0 votes

Hello,

we have a forest with two trees that hold one domain each. There is a default tree-root trust (transitive, two-way) between the top domains. Since both trees are in the same forest they share the same global catalog and schema. The relevant Exchange mailboxes and most users are held in the forest root domain (let's call it tree-root-1). Less than 5% of the users are held in the other tree-root domain (let's call it tree-root-2).

We configured a button in Adaxes to manage the "Send on behalf of" and "Full Access" properties in Exchange. We used the built-in functionality from Adaxes. The buttons work fine. There is just one problem: If we try to give a user from tree-root-2 "Send on Behalf of" permissions to a mailbox in tree-root-1 we fail, because the "Look-In" box in the web interface will not allow us to choose anything but tree-root-1 (the forest root domain). When using the "Full-Access" button the "Look-In" box allows us to choose between "Everywhere" and tree-root-1.

Please also see the two attached pictures.

Where can we configure the "Send on Behalf of" function to also use "Everywhere" in the Look-In box?

Thank you for your suggestions!
HarryNew

by (270 points)
0

Hello Harry,

The Send on behalf privilege can be granted only to the users located in a domain that has parent-child Trust Type with the domain of the user being updated. Unfortunately, there is no other possibility. This is an Exchange restriction, not Adaxes.

0

Hello Support,

Thank you for your answer. I talked to our Exchange Admins and they do not agree with your answer. Using the Exchange GUIs they can give a user in Tree-root-2 "Send-On-Behalf" permissions to a mailbox in Tree-Root-1. So this is not an Exchange limitation.

In fact, as an AD administrator, I would not see why a tree-root trust would be different from a parent-child trust in this question. Both types of trusts connect domains within the same forest. The trusts are transitive and two-way. The only difference is that a separate tree root allows the usage of a different naming scheme.

Do you have any other ideas why we cannot search for users in the other domain?

Regards
HarryNew

0

Hello Harry,

Sorry for the confusion. Could you, please, confirm that the values of the Forest name field in the properties of the domains registered in your Adaxes service are the same? To check the values:

  1. Launch Adaxes Administration Console.
  2. In the Console Tree, expand your Adaxes service node.
  3. Expand Active Directory section.
  4. Right-click the domain which should be checked.
  5. In the context menu, click Properties.
  6. On the General tab, check the value of the Forest name field.

0

Hello Support,

I just checked our system. We have two domains listed under "Active Directory" and they both show the same forest name in "Properties of..."

Maybe I should add that we are using Adaxes 2017.2 (Version 3.8.14823.0).

Regards
HarryNew

0

Hello Harry,

Thank you for the clarification. We will try to reproduce the issue in our testing environment and will get back to you as soon as a solution is ready.

1 Answer

0 votes
by (216k points)
selected by
Best answer

Hello Harry,

Thank you for your patience. It looks like the tree-root-2 domain is not displayed because the logged-on user does not have the permissions to see it. By permissions here we mean those granted by Adaxes Security Roles, not native Active Directory permissions. For details, see https://www.adaxes.com/tutorials_Delega ... mUsers.htm.
To remedy the issue, you should grant the Allow Read All object types permission to the user over the This Domain object and check that there are no Deny permissions. For information on how to view the Security Roles assigned to a user, have a look at the following help article: https://www.adaxes.com/help/?HowDoI.Man ... forms.html.

IMPORTANT: Deny permissions always override the Allow ones.

0

Hello Support,

Thank you for your answer! I will read up on the links provided and check the settings.

Regards
HarryNew

0

Hello Support,

Since this seems to be a very broad permission I want to be on the safe side when setting it. Would it be possible to post one or two screenshots that demonstrate where to find the permission and what the resulting permission would look like?

Thank you again!
Regards
HarryNew

0

Hello Harry,

As long as you need to grant the permissions to not only see the domain itself, but also specific objects located in it (the users that will be set in the Send on Behalf permission), the Security Role you need will look like the following:

In the dialog for adding the permissions, you need to select the object type and then select the Read permission in the Allow column in the general permissions section.
