timmcmic / DLConversionV2

MIT License

Issue when a DL has "Send As" permissions on itself #49

Closed MassimoPascucci closed 2 years ago

MassimoPascucci commented 2 years ago

When a distribution list has "Send As" permissions granted to itself (using "NT AUTHORITY\SELF"), the conversion process fails to properly analyze this ACE and errors out.

Permissions

Attached (anonymized) error log: Log.txt

Workaround: remove the permission granted to "NT AUTHORITY\SELF" and assign it explicitly to the group.

Suggested resolution: when a "Send As" ACE refers to "NT AUTHORITY\SELF", map it to the group's own DN.

MassimoPascucci commented 2 years ago

Note: this makes sense only when the DL is security-enabled.

Unfortunately, a bunch of DLs I'm currently working on are configured this way... the customer probably thought it was an easy way to grant Send As permissions to all DL members.

timmcmic commented 2 years ago

You can send as a distribution list that is not a mail security group. Unfortunately Exchange recycles this all the way around. The Send As ACL applies to all mail-enabled objects for the purposes of Send As. Limiting to one recipient type would not work.

What is the issue you're having?

============================== Timothy J. McMichael Senior Support Escalation Engineer @.**@.> (980)-776-7465

Hours: Sunday - Wednesday 08:00 - 16:00 eastern time zone.

Manager: Tom Roughley @.**@.>)

Premier Support - (800)-936-3100 Broad Commercial Support - (800)-936-4900

==============================


timmcmic commented 2 years ago

Can you open an issue on GitHub? Do you know if the Send As ACL actually works in this case? Now your other comment makes sense. My guess is that they were trying to get around having a security-enabled context to establish the ACL.

If the ACL doesn't actually work to enable Send As, I'm not inclined to convert it to the group but rather flag it as invalid and have it removed as it does today.


MassimoPascucci commented 2 years ago

Can you open an issue on GitHub?

I already opened it, we are commenting on that :)

Do you know if the Send As ACL actually works in this case?

Yes. They used it on a bunch of groups and have been happily sending as for a while.

Please note that the groups are security ones, IDK what would happen with pure distribution groups.

Replacing "NT AUTHORITY\SELF" with the actual group name also works (again, only if the group is a security one), and your scripts then are able to handle it correctly; the permission gets correctly applied in Exchange Online after conversion.

So my suggestion is to just handle "NT AUTHORITY\SELF" as an edge case in Get-NormalizedDN and map it to the group's own DN, if the group is security enabled; otherwise, flag it as an error or skip/log it.

timmcmic commented 2 years ago

I'll work on some testing this weekend.

Tim


timmcmic commented 2 years ago

2.5.19 was just published to the PowerShell Gallery and should have the functionality you're looking for.

I simplified the suggestion. In Get-SendAsOnGroup the code enumerates all ACLs. It then splits the domain\user into just USER.

Since the DN is passed into the function, the enumeration now tests for SELF and, if SELF is present, it subs in the DN instead of searching AD for the DN.

Then it's normalized as part of the array and returned.

Tim
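One way to implement the SELF handling described in this comment (and the Get-NormalizedDN edge case Massimo suggested earlier), written as an added example rather than DLConversionV2's own code; the function name Resolve-SendAsTrustee, the $Resolver lookup stub and the sample ACEs are assumptions constructed for the example:

```powershell
# Added example, not the project's code. Maps the trustee "NT AUTHORITY\SELF" on a
# group's Send As ACE to the group's own DN (no AD search needed), but only when the
# group is security-enabled; otherwise the ACE is flagged as invalid, matching the
# log message "Group is not security ... therefore has no send as rights in Office 365".
function Resolve-SendAsTrustee {
    param(
        [Parameter(Mandatory)] [string]      $GroupDN,
        [Parameter(Mandatory)] [bool]        $GroupIsSecurityEnabled,
        [Parameter(Mandatory)] [object[]]    $Aces,     # objects exposing IdentityReference
        [Parameter(Mandatory)] [scriptblock] $Resolver  # sAMAccountName -> DN (stands in for an AD lookup)
    )
    $normalized = @()
    foreach ($ace in $Aces) {
        # "DOMAIN\user" -> "user"; keep the raw trustee string for logging
        $raw  = [string]$ace.IdentityReference
        $user = ($raw -split '\\')[-1]
        if ($user -ieq 'SELF') {
            if ($GroupIsSecurityEnabled) {
                # Substitute the group's own DN instead of querying the directory
                $normalized += [pscustomobject]@{ Trustee = $raw; DN = $GroupDN; Status = 'MappedToSelf' }
            } else {
                # A pure distribution group carries no Send As rights after conversion: flag, do not convert
                $normalized += [pscustomobject]@{ Trustee = $raw; DN = $null; Status = 'InvalidSelfOnDistributionGroup' }
            }
            continue
        }
        # Every other trustee still goes through the normal name -> DN resolution
        $dn     = & $Resolver $user
        $status = if ($dn) { 'Resolved' } else { 'Unresolved' }
        $normalized += [pscustomobject]@{ Trustee = $raw; DN = $dn; Status = $status }
    }
    return $normalized
}

# Constructed sample input standing in for the ACEs read from the group object
$sampleAces = @(
    [pscustomobject]@{ IdentityReference = 'NT AUTHORITY\SELF' },
    [pscustomobject]@{ IdentityReference = 'CONTOSO\jdoe' },
    [pscustomobject]@{ IdentityReference = 'CONTOSO\ghost' }   # no matching account
)
# Stub directory lookup (a real implementation would query AD by sAMAccountName)
$lookup = { param($sam) (@{ jdoe = 'CN=John Doe,OU=Users,DC=contoso,DC=com' })[$sam] }

Resolve-SendAsTrustee -GroupDN 'CN=Sales DL,OU=Groups,DC=contoso,DC=com' `
    -GroupIsSecurityEnabled $true -Aces $sampleAces -Resolver $lookup | Format-Table -AutoSize
```

Running the block yields one row per ACE: SELF mapped to the group DN, jdoe resolved through the stub, and ghost left as Unresolved so it can be flagged rather than silently dropped.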


MassimoPascucci commented 2 years ago


Looks great, I'll test it and let you know how it goes.

MassimoPascucci commented 2 years ago

This works great.

The permission is handled correctly for security groups, and if the group is a pure distribution one the issue is already covered by not retaining its send as rights at all:

[07/05/2022 16:43:58] - Retain Office 365 send as set to try - invoke only if group is type security on premsies.
[07/05/2022 16:43:58] - Group is not security on premsies therefore has no send as rights in Office 365.