Hello everyone,
we are currently trying to find a way to configure Send-As permissions with Identity Manager. The problem is that there seems to be no integrated functionality to give an AD security group the Send-As permission, which would make it more governable for the customer and keep it to their current configuration standard.
Using mail-enabled security groups or distribution groups also does not apply to their configuration standard and is therefore not to be considered.
Currently I have a process which creates the account, shared mailbox and security group. It then waits for the existence of the objects in the target system and lastly executes a PowerShell function to edit the Access Control Lists of the objects. I've added the script at the bottom of the post. Sadly this is not working in the "Create new ACE for Send As Permission" section and seems to have issues with the constructors of the PowerShell method "ActiveDirectoryAccessRule". Has anyone ever solved this problem before or used a similar method for this specific use case?
Thank you in advance for your help.
The current script:
Dim theScript As New StringBuilder()
Dim mailboxdn As String = String.Format("CN={0},OU=[Customer OU],DC=[customer domain]", values("SharedMailboxID"))
Dim groupname As String = "Mail_Teammailbox_-" & $CCC_FullName$
theScript.AppendLine(String.Format(<![CDATA[
# Definition of Variables
$$Identity = "{0}"
$$Trustee = "{1}"
# Get ACL of Mailbox
$$ADObject = Get-ADObject -Identity $$Identity
$$ACL = Get-ACL "AD:$$($$ADObject.DistinguishedName)"
# Create new ACE for Send As Permission
$$ACE = New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
    (New-Object System.Security.Principal.NTAccount($$Trustee),
    "ExtendedRight",
    "Allow",
    [Guid]"ab721a54-1e2f-11d0-9819-00aa0040529b" # GUID for Send As Permission
    )
# Add ACE and write ACL
$$ACL.AddAccessRule($$ACE)
Set-ACL -ACLObject $$ACL -Path "AD:$$($$ADObject.DistinguishedName)"
]]>.Value, mailboxdn, groupname))
Value = theScript.ToString()
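
Added example, not part of the original post and not One Identity code: one way to build the Send As ACE in plain PowerShell, passing the four constructor arguments (identity, rights, access type, object GUID) as a single argument list and skipping the write when the ACE already exists. It assumes the ActiveDirectory module is available, that the group can be resolved by Get-ADGroup from the name given, and it resolves the group to its SID instead of using NTAccount; the function name Grant-SendAsToGroup is hypothetical. Inside the Identity Manager script each $ would be doubled, as in the script above.

```powershell
# Added example (not from the original post). The ActiveDirectory module
# provides Get-ADGroup and the AD: drive used by Get-Acl / Set-Acl.
Import-Module ActiveDirectory

# Extended-right GUID for Send As, taken from the script in the post.
$SendAsGuid = [Guid]'ab721a54-1e2f-11d0-9819-00aa0040529b'

function Grant-SendAsToGroup {    # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string] $MailboxDN,  # DN of the mailbox's AD object
        [Parameter(Mandatory)] [string] $GroupName   # assumed resolvable by Get-ADGroup
    )

    # Resolve the group to its SID so the ACE does not rely on name translation.
    $sid  = (Get-ADGroup -Identity $GroupName).SID
    $path = "AD:\$MailboxDN"
    $acl  = Get-Acl -Path $path

    # Idempotence check: look for an explicit Allow ACE for Send As held by this SID.
    $existing = $acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object {
            $_.IdentityReference.Value -eq $sid.Value -and
            $_.ObjectType -eq $SendAsGuid -and
            $_.AccessControlType -eq 'Allow' -and
            ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)
        }
    if ($existing) { return $false }    # nothing to change

    # Constructor overload used here:
    # (IdentityReference, ActiveDirectoryRights, AccessControlType, Guid objectType)
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $SendAsGuid
    )

    $acl.AddAccessRule($ace)
    Set-Acl -Path $path -AclObject $acl
    return $true                        # ACE was added
}
```

The function returns $true when it wrote a new ACE and $false when the group already held Send As on the object, so a calling process can log which mailboxes were actually changed.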