exchange Admins and they do not agree with your answer. Using the Exchange GUIs they can give a user in Tree-root-2 "Send-On-Behalf" permissions to a mailbox in Tree-Root-1. So this is not an Exchange limitation.

In fact, as an AD administrator, I would not see why a tree-root-trust would be different from a parent-child-trust in this question. Both types of trusts connect domains within the same forest. The trusts are transitive and two-way. The only difference is that a separate tree-root allows the usage of a different naming scheme.

Do you have any other ideas why we cannot search for users in the other domain?

Regards
HarryNew
Attachments: ExchangeGuiExample.jpg
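
The premise in the post above (both domains in one forest, joined by a tree-root trust) and the cross-domain Send on Behalf grants it mentions can be checked from the directory and Exchange side. This is an added example, not part of the thread and not Adaxes code; it assumes the ActiveDirectory module and an on-premises Exchange Management Shell session, and the two domain names are placeholders.

```powershell
# Added example: domain names below are placeholders, not values from the thread.
Import-Module ActiveDirectory

$mailboxDomain  = 'tree-root-1.example'   # placeholder
$delegateDomain = 'tree-root-2.example'   # placeholder

# 1. Both domains must be listed by the same forest object.
$forest = Get-ADForest -Server $mailboxDomain
$sameForest = ($forest.Domains -contains $mailboxDomain) -and
              ($forest.Domains -contains $delegateDomain)
"Forest {0}: both domains present = {1}" -f $forest.Name, $sameForest

# 2. Show how the trust towards the other tree is classified.
Get-ADTrust -Filter "Name -eq '$delegateDomain'" -Server $mailboxDomain |
    Select-Object Name, Direction, IntraForest, IsTreeRoot, IsTreeParent

# Helper: reduce a distinguished name to its DNS domain (DC= components only).
function Get-DomainFromDN([string]$DN) {
    $parts = $DN -split ',' | Where-Object { $_ -match '^\s*DC=' }
    ($parts | ForEach-Object { $_ -replace '^\s*DC=', '' }) -join '.'
}

# 3. Audit: list Send on Behalf delegates whose domain differs from the
#    mailbox's domain. Delegates are resolved with Get-Recipient because the
#    property may arrive as plain strings in a remote shell session.
Set-ADServerSettings -ViewEntireForest $true
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.GrantSendOnBehalfTo } |
    ForEach-Object {
        $mbx = $_
        $mbxDomain = Get-DomainFromDN $mbx.DistinguishedName
        foreach ($d in $mbx.GrantSendOnBehalfTo) {
            $r = Get-Recipient -Identity "$d"
            $dDomain = Get-DomainFromDN $r.DistinguishedName
            if ($dDomain -ne $mbxDomain) {
                [pscustomobject]@{
                    Mailbox        = $mbx.PrimarySmtpAddress
                    MailboxDomain  = $mbxDomain
                    Delegate       = $r.Name
                    DelegateDomain = $dDomain
                }
            }
        }
    }
```

The report from step 3 also serves as a periodic review of which accounts from the other tree can send on behalf of mailboxes in the forest root domain.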

User avatar
Support
Site Admin
Posts: 2373
Joined: Thu Apr 23, 2009 2:28 am

Re: Send on Behalf Of for user in Trusted Domain

Fri Jun 07, 2019 9:38 am

Hello Harry,

Sorry for the confusion. Could you please confirm that the values of the Forest name field in the properties of the domains registered in your Adaxes service are the same? To check the values:
  1. Launch Adaxes Administration Console.
  2. In the Console Tree, expand your Adaxes service node.
  3. Expand Active Directory section.
  4. Right-click the domain which should be checked.
  5. In the context menu, click Properties.
    [Screenshot: Domain.properties.png]
  6. On the General tab, check the value of the Forest name field.
    [Screenshot: Domain.properties.general.png]

HarryNew
Posts: 17
Joined: Mon Sep 04, 2017 12:37 am

Re: Send on Behalf Of for user in Trusted Domain

Wed Jun 12, 2019 7:40 am

Hello Support,

I just checked our system. We have two domains listed under "Active Directory" and they both show the same forest name in "Properties of..."

Maybe I should add that we are using Adaxes 2017.2 (Version 3.8.14823.0).

Regards
HarryNew

User avatar
Support
Site Admin
Posts: 2373
Joined: Thu Apr 23, 2009 2:28 am

Re: Send on Behalf Of for user in Trusted Domain

Fri Jun 14, 2019 6:21 am

Hello Harry,

Thank you for the clarification. We will try to reproduce the issue in our testing environment and will get back to you as soon as a solution is ready.

User avatar
Support
Site Admin
Posts: 2373
Joined: Thu Apr 23, 2009 2:28 am

Re: Send on Behalf Of for user in Trusted Domain

Wed Jun 19, 2019 7:40 am

Hello Harry,

Thank you for your patience. It looks like the tree-root-2 domain is not displayed because the logged-on user does not have the permissions to see it. By permissions here we mean those granted by Adaxes Security Roles, not native Active Directory permissions. For details, see https://www.adaxes.com/tutorials_Delega ... mUsers.htm.
To remedy the issue, you should grant the Allow Read All object types permission to the user over This Domain object and check if there are no Deny permissions. For information on how to view Security Roles assigned to a user, have a look at the following help article: https://www.adaxes.com/help/?HowDoI.Man ... forms.html.

IMPORTANT: Deny permissions always override the Allow ones.

HarryNew
Posts: 17
Joined: Mon Sep 04, 2017 12:37 am

Re: Send on Behalf Of for user in Trusted Domain

Fri Jun 21, 2019 7:21 am

Hello Support,

Thank you for your answer! I will read up on the links provided and check the settings.

Regards
HarryNew

HarryNew
Posts: 17
Joined: Mon Sep 04, 2017 12:37 am

Re: Send on Behalf Of for user in Trusted Domain

Thu Jun 27, 2019 7:57 am

Hello Support,

Since this seems to be a very broad permission I want to be on the safe side when setting it. Would it be possible to post one or two screenshots that demonstrate where to find the permission and what the resulting permission would look like?

Thank you again!
Regards
HarryNew

User avatar
Support2
Posts: 954
Joined: Mon Nov 14, 2016 4:03 am

Re: Send on Behalf Of for user in Trusted Domain

Thu Jun 27, 2019 8:31 am

Hello Harry,

As long as you need to grant the permissions to not only see the domain itself, but also specific objects located in it (users that will be set in the Send on Behalf permission), the Security Role you need will look like the following:
[Screenshot: Security.role.png]
In the dialog for adding the permissions, you need to select the type objects and then select the Read permission in the Allow column in the general permissions section.
[Screenshot: Permission.png]