Distribution Group SendAs Denied

Distribution Group SendAs