In some Exchange 2010 environments it is desirable to allow users to send email on behalf of a distribution group. However unlike for mailboxes, the Exchange Management Console doesn’t provide an option to grant this permission.

Note: this tutorial is for “send on behalf” permissions. If you’re looking for “send as” permissions go here instead.

To enable send on behalf permissions for a distribution group you need to use the Exchange Management Shell.  Launch the shell and use the Set-DistributionGroup command to set the permissions, for example:

Set-DistributionGroup "Sales Team" -GrantSendOnBehalfTo alan.reid

Alan Reid can now use the From field in an Outlook message to send on behalf of the Sales Team group.

Exchange 2010: How to Grant Send on Behalf Permissions for a Distribution Group
Sending on Behalf of a Distribution Group

This is what the message will look like for the recipient.

Exchange 2010: How to Grant Send on Behalf Permissions for a Distribution Group
A message sent on behalf of a distribution group

If they reply to the message it will go to the Sales Team distribution group, not the individual sender.

Exchange 2010: How to Grant Send on Behalf Permissions for a Distribution Group
Replies go to the distribution group, not the individual sender

Alternatively you can grant the send on behalf permission to all members of the group, which can save on administrative effort over time if all group members should be allowed to send of behalf of the group they are in.

Set-DistributionGroup "Sales Team" -GrantSendOnBehalfTo "Sales Team"

Adding Additional Users or Groups to Send on Behalf Permissions

It is important to realise though that this setting is easy to overwrite if you try to add another user or group when there is already one that has been granted send on behalf permissions.

To demonstrate, here is the distribution group with the Sales Team granted send of behalf permissions.

[PS] C:\>Get-DistributionGroup "Sales Team" | fl name,grant*

Name                : Sales Team
GrantSendOnBehalfTo : {exchangeserverpro.net/Company/Groups/Sales Team}

Now if I use the same command as shown earlier to grant another group send on behalf permissions, it overwrites the existing setting instead of appending it.

[PS] C:\>Set-DistributionGroup "Sales Team" -GrantSendOnBehalfTo "Branch Office Team"

[PS] C:\>Get-DistributionGroup "Sales Team" | fl name,grant*

Name                : Sales Team
GrantSendOnBehalfTo : {exchangeserverpro.net/Company/Groups/Branch Office Team}

Instead we need to use a different method to add additional users or groups to the send on behalf permissions.

First, read the existing settings into a variable.

[PS] C:\>$a = Get-DistributionGroup "Sales Team"

Next, read the new group into a second variable.

[PS] C:\>$b = Get-DistributionGroup "Branch Office Team"

If you were adding an individual user you would just use Get-User instead of Get-DistributionGroup.

Then, append the distinguished name of the second group into the GrantSendOnBehalfTo value from the first group.

[PS] C:\>$a.GrantSendOnBehalfTo += $b.DistinguishedName

Finally, set the new value on the first group.

[PS] C:\>Set-DistributionGroup "Sales Team" -GrantSendOnBehalfTo $a.GrantSendOnBehalfTo

You can see now that both the Sales Team and Branch Office Team now have send on behalf permissions to the Sales Team distribution group.

[PS] C:\>Get-DistributionGroup "Sales Team" | fl name,grant*

Name                : Sales Team
GrantSendOnBehalfTo : {exchangeserverpro.net/Company/Groups/Sales Team,
exchangeserverpro.net/Company/Groups/Branch Office Team}

Removing Users or Groups from Send on Behalf Permissions

To remove one of the users or groups from having send on behalf permissions we use a similar process as we used to add them.

First, read the current setting into a variable.

[PS] C:\>$a = Get-DistributionGroup "Sales Team"

You can now see the distinguished names of the users or groups that currently have permissions.

[PS] C:\>$a.GrantSendOnBehalfTo | fl distinguishedname

DistinguishedName : CN=Sales Team,OU=Groups,OU=Company,DC=exchangeserverpro,DC=net

DistinguishedName : CN=Branch Office Team,OU=Groups,OU=Company,DC=exchangeserverpro,DC=net

Remove the one that you don’t want any more.

[PS] C:\>$a.GrantSendOnBehalfTo -= "CN=Branch Office Team,OU=Groups,OU=Company,DC=exchangeserverpro,DC=net"

Now apply the new setting to the distribution group.

