Target users can log on to the source mailbox without being prompted for credentials, but they cannot send e-mail messages. They receive the error "You do not have permission to send to this recipient" for both internal and external recipients in the source Exchange organization. The Exchange Processing Wizard has been used to process the mailboxes, but the behavior does not change. Manually granting the target account "Full Mailbox Access" on the source mailbox does not help either.
This can happen when the source object is a member of a protected group. The matching target object needs the "Send As" permission on the source object for sending to work, but if the source object is a member of a protected group, the AdminSDHolder process removes the "Send As" permission. This is a known Microsoft issue; KB article 907334 contains more information:
http://support.microsoft.com/kb/907434/
"You explicitly configure the Send As right on a user object in the Active Directory Users and Computers snap-in in Microsoft Exchange Server. However, the Send As right is removed from the user object about one hour after you configure the Send As right. Additionally, other changes that you made to the security descriptor on the user object may be removed. For example, the Allow inheritable permissions from parent to propagate to this object check box may no longer be selected."
"The Active Directory service has a process that makes sure that members of protected groups do not have their security descriptors manipulated. If a security descriptor for a user account that is a member of a protected group does not match the security descriptor on the AdminSDHolder object, the user's security descriptor is overwritten with a new security descriptor that is taken from the AdminSDHolder object. The Send As right is delegated by modifying the security descriptor of a user object. Therefore, if the user is a member of a protected group, the change is overwritten in about one hour."
1. Remove the user from any AD protected groups. The protected groups are as follows:
Windows 2000:
Enterprise Admins
Schema Admins
Domain Admins
Administrators
Windows Server 2003, and Windows 2000 after applying the 327825 hotfix or installing Windows 2000 Service Pack 4, add more groups to the protected groups list:
Administrators
Account Operators
Server Operators
Print Operators
Backup Operators
Domain Admins
Schema Admins
Enterprise Admins
Cert Publishers
Additionally, the following user accounts are also considered protected:
Administrator
Krbtgt
2. On the Security tab of the user object in Active Directory Users and Computers, add the "Send As" permission for the SELF account. It is also a good idea to compare the permissions set for the SELF account with those of another user that is working correctly.
3. Wait about 15 minutes to one hour for AD replication and the Exchange information store processes to finalize these changes in the environment.
NOTE: A good indication of whether a user is a member of a protected group is the value of the "adminCount" attribute, which can be checked with ADSIEdit. A value of "1" indicates that the object is, or once was, a member of an AD protected group. Changing it to 0 or <Not Set> will not resolve the issue if the user still belongs to any of the protected groups listed above.
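The following PowerShell script is an added diagnostic example, not part of this article or of any Quest or Microsoft tool. It assumes the RSAT ActiveDirectory module (which provides the AD: drive) and takes the source user's sAMAccountName as a hypothetical parameter; it reports the adminCount value, nested membership in the protected groups listed above, and whether the SELF "Send As" entry that step 2 adds is actually present on the object.

```powershell
# Added diagnostic example (not the article's or Quest's code).
# Assumes: RSAT ActiveDirectory module; $SamAccountName is the source user to check.
param([Parameter(Mandatory)][string]$SamAccountName)

Import-Module ActiveDirectory

# Protected groups as listed in the article (Windows Server 2003 list).
$protectedGroups = 'Administrators','Account Operators','Server Operators','Print Operators',
                   'Backup Operators','Domain Admins','Schema Admins','Enterprise Admins','Cert Publishers'

$user = Get-ADUser -Identity $SamAccountName -Properties adminCount, distinguishedName

# adminCount = 1 means the object is, or once was, under AdminSDHolder protection.
"adminCount                 : $($user.adminCount)"

# Membership check with LDAP_MATCHING_RULE_IN_CHAIN (OID 1.2.840.113556.1.4.1941),
# so membership through a nested group is detected as well as direct membership.
$protected = foreach ($g in $protectedGroups) {
    $grp = Get-ADGroup -Filter "Name -eq '$g'" -ErrorAction SilentlyContinue
    if ($grp -and (Get-ADUser -LDAPFilter "(&(sAMAccountName=$SamAccountName)(memberOf:1.2.840.113556.1.4.1941:=$($grp.DistinguishedName)))")) {
        $g
    }
}
if ($protected) { "Protected group membership : $($protected -join ', ') (AdminSDHolder will overwrite the ACL)" }
else            { "Protected group membership : none" }

# "Send As" is the Exchange extended right with this well-known rights GUID.
$sendAsGuid = [guid]'ab721a54-1e2f-11d0-9819-00aa0040529b'
$acl = Get-Acl -Path "AD:\$($user.DistinguishedName)"
$selfSendAs = $acl.Access | Where-Object {
    $_.ObjectType -eq $sendAsGuid -and
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference.Value -eq 'NT AUTHORITY\SELF'
}
"Send As for SELF           : " + $(if ($selfSendAs) { 'present' } else { 'MISSING' })
```

Run it before step 2 to confirm which protected groups still hold the user, and again about an hour after step 3 to confirm the SELF "Send As" entry has not been removed.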
Orphaned AdminSDHolder Objects
For more information, please see the related MS articles 817433, 306398, 232119, 318180:
http://support.microsoft.com/kb/817433/en-us
http://support.microsoft.com/kb/306398/en-us
http://support.microsoft.com/kb/232199/en-us
http://support.microsoft.com/kb/318180/en-us
© 2024 Quest Software Inc. ALL RIGHTS RESERVED.