This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(188.79999999999998, 36%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EM%3C/text%3E%3C/svg%3E)
For a particular user/mailbox an account can be added to the Send As Permission however that account periodically disappears from the field and the Send As permission contains no entries.
This permission has been added several times through the Exchange 2016 - Exchange Admin Center (EAC). This permission will stick for what seems randomly minutes, hours and even weeks more recently. However it seems to remove itself periodically. It has stayed applied across server reboots and updates. But periodically the permission is no longer applied. An attempt to add via Exchange Management Shell using the Get-Mailbox "userMailbox" | Add-ADPermission - User "mailboxWithAccess" -ExtendedRights "Send As" as has not stayed applied.
The permission is not being applied through a group but by directly adding a user. The user being added to the Send as permission has a different email domain but both are part of the same Active Directory Domain. There have been send as permissions applied the same way though EAC to different mailboxes and so far none of those mailboxes have had the Send As Permission disappear.
The affected user will receive a message in outlook when sending on behalf "This message could not be sent. You do not have the permission to send the message on behalf of the specified user." and then it is noted the permission is once again missing.
Thank you for your assistance.
Is the account associated with this mailbox in an elevated group or was at one time?
https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-c--protected-accounts-and-groups-in-active-directory
If so that is expected:
If so, remove that account from all elevated domain groups and clear the admin count:
Set-AdUser -Identity <user> -Clear adminCount
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(300.8, 20%, 39%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAX%3C/text%3E%3C/svg%3E)
Hi @MTMP ,
If the account in a protected group, it’s normal behavior.
"AdminSDHolder" checking for changes every hour on protected users and groups.
You could get more details about AdminSDHolder from this document.
You need to romove the user from the administrator group.
Here’s also a similar case for you reference.
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Hi, @MTMP ,
It's been a while, is there any update?
If the issue has been resolved, please mark the helpful replies as answers, this will make answer searching in the forum easier and be beneficial to other community members as well.
Hi @MTMP ,
Do the suggestions above help?
If the issue has been resolved, please click “Accept as answer” to mark the helpful reply as an answer, this will make answer searching in the forum easier and be beneficial to other community members as well.
Thanks!