[PS] C:\>Set-DistributionGroup "Sales Team" -GrantSendOnBehalfTo $a.GrantSendOnBehalfTo

You can see that the Branch Office Team has been removed from the send on behalf permissions.

[PS] C:\>Get-DistributionGroup "Sales Team" | fl name,grant*

Name                : Sales Team
GrantSendOnBehalfTo : {exchangeserverpro.net/Company/Groups/Sales Team}

Finally, if you want to remove all send on behalf permissions from a group you can run this command.

[PS] C:\>Set-DistributionGroup "Sales Team" -GrantSendOnBehalfTo $null

[PS] C:\>Get-DistributionGroup "Sales Team" | fl name,grant*

Name                : Sales Team
GrantSendOnBehalfTo : {}

About the Author

Paul Cunningham

Paul is a former Microsoft MVP for Office Apps and Services. He works as a consultant, writer, and trainer specializing in Office 365 and Exchange Server. Paul no longer writes for Practical365.com.

Comments

  1. Muhammad Farrukh

    Hi there
    Can i send email as “send as” in dynamic distribution list office 365.

  2. jacksoncooper

    Thanks for sharing this informative post. Are you the one who wants to know how to fix Kindle paperwhite won’t sync? Then you have opened the right page. For further details check the website Ebook Helpline and we are available 24/7 to offer you the best services.

  3. cherimoe

    Hi Paul,

    I have applied the settings and emails are sent successfully. My issues is that internal emails show “sent on behalf of” but emails to external show the “dl name” NOT “sent on behlf of”?
    How to fix?

  4. cherimoe

    Hi Paul,

    I have applied the settings and emails are sent successfully. My issues is that internal emails show “sent on behalf of” but emails to external show the “dl name” NOT “sent on behlf of”?
    How to fix?

  5. Stylianos Thoma

    Hi Paul,

    Is their any way to give GrantSendOnBehalfTo permissions to a Mail Contact?

    We are using Exchange Server 2010

    Thank you,

  6. Hisham Mezher

    Good Day Paul,

    I want your help with this issue you are discussing here:

    I have a shared mailbox on exchange 2013 CU9 and I want to create send on behalf for like 5 users for it. After I gave them full access to the mailbox and went to outlook 2010 client I added a new email (the shared mailbox) for each user which authenticated using each his/her AD password. The connection is fine and the user can see the messages but he/she couldnt send emails. SO I had to add the send as (using the ecp) and now they can send emails.

    The problem is that their manager needs to know who sent the email and he wants “send on behalf” to work.

    can you help me in this situation.

    Appreciate it.

    Thanks Paul.

    Regards;
    Hisham

  7. Fernando

    Hi Paul. Great article, thanks!
    I have a little question which I’m not able to understand. Is there a way for listing all the universal distribution groups which already have the extended rights?

    I can’t figure it out yet. I’m using Get-ADPermission | Where {$_.ExtendedRights} | Select User,Rights | ft -auto, but it keeps me asking for “identity” parameter and I’d like query to search for them all.

    Thanks!

  8. brian

    i want to say thank you!! this page helped me lots!

    one question is when someone sends, it shows it comes from the group as it should, but doesn’t show on behalf of in the email subject . this is exchange 2007sp3 (sbs2008)

    when i use the command Get-DistributionGroup “Sales” | fl name,grant*

    it returns
    Name : Sales
    GrantSendOnBehalfTo : {mydomain.local/MyBusiness/Distribution Groups/Sales}

    any ideas?

  9. John D

    Still helping folks years later. Thanks for the article. works great, had to set permissions for multiple users, just put all users in the command line, as each time you run it, it changes to the last users that were input. You can add several users at a time, separated by commas. Thanks again!

  10. Grzegorz

    I had problems with owners unable to edit distribution list they own on 2010 envirnoment migrated from 2003. The issue was that user was member of “legacy” non-universal security / distribution groups
    Posh code to fix this issue – converts all groups the user is member of to universal (requires AD module loaded)
    $user = Get-Mailbox -Identity user
    $getmembership = Get-ADUser user -Properties MemberOf | Select -ExpandProperty memberof
    foreach ($group in $getmembership) { Set-Group -Identity $group -Universal
    }

  11. ARVIND

    I was trying to assign send on behalf permission to a AD security group on behalf of a user mailbox in EMC, but unable to find the group, It is showing only user mailbox, not showing any of the AD group, But when I was trying to add send as permission, it was showing all the AD group as well as user mailbox.

