0 votes

Hello,

we have a forest with two trees that hold one domain each. There is a default tree-root trust (transitive, two-way) between the top domains. Since both trees are in the same forest they share the same global catalog and schema. The relevant Exchange mailboxes and most users are held in the forest root domain (let's call it tree-root-1). Less than 5% of the users are held in the other tree-root domain (let's call it tree-root-2).

We configured a button in Adaxes to manage the "Send on behalf of" and "Full Access" properties in Exchange. We used the built-in functionality from Adaxes. The buttons work fine. There is just one problem: If we try to give a user from tree-root-2 "Send on Behalf of" permissions to a mailbox in tree-root-1 we fail, because the "Look-In" box in the web interface will not allow us to choose anything but tree-root-1 (the forest root domain). When using the "Full-Access" button the "Look-In" box allows us to choose between "Everywhere" and tree-root-1.

Please also see the two attached pictures.

Where can we configure the "Send on Behalf of" function to also use "Everywhere" in the Look-In box?

Thank you for your suggestions!
HarryNew

by (1.2k points)
0

Hello Harry,

The Send on behalf privilege can be granted only to the users located in a domain that has parent-child Trust Type with the domain of the user being updated. Unfortunately, there is no other possibility. This is an Exchange restriction, not Adaxes.

0

Hello Support,

thank you for your answer. I talked to our Exchange Admins and they do not agree with your answer. Using the Exchange GUIs they can give a user in Tree-root-2 "Send-On-Behalf" permissions to a mailbox in Tree-Root-1. So this is not an Exchange limitation.

In fact, as an AD administrator, I would not see why a tree-root-trust would be different from a parent-child-trust in this question. Both types of trusts connect domains within the same forest. The trusts are transitive and two-way. The only difference is that a separate tree-root allows the usage of a different naming scheme.

Do you have any other ideas why we cannot search for users in the other domain?

Regards
HarryNew

0

Hello Harry,

Sorry for the confusion. Could you please confirm that the values of the Forest name field in the properties of the domains registered in your Adaxes service are the same? To check the values:

  1. Launch Adaxes Administration Console.
  2. In the Console Tree, expand your Adaxes service node.
  3. Expand Active Directory section.
  4. Right-click the domain which should be checked.
  5. In the context menu, click Properties.
  6. On the General tab, check the value of the Forest name field.

0

Hello Support,

I just checked our system. We have two domains listed under "Active Directory" and they both show the same forest name in "Properties of..."

Maybe I should add that we are using Adaxes 2017.2 (Version 3.8.14823.0).

Regards
HarryNew

0

Hello Harry,

Thank you for the clarification. We will try to reproduce the issue in our testing environment and will get back to you as soon as a solution is ready.

1 Answer

0 votes
by (215k points)
selected by
Best answer

Hello Harry,

Thank you for your patience. It looks like the tree-root-2 domain is not displayed because the logged-on user does not have the permissions to see it. By permissions here we mean those granted by Adaxes Security Roles, not native Active Directory permissions. For details, see https://www.adaxes.com/tutorials_Delega ... mUsers.htm.
To remedy the issue, you should grant the Allow Read All object types permission to the user over This Domain object and check if there are no Deny permissions. For information on how to view Security Roles assigned to a user, have a look at the following help article: https://www.adaxes.com/help/?HowDoI.Man ... forms.html.

IMPORTANT: Deny permissions always override the Allow ones.

0

Hello Support,

thank you for your answer! I will read up on the links provided and check the settings.

Regards
HarryNew

0

Hello Support,

Since this seems to be a very broad permission I want to be on the safe side when setting it. Would it be possible to post one or two screenshots that demonstrate where to find the permission and what the resulting permission would look like?

Thank you again!
Regards
HarryNew

0

Hello Harry,

As long as you need to grant the permissions to not only see the domain itself, but also specific objects located in it (users that will be set in the Send on Behalf permission), the Security Role you need will look like the following:


In the dialog for adding the permissions, you need to select the type of objects and then select the Read permission in the Allow column in the general permissions section.
