Exchange 2013 – Grant SendOnBehalf permission for Mailbox overwrites Existing permissions

Managing Send on Behalf in the Exchange UI is straightforward. The trap appears when you switch to PowerShell and assume that setting GrantSendOnBehalfTo behaves like a safe incremental update.

The easy mistake

Usually people reach for a direct Set-Mailbox update and assume they are only adding one delegate. In reality, assigning a new value directly to GrantSendOnBehalfTo can replace the entire existing list.

That is fine when you are setting it for the first time. It becomes a problem when several delegates are already present and you only meant to add or remove one person.

Safer approach

Use the Exchange hashtable syntax with @{add=...} and @{remove=...} so you update the property incrementally instead of overwriting it.

# Distribution groups: add one delegate without touching the existing entries.
function Add-DistributionListGrantSendOnBehalfTo {
    Param($newTrustee, $targetDistributionGroup)
    Set-DistributionGroup $targetDistributionGroup -GrantSendOnBehalfTo @{add=$newTrustee}
}

# Distribution groups: remove one delegate and leave the rest in place.
function Remove-DistributionListGrantSendOnBehalfTo {
    Param($oldTrustee, $targetDistributionGroup)
    Set-DistributionGroup $targetDistributionGroup -GrantSendOnBehalfTo @{remove=$oldTrustee}
}

# Distribution groups: swap one delegate for another (add the new one, then remove the old one).
function Replace-DistributionListGrantSendOnBehalfTo {
    Param($oldTrustee, $newTrustee, $targetDistributionGroup)
    Set-DistributionGroup $targetDistributionGroup -GrantSendOnBehalfTo @{add=$newTrustee}
    Set-DistributionGroup $targetDistributionGroup -GrantSendOnBehalfTo @{remove=$oldTrustee}
}

# Mailboxes: remove one delegate and leave the rest in place.
function Remove-MailboxGrantSendOnBehalfTo {
    Param($oldTrustee, $targetMailbox)
    Set-Mailbox $targetMailbox -GrantSendOnBehalfTo @{remove=$oldTrustee}
}

# Mailboxes: add one delegate without touching the existing entries.
function Add-MailboxGrantSendOnBehalfTo {
    Param($newTrustee, $targetMailbox)
    Set-Mailbox $targetMailbox -GrantSendOnBehalfTo @{add=$newTrustee}
}

# Mailboxes: swap one delegate for another (remove the old one, then add the new one).
function Replace-MailboxGrantSendOnBehalfTo {
    Param($oldTrustee, $newTrustee, $targetMailbox)
    Set-Mailbox $targetMailbox -GrantSendOnBehalfTo @{remove=$oldTrustee}
    Set-Mailbox $targetMailbox -GrantSendOnBehalfTo @{add=$newTrustee}
}

Example usage

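Add-MailboxGrantSendOnBehalfTo -NewTrustee <NewTrustee> -TargetMailbox <MailboxIdentity>

Replace-MailboxGrantSendOnBehalfTo -NewTrustee <NewTrustee> -OldTrustee <OldTrustee> -TargetMailbox <MailboxIdentity>

Remove-MailboxGrantSendOnBehalfTo -OldTrustee <OldTrustee> -TargetMailbox <MailboxIdentity>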

Practical advice

Before changing anything, check the current delegate list first:

Get-Mailbox <MailboxIdentity> | Select-Object -ExpandProperty GrantSendOnBehalfTo

That makes it much easier to confirm whether you are adding a missing delegate, removing an old one, or cleaning up a mailbox that already has multiple entries.
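
The check-first advice can be built into the change itself. The following is an added example, not code from the original post: it snapshots the delegate list, applies the incremental add, re-reads the mailbox, and warns if any earlier delegate went missing. The function name Add-SendOnBehalfDelegateVerified and its parameters are hypothetical, and it assumes an Exchange Management Shell session where Get-Mailbox and Set-Mailbox are available.

```powershell
# Added example; the function name and parameters are hypothetical.
# Requires an Exchange Management Shell session (Get-Mailbox / Set-Mailbox).
function Add-SendOnBehalfDelegateVerified {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$TargetMailbox,
        [Parameter(Mandatory = $true)][string]$NewTrustee
    )

    # Snapshot the delegate list before the change, as strings so it can be compared later.
    $before = @((Get-Mailbox -Identity $TargetMailbox -ErrorAction Stop).GrantSendOnBehalfTo |
        ForEach-Object { $_.ToString() })

    # Honour -WhatIf / -Confirm before touching the mailbox.
    if (-not $PSCmdlet.ShouldProcess($TargetMailbox, "Add Send on Behalf delegate $NewTrustee")) {
        return
    }

    # Incremental update: the add hashtable leaves existing entries in place.
    Set-Mailbox -Identity $TargetMailbox -GrantSendOnBehalfTo @{add = $NewTrustee} -ErrorAction Stop

    # Re-read the list after the change.
    $after = @((Get-Mailbox -Identity $TargetMailbox -ErrorAction Stop).GrantSendOnBehalfTo |
        ForEach-Object { $_.ToString() })

    # Any entry present before but missing now means the list was overwritten.
    $lost = @($before | Where-Object { $after -notcontains $_ })
    if ($lost.Count -gt 0) {
        Write-Warning "Delegates removed from ${TargetMailbox}: $($lost -join '; ')"
    }

    # Return a before/after record that can be logged with the change.
    [pscustomobject]@{
        Mailbox = $TargetMailbox
        Before  = $before
        After   = $after
        Added   = @($after | Where-Object { $before -notcontains $_ })
        Lost    = $lost
    }
}
```

For a pure add, the Lost property of the returned object should be empty; anything listed there is a delegate that was present before the change and is gone afterwards.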

Current note

Microsoft still documents GrantSendOnBehalfTo with add/remove hashtable syntax for recipient management. So the core lesson from this post still applies: if you are editing an existing delegate list, do not overwrite the whole property unless that is exactly what you intend.