    Any help is appreciated.

    Thanks
    Arvind Kumar Singh

  12. ARVIND

    Can i assign SendOnBehalf Permission to a security group created in AD for a user mailbox in EMC 2007. If i can, then which type of group it must be i.e. universal or global.

  13. Vince

    Paul, thanks for the great tutorial. I found that I could not send and would get an error: “…do not have send on behalf permissions”, even after setting a distro group permission via powershell command.

    Had to go to the disto group and add a check mark next to “Send as” in the distro group security for the users in the group.

    Thought I read somewhere that setting a mailbox with both “Send as” and “Send on behalf of” will not work.
    Had to choose one. Although it works, is it safe to do what I have done by setting both “Send as” in security and having set “Send on behalf permissions”?

    Thanks,

    Vince

  14. Imran

    Following is the header for a message which is received by recipient with from string as
    on behalf of while sending i set In-Reply-To: g.h@abc.com
    SO now my expectation is when user do reply all/reply then in message to field d.b@abc.com should automatically gets populated. But its not happening. Please help on this.

    Header:

    Received: () by
    with mapi id
    14.03.0169.001; Wed, 12 Mar 2014 06:27:03 +0000
    Content-Type: application/ms-tnef; name=”winmail.dat”
    Content-Transfer-Encoding: binary
    From: “a, b”
    To: “x, y”
    Subject: Testing Streaming Notification on 26 Sep 2012
    Thread-Topic: Testing Streaming Notification on 26 Sep 2012
    Thread-Index: Ac89vBTU5R/5FWz+QJii9IxnJVpIsA==
    Sender: “d, e”
    Date: Wed, 12 Mar 2014 06:27:02 +0000
    Message-ID:
    In-Reply-To:
    g.h@abc.com
    Accept-Language: en-US
    Content-Language: en-US
    X-MS-Has-Attach:
    X-MS-Exchange-Organization-SCL: -1
    X-MS-TNEF-Correlator:
    MIME-Version: 1.0
    X-MS-Exchange-Organization-AuthSource:
    X-MS-Exchange-Organization-AuthAs: Internal
    X-MS-Exchange-Organization-AuthMechanism: 04
    X-Originating-IP: []
    X-MS-Exchange-Organization-AVStamp-Mailbox: MSFTFF;1;0;0 0 0

  15. Imran

    As per the string “Alan Reid on behalf of sales team”, my requirement is to get reply back on individual account, here in this case on Alan Reid. Is this possible?
    If yes then how?

      1. MR

        I wanted to say on 2 accounts that that is not strictly true. The pro–viso is that the reply to is the address exists as an object in Exchange and AD and only the primary SMTP address is for that object; objects with multiple aliases and proxies don’t work such as in the way Lotus Domino allows this. Alias addresses are proxy addresses that can only be received mail for rather than sent mail from.

  16. Jeya kumar

    HI ,

    I have a legal department . PA will use her shared mail box and will send mail on behalf of lawyer.
    My environment is Exchange 2010 Sp3 and Windows 2008 R2. as per settings i gave full permission to PA and enabled the on behalf .
    PA choosing FROM mail from GAL ,Still clients getting email from PA’s email and sent items staying in PA’s sent item … Is there any way to resolve this PAUL ?

    1. Avatar photo

      That doesn’t sound right. If you’ve set it up correctly and they are using Outlook correctly to send on behalf them the recipient should see “Person A on behalf of Person B”. Have you had them send you an email as a test so you can verify exactly what the recipients are seeing?

      The sent items behaviour for send-as/send-on-behalf is customizable:

      http://technet.microsoft.com/en-us/library/jj884078(v=exchg.141).aspx

  17. Marcel

    How come you ALWAYS publish articles for the right topics?

    Thanks, Paul.

