"Active Directory operation failed on " when assigning Send As permissions on a distribution group

I'm trying to give a mailbox user the Send As right for a distribution group, but the cmdlet comes back with this:

Get-DistributionGroup MyGroup | Add-ADPermission -user albert -ExtendedRights Send-As
Active Directory operation failed on <DC fqdn>. This error is not retriable. Additional information: Access is denied.
Active directory response: 00000005: SecErr: DSID-03151E07, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
    + CategoryInfo          : WriteError: (0:Int32) [Add-ADPermission], ADOperationException
    + FullyQualifiedErrorId : FE24751F,Microsoft.Exchange.Management.RecipientTasks.AddADPermission

What could be the problem, considering the items below:

- inheritance is not broken to the level of the distribution group object

- the account used to run the cmdlet is a member of the Organization Management group

- creating a new distribution group in the same OU and running the command works as expected; checking the permission for this group against MyGroup (using Get-DistributionGroup testgroup | Get-ADPermission | Sort-Object User,AccessRights | ft user,accessrights,extendedrights,properties) shows no differences.

- adding the permission using ADUC results in the user being able to Send As the group; however, I'm trying to find out the root cause of the PowerShell cmdlet execution problem

- there is no Deny permission on the group's ACL

- the group didn't have the "Hide Membership" feature of Exchange 2003 applied, so there shouldn't be any non-canonical ACL issues

