Build Your Skills: Grant Send As and Send On Behalf privileges in Exchange 2000

Examine the differences between Send As and Send On Behalf permissions and learn how to grant them with Outlook and Exchange 2000 Server.

Most users have exclusive access to their Exchange Server mailboxes and are the only ones who can send mail through their accounts. In some situations, however, it's useful or necessary for one or more users to be able to send messages through another user's mailbox. Exchange 2000 and Outlook make it easy for you to set this up. I'll examine the differences between Send As and Send On Behalf permissions and show you how to grant them with Outlook and Exchange 2000 Server.

The difference between Send As and Send On Behalf
You can configure two permissions on an Exchange Server mailbox or folder that grant other users the ability to send mail through that mailbox. Each permission has a different purpose and effect on the outgoing message. When a user who has Send As permission in a mailbox sends a message through that mailbox, the From field shows the mailbox owner as the sender. For example, let's say that I send a message through the Support mailbox, which is a global mailbox for the Support department. The From field of the resulting message comes from the Display Name field of the account that owns the mailbox, which in this example I'll assume is Support. My name doesn't appear in the From field at all, and replies are directed to the Support e-mail address. The same is true if I grant a user Send As permission in a public folder. The user can send messages as that public folder, and the From field reflects the Display Name field and e-mail address of the public folder, not the sender.

Send On Behalf, also called delegate permission, works a bit differently. If I grant Send On Behalf permission in a mailbox or public folder to a given user, that delegated user can send messages on behalf of that mailbox or folder. The From field reads <user> on behalf of <owner>, where <user> is the user who sent the message, and <owner> is the mailbox owner (or public folder).

In Outlook, the From field in the Inbox message header shows the owner's name, but the InfoBar in the Preview pane and the From field in the message form itself show <user> on behalf of <owner>. If the recipient is using Outlook Express, however, that person doesn't see that the message was sent on behalf of the mailbox or folder owner. Instead, the message header in the Inbox and the Preview pane, as well as the message form itself, show the mailbox owner or folder as the sender, with no indication that the message was sent on behalf of someone else.

So, what's really going on? If you look at the message properties of a delegate-sent message from Outlook Express and click the Details tab, you'll see that the From field in the Internet headers is set to the mailbox owner or public folder. The Sender field is set to the delegate's name and address. In effect, Send On Behalf sets the Sender field for the message, and Send As does not. Therefore, what the recipient actually sees for the From field depends on how the intervening mail server and mail client treat the From and Sender fields.
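The From/Sender distinction described above can be checked directly from a message's Internet headers. The following Python sketch is an added example, not part of the original article: the sample messages, names, and addresses are constructed, and the function name classify is hypothetical. It reports the delegate when a Sender header differs from From, and shows what a client that honors Sender displays next to what a client that reads only From displays.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages; names and addresses are made up for illustration.
ON_BEHALF_MSG = """\
From: Support <support@example.com>
Sender: Jim Smith <jsmith@example.com>
To: customer@example.net
Subject: Your ticket

Sent by a delegate who holds Send On Behalf permission.
"""

SEND_AS_MSG = """\
From: Support <support@example.com>
To: customer@example.net
Subject: Your ticket

Sent with Send As permission (or by the mailbox owner).
"""


def classify(raw):
    """Classify a message by its From and Sender headers (hypothetical helper)."""
    msg = message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    sender_name, sender_addr = parseaddr(msg.get("Sender", ""))
    owner_label = from_name or from_addr

    # A Sender header that differs from From marks a delegate-sent message.
    # A Sender identical to From carries no delegation information.
    if sender_addr and sender_addr.lower() != from_addr.lower():
        delegate_label = sender_name or sender_addr
        return {
            "mode": "on-behalf",
            "delegate": sender_addr,
            "owner": from_addr,
            "sender_aware_view": f"{delegate_label} on behalf of {owner_label}",
            "from_only_view": owner_label,
        }

    # No usable Sender: headers alone cannot tell Send As from the owner.
    return {
        "mode": "owner-or-send-as",
        "delegate": None,
        "owner": from_addr,
        "sender_aware_view": owner_label,
        "from_only_view": owner_label,
    }


if __name__ == "__main__":
    for raw in (ON_BEHALF_MSG, SEND_AS_MSG):
        print(classify(raw))
```

Because a Send As message carries no Sender header, identifying who actually sent it has to come from server-side records rather than from the message itself.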

If you want a message to appear to Outlook users as if it were sent on behalf of someone else, grant the user Send On Behalf permission for the mailbox or public folder. If you want the message to appear to be from the mailbox owner or public folder, grant the user Send As permission. Keep in mind that if you grant both Send On Behalf and Send As permissions for a user in a given mailbox or public folder, the Send On Behalf permission is the one that affects what Outlook users see regarding the message sender—messages will appear to be sent on behalf of the mailbox owner or public folder, even though the user also has Send As permission.

What good are Send As and Send On Behalf?
If you don't use public folders in your organization and everyone has exclusive access to their mailboxes, Send As and Send On Behalf permissions are essentially useless to you, at least the way you're currently using Exchange Server. However, these permissions have some important uses.

For example, a manager might need to delegate access to his mailbox to an assistant so the assistant can schedule meetings, monitor and respond to e-mail, or manage the owner's mailbox in other ways. Or, let's assume your sales department wants to start sending out broadcast messages to customers and/or receive sales inquiries. You can set up a common mailbox called Sales and grant Send On Behalf or Send As permission to everyone in the sales department so they can send and receive messages through that mailbox. You could use a public folder instead of a mailbox, if you preferred. Using a public folder is a better option in situations where you want to simplify access to the messages. All users with the necessary permissions in the public folder can see them from Outlook without opening a separate mailbox.

Regardless of the reason for using these permissions, whether you grant Send As or Send On Behalf permission to a particular user or group depends on how you want the message received. If you want the recipient to see that the message has been sent by a delegate, use Send On Behalf. If you don't want the recipient to know that the message was sent by a delegate, use the Send As permission.

Grant and use Send As permission in Exchange 2000 Server
You use the Active Directory Users And Computers console to grant Send As permission for users in your Exchange 2000 Server organization. First, open the console and choose View | Advanced Features to turn on the display of advanced features in the console. Then, decide whether you will grant Send As permission using an account or a group. If using a group, create and populate the group.

Next, open the account of the user who owns the mailbox. In the user's account properties, click the Security tab. If the user or group is not already included in the Name list, click Add and add the user account or group. Back in the Security tab, select the user or group to which you want to grant Send As permission, then scroll through the Permissions list to locate Send As. Place a check in the Allow column for the Send As permission and click OK.

If you are granting Send As permission for a public folder, you have one additional step to take. You need to configure the folder's properties to display it in the Global Address List (GAL) so users can select it from their Address Book when addressing the message. Open the Exchange System Manager and expand the Public Folders branch to locate the public folder. Right-click the folder and choose Properties, then click the Exchange Advanced tab. Clear the Hide From Exchange Address Lists option and click OK.

Users will need to refresh their offline address books by performing a full Send/Receive on the Exchange Server account. In Outlook 2002, choosing Tools | Send/Receive | Download Address Book accomplishes the refresh. If you prefer not to list the public folder in the GAL, users can add the public folder address to their Contacts or Personal Address Book.

After the changes have propagated in the domain, the users to whom you granted Send As permission can start sending messages through the target mailbox or public folder. Open Outlook and open a new mail message. Choose View | From Field to display the From field in the message form. Click From and select the user or public folder, then select the recipient, add a subject and message body, and send the message on its way.

Grant Send On Behalf permission in Exchange 2000 Server
How you grant Send On Behalf permission depends on whether you're delegating a mailbox or a public folder. You can grant Send On Behalf permission for a mailbox with the Active Directory Users And Computers console, but with Outlook you can grant this permission only for a mailbox. You use the Exchange System Manager to grant Send On Behalf permission for a public folder.

To grant Send On Behalf permission using the Active Directory Users And Computers console, open the mailbox owner's account and click the Exchange General tab. Click Delivery Options, click Add, select the user, and click OK. Add other delegates as needed and close the account properties. If you need to configure additional delegate permissions for individual mailbox folders, you must use Outlook instead of the Active Directory Users And Computers console. Open Outlook with a profile that contains the Exchange Server mailbox on which you need to grant delegate access. Choose Tools | Options and click the Delegates tab. Click Add, select the user to whom you want to grant delegate access, click Add, and then click OK.

At this point, Outlook opens the Delegate Permissions dialog box for the selected user. You can configure permissions for each of the default Outlook folders. In this example, you would likely set the permissions for the Inbox to Author, which allows the user to read and create new items. Repeat the process to add other users as needed.

To grant Send On Behalf permission in a public folder, open the Exchange System Manager console and open the properties for the public folder. Click the Exchange General tab and then click Delivery Options to open the Delivery Options dialog box. Click Add, select the users, click OK, and then click OK again. Close the properties for the folder. The process for using Send On Behalf is essentially the same as that for the Send As permission. In Outlook, open a new message form and, with the From field displayed, click From and select the user or public folder on whose behalf you want to send the message. Finish composing and addressing the message and send it.

If a user has the necessary delegate permissions in a mailbox, the user can also open the mailbox and work with the folders and items in it based on his or her delegate permissions. To open another folder, open Outlook with your own profile and choose File | Open | Other User's Folder. Select the user and the folder, and click OK to open it in a new window. If you want to open an additional mailbox in its entirety, add the mailbox to your profile.

Open the properties for your Outlook profile and for the Exchange Server account, and click More Settings. Click the Advanced tab, click Add, and add the additional mailbox. Close the profile properties and restart Outlook. You should see the other mailbox under its own branch in the folder list. However, you'll have access only to those folders for which you have the necessary delegate permissions.

Granting Send On Behalf permission to a distribution list
You can grant delegate permissions to users individually, but if you're delegating permissions for an entire team or department, it's more efficient to grant permissions using a distribution list. You can then control delegate access by adding or removing users from the distribution list.

First, create the distribution list in the GAL. Create the distribution list from the Active Directory Users And Computers console, making sure to add an e-mail address for the distribution list so it will be included in the GAL. Then, add users to the distribution list as needed. These are the users you want to have Send On Behalf permissions in the mailbox.

Next, open Outlook and log on to the mailbox for which you need to grant delegate access. Choose Tools | Options and click the Delegates tab. Click Add, select the distribution list, click Add, and then click OK. The Delegate Permissions dialog box opens automatically. Configure permissions for the Inbox if you need to enable users in the list to view, create, or modify messages in the mailbox's Inbox. None of these permissions is needed to allow the list users to send outgoing messages.

A few potential problems
One problem you might experience after granting Send As and Send On Behalf permissions is that a particular user always ends up sending on behalf of the mailbox or public folder, even though he or she has Send As permission. The Send On Behalf permission in effect takes precedence because it sets the Sender field, which Outlook interprets as meaning the message was sent on behalf of the mailbox owner. If you don't want this behavior for the user, remove the user from the Delegates tab (which removes Send On Behalf permission). If you want a user to appear as the sender of a message without any mention of delegation, remove the user as a delegate.

Another potential problem can arise if you have multiple domains in your organization. A user (or you) might grant delegate access with Outlook to an Inbox, only to find that the delegated user doesn't show up in the Delivery Options tab of the mailbox owner's account properties. The crux of the matter is that you're using a Global Catalog (GC) server in a domain other than the one where your account resides. The items for your domain in that GC are read-only, which prevents you from changing properties.

You can overcome the problem by moving the mailbox to the same domain and/or by changing the GC used by Exchange Server. To achieve the latter, open the Exchange System Manager, right-click the server in question, and choose Properties. Clear the Automatically Discover Servers option, and then click Add to add a GC. Or, you can try changing the GC at the client. Change the following registry value to point to the desired GC:

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\<ProfileName>\dca740c8c042101ab4b908002b2fe182

You'll find more information about this issue in Microsoft TechNet article 329622.

Finally, users who access a mailbox with Outlook Web Access (OWA) do not gain write access to a mailbox even if you grant delegate permissions on a given folder to those users. You can give users the ability to send through another mailbox with OWA by assigning them as mailbox owners. Open the Active Directory Users And Computers console and display advanced features. Open the account properties for the mailbox owner, click the Exchange Advanced tab, and then click Mailbox Rights. Add the delegate user or group and grant Full Control.