  18. Fadi Hamdan

    Hi,
    I have 90 functional Mailbox and 5 users
    i need to give the 5 users send on behalf without overwriting the existing users
    i put the 90 functional Mailbox in csv file and tried to do your example but i get an error
    this is what i have done:

    Import-csv C:new.csv | foreach {$a=Get-Mailbox $_.Mailbox}
    Import-csv C:new.csv | foreach {$b=Get-Mailbox $_.Users}
    $a.GrantSendOnBehalfTo += $b.DistinguishedName
    Import-csv C:new.csv | foreach {Set-Mailbox $_.Mailbox –GrantSendOnBehalfTo a.GrantSendOnBehalfTo}

  19. Brian

    What would be the command to give a user access to manager calendar/mailbox without setting up a separate forward. I don’t want user to have full control?

  20. rorrim180

    Paul,

    Thanks for the great guides. I have a list of users in a text file that I want to give send on behalf of rights to another mailbox. What command do I use to get powershell to reference the text file?

    set-mailbox -identity USERNAME -GrantSendOnBehalfTo ???

    I tried just referencing “c:filename.txt” but powershell can’t find it.

    Your help is much appreciated.

    Thanks!

      1. rorrim180

        Paul,

        Thanks for the quick reply. I did as you suggested but I’m still running into an error when executing the command below. I’m pretty sure that I’m not interpreting what you replied with correctly.

        set-mailbox -identity USERNAME -GrantSendOnBehalfTo get-content c:filename.txt

        A positional parameter cannot be found that accepts argument ‘c:filename.txt’.
        + CategoryInfo : InvalidArgument: (:) [Set-Mailbox], ParameterBindingException
        + FullyQualifiedErrorId : PositionalParameterNotFound,Set-Mailbox

        Just to note, the below works fine for individual users:

        set-mailbox -identity USERNAME -GrantSendOnBehalfTo USERNAME

        Thanks again!

  21. Kashif Akram

    Hi,

    I am experiencing a problem that all users of exchange 2010 are able to send email on behalf of everyother user. I have restarted hub/cas and mailbox server still unable to fix it. any advise.

    regards,

    Kashif

  22. Yuriy K.

    Hello, Paul:

    One of my users is trying to grant the SendOnBehalfOf permission through Outlook, but getting the “You don’t have sufficient permission…” error. Does the user have to have special permission assigned to be able to do this?

    Your assistance will be greatly appreciated.

    YK

  23. Brecht

    Hi Paul

    Thanks for this great resource of knowledge! I see that you are talking about a Distribution Group in your examples. But is this also possible with a ‘Global Security Group’ or a ‘Universal Security Group’?

    Thank you very much for your feedback 🙂

    1. Avatar photo

      A “Distribution Group” in Exchange terminology means a mail-enabled group.

      In Active Directory a “Distribution Group” is not necessarily mail-enabled.

      So for the context of this article, assume “Distribution Group” means mail-enabled group in Exchange. That means it must be a Universal group.

      If you want to grant a *group* the permissions to send on behalf of a mailbox or distribution group, it must be a Universal Security Group to begin with, whether it is mail-enabled or not. The steps for granting a group the permissions to send on behalf of another group are demonstrated in the article.

  24. Hufton

    Hi,

    I have done this for individual mailboxes, Using Set-Mailbox instead, but I cant seem to do it for Multiple Users, Is there a way to do it for More than one user, without using a distribution group?

      1. mstenbrg

        When I try to use the steps above to grant multiple users by substituting Get-DistributionGroup with Get-User

        Get-DistributionGroup IT | fl name,grant*

        $a = Get-User “John Smith
        $b = Get-User “Joe Smith”

        When I run the command:

        $a.GrantSendOnBehalfTo += $b.DistinguishedName

        I receive this error:

        Property ‘GrantSendOnBehalfTo’ cannot be found on this object; make sure it exists and is settable.

        If I do the same with groups it works fine.

  25. Flesz

    good job, thanks

  26. Loc Banh

    Hi Paul,

    I’ve followed the steps and it works, but the sent email does not show “Loc Banh on Behalf of ”
    It just shows the .

    Is there something I did wrong or is there something else that needs to be done?

    Thanks,

    Loc Banh.

