Delegates Cannot Activate Send-on-Behalf-of-List 13 comments

The delegates settings were not saved correctly. Cannot activate send-on-behalf-of-list. You do not have sufficient permission to perform this operation on this object.

Role Based Access Control was introduced by Microsoft in Exchange 2010. Within Exchange 2013 Microsoft prolonged this feature for a good reason. It simplifies assigning permissions for users in the email environment. Assign a role or permission to the Exchange policy where users are a member of and these users receive the new permissions they need to do their job, for example:

  • Edit distribution lists
  • Edit delegate permissions

At a customer site who migrated from Exchange 2007 to Exchange 2013, users that owned a shared mailbox could no longer set delegate permissions.

Deletegates Cannot Activate Send-on-Behalf-of-List

Deletegates Cannot Activate Send-on-Behalf-of-List

The issue was solved by delegating the RBAC role “MyMailboxDelegation” to the “Default Role Assignment Policy”, this policy was used by all users. Next I applied the correct AD permission to the shared mailbox to actually grant a specific user the permissions to set the Send-On-Behalf-Of permission on the shared mailbox. Follow the below steps:

1. Check if the new role is delegated to the Organization Management Role group if the assignment is there and the type is “DelegatingOrgWide”. To do this run the following command:

Get-ManagementRoleAssignment -Role MyMailboxDelegation | fl name,RoleAssignmentDelegationType

2. If the “delegation” assignment is available proceed by assigning it to your appropriate “Role Assignment Policy”, by running the following command:

New-ManagementRoleAssignment -Name ‘Mymailboxdelegation-Default Role Assignment policy’ -Role “Mymailboxdelegation” -Policy “Default Role Assignment Policy

3. Now the mailbox manager must be granted Active Directory permissions to write “Personal-Information” on the shared mailbox, so that the “publicDelegate” attribute could be changed:

Add-ADPermission “Delegated Mailbox” -User “UserwithFullMailboxAccess” -AccessRights WriteProperty -Properties Personal-Information

4. The mailbox owner is now able to configure the calendar delegation without any error messages.

Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

13 thoughts on “Delegates Cannot Activate Send-on-Behalf-of-List

  • Maurice

    Unfortunately this does not seem to work in a forest with a greenfield Exchange 2013 install. The role MyMailboxDelegation is not created by the Exchange setup in this case. Any clues how this could be implemented in a greenfield Exchange 2013 install?

    • Berry Roemgens Post author

      A greenfield installation of Exchange 2013 basically means a first/new/initial installation of Exchange 2013. No previous versions of Exchange are present in the Active Directory domain.

      RBAC, or Role Based Access Control is part of Exchange 2013, when prepping your AD for the introduction of Exchange. So from this point of view it should be possible. Please review this webpage:

      If I have some spare time, I will test a greenfield setup in my lab. In the meantime, if you found the issue, please let me know the solution.

      • Maurice

        Thanks for your answer. I did some more testing and found out that if you have installed Exchange 2013 in an existing Exchange 2010 forest, the “MyMailboxDelegation” role is available. But if you start with an empty forest, the role is not available (which is kind of annoying if you want to implement the fix as described).

        • Berry Roemgens Post author

          Upgrading in an existing prepared forest of previous version could be, why the roles are correctly registered in the situations that I have been in. Have you registered the RBAC roles correctly?

          Alternatively you can create a custom RBAC role, register the role via PowerShell and add the role to the correct policy users are receiving (usually Default Role Assignment Policy).

  • wiggle salomon

    Just wish to say your article is as amazing. The clarity in your post is just excellent and i could assume you are an expert on this subject. Well with your permission allow me to grab your RSS feed to keep updated with forthcoming post. Thanks a million and please carry on the enjoyable work.

  • IrvinFWillow

    Great blog! Will be your theme tailor made or do you download it
    from somewhere? A theme like yours by incorporating simple adjustements would actually make my blog jump out.
    Please let me know where you got your design. Appreciate it

  • GitaUErtel

    My brother suggested I would possibly like this website.
    He was entirely right. This submit truly made my day.
    You can not consider simply how a lot time I had spent for this info!
    Thank you!