  27. Nelson

    Hi,

    This is my situation : I have to add a mail enabled security group under the usersmailbox “send on behalf”
    Please help me.
    I tried running
    set-mailbox usermailbox@domain.com -grant sendonbehalfto securitygroup@domain.com

    It failed stating unable to find the obect – which is true because its not a user mailbox.

    is there any way I could add the security group now to a send on behalf of a user mailbox.

    Please do the needful..

  28. Amanda Debler

    I am learning Exchange, and have found your articles helpful. Thanks!

    Like everything in PowerShell, there’s more than one way to do it… here’s a more-succinct way that uses hash tables and only relies on you knowing the NT Account Names for the mailbox users you want to grant this to:

    Set-DistributionGroup “Sales Team” -GrantSendOnBehalfTo @{add=’domainAjonestom’,’domainBsmithjane’}

    Removing a trustee works the same way:

    Set-DistributionGroup “Sales Team” -GrantSendOnBehalfTo @{remove=’domainAjonestom’}

    Link to my post with more details, along with a handy cmdlet to hand your help desk:

    http://arsdears.wordpress.com/2013/01/23/modifying-grantsendonbehalfto-without-tears/

  29. David

    Paul, what happen if I give a user send on behalf AND send as permission to a distribution group? I mean can he select send as or send on behalf as he wish when using his Outlook 2010? My test show always send as.

    Thanks.

    David

      1. BK

        Hi, can you tell me how to remove the sendas and change to grantsendonbehalfto cleanly? We’re finding some grantsendonbehalfto permissions granted during our migrations and we were giving sendas. I want to change them now to grantsendonbehalfto instead. Also, if you use the group and add a new member to the group, will they inherit these permissions automatically?

  30. Brad

    Hello,
    I am getting an error when trying to add a Group to the Distribution list.
    I get the same error using the CN= etc. and just “Assessment”

    Assessment is a Universal Group, it is also the distribution group. ([PS] C:Windowssystem32>Enable-DistributionGroup -Identity “Domain.local/Domain Groups/Assessment”)

    –Command–
    [PS] C:Windowssystem32>Set-DistributionGroup “Assessment” -GrantSendOnBehalfTo
    “Domain.LOCAL/Domain Groups/Assessment”

    –Error–
    Object “Domain.LOCAL/Domain Groups/Assessment” could not be found. Please make sure that it was spelled correctly or specify a different object. Reason: Domain.LOCAL/Domain Groups/Assessment is not a mailbox user or mail-enabled user.
    At line:1 char:1
    + <<<< Set-DistributionGroup "Assessment" -GrantSendOnBehalfTo 'Domain.LOC
    AL/Domain Groups/Assessment'
    + CategoryInfo : NotSpecified: (:) [], ManagementObjectNotFoundException
    + FullyQualifiedErrorId : A411CAA1

      1. Brad

        Not very long…come on now…wait, are you kidding! INSTANT GRATIFICATION…gezz, what kind of IT guy are you!!??!

        Thanks Paul, I will try it again.

      2. Brad

        Same Error.

        Also note that Assessment is a Security Group.

  31. Craig

    Thanks very much Paul, great article. The information on removing the permissions was especially useful.

  32. Vijay Ramshetty

    Hi Paul,

    Thanks a lot for detailed article on this. It helped me a lot.

  33. Gary

    Can we remove the “Sent on behalf of” user name in the Outlook From address when doing this with a distribution group as we can with granting the right to a mailbox?

  34. Puzzled

    Thanks a lot for the detailed info.

    Is it me or wasn’t powershell suppose to be a “easy” method of administrating Exchange. Seems like a awful lot of convoluted work to achieve something rather simple like and removing and adding users/groups from what should be a simple list.

    1. Avatar photo

      “Easy” is a bit subjective, but sure, I think its easy. Definitely a lot easier than editing ACLs via ADUC or ADSIEdit.

      This article goes into some detail for the sake of demonstration and clarity. In the real world most people would just grant the permissions once, to a group, and then use that group’s membership to control who can and can’t send on behalf.

      That way you only do the PowerShell part once.

  35. Tunde

    Thanks for the reply, Paul.
    I eventually got around it by changing my code to below:
    $Owner = Read-Host “Type in valid email address or alias of the owner’s mailbox”
    $User = Read-Host “Type in valid email address or alias of the user whose SEND-ON-BEHALF rights you want to remove”

    $OwnerMailbox = Get-Mailbox $Owner
    $UserMailbox = Get-Mailbox $User
    $OwnerMailbox.GrantSendOnBehalfTo.Remove($UserMailbox.Identity)
    Set-Mailbox $Owner -GrantSendOnBehalfTo $OwnerMailbox.GrantSendOnBehalfTo

  36. Tunde

    Hi Paul,
    I’m a big fan of your blog. Great job.
    How did you get
    $a.GrantSendOnBehalfTo -= “CN=Branch Office Team,OU=Groups,OU=Company,DC=exchangeserverpro,DC=net” to work?
    I followed the same procedure to remove a user from GrantSendOnBehalfTo property but I kept getting this error:
    Method invocation failed because [System.Collections.ArrayList] doesn’t contain a method named ‘op_Subtraction

    This is my script
    $Owner = Read-Host “Type in valid email address or alias of the owner’s mailbox”
    $User = Read-Host “Type in valid email address or alias of the user whose SEND-ON-BEHALF rights you want to remove”
    $OwnerMailbox = Get-Mailbox $Owner
    $UserMailbox = Get-Mailbox $User
    $OwnerMailbox.GrantSendOnBehalfTo -= $UserMailbox.DistinguishedName
    Set-Mailbox $Owner -GrantSendOnBehalfTo $OwnerMailbox.GrantSendOnBehalfTo

    Any help is appreciated

    Thanks

  37. Ashish Shivhare

    hi,
    i am facing one issue related to onbehalf .User have all the permition to sent mail onbehalf of mails and mails are sending properly but there is one big issue . if mail sending onbelhalf on single id so it is delivered but same mails are sending lot of id apporx 500 email ids than it is not delivered .

    if you have any solution so pls let me know ..

    my contact number 8878096096
    email id – ashish.shivhare5@vodafone.com

  38. mark

    Hi, i have tried the above and there where no errors during the commands, but i still get the error that the users are not able to send on behalf. my distribution group is a universal security group, and the users have all been added to it as member. in the management console i have set each users send as permissions for the group and did the above shell commands. do i need to restart exchange or something after the commands?

      1. Sergiy

        Hello just curious – what will not work “Send As..” or “Send on behalf of…” or both?

  39. A Lee

    Thanks for that, I’ve been struggling with that for a few days and didn’t realize that the first line (Set-DistributionGroup “group” -GrantSendOnBehalfTo “user”) overwrote the whole thing!!

  40. Paul Taylor

    Are mailbox size limits enforced for ‘send on behalf’?

      1. Susan Verwer

        When i put the following line -BypassSecurityGroupManagerCheck after Set-DistributionGroup “Sales Team” -GrantSendOnBehalfTo “Sales Team” i did not get the error message!

        So i thought that the problem is solved, but now in Outlook the employes get the following warning:

        you’re not authorized to send on behalf of.

        I don’t get it!

        What else can it be?

      2. Susan Verwer

        I’ve missed a command at the end of the line

        -BypassSecurityGroupManagerCheck

        Now they are able to send on behalf of…

        Problem solved!

  41. Susan Verwer

    We’ve just migrated from 2003 to 2010, so maybe that’s the problem, that i don’t have enough rights!
    Problem is that i don’t know where to look 🙁

    Do i have to assign myself these permissons through the Exchange Management Console (EMC), Toolbox?

  42. Susan Verwer

    Local Admin/Domain Admin.

  43. Susan Verwer

    Hi Paul,

    I get the following error when i try to set the sendonbehalfto right to a Distribution Group.

    You don’t have sufficient permissions. This operation can only be performed by a manager of the group.
    + CategoryInfo : NotSpecified: (:) [Set-DistributionGroup], OperationRequiresGroupManagerException
    + FullyQualifiedErrorId : 9876B053,Microsoft.Exchange.Management.RecipientTasks.SetDistributionGroup

    Hope you can help me!

    Thanks.

    Kind regards,
    Susan Verwer

  44. muralidharan

    Also could you tell us, how to remove this send on behalf of permission..

Leave a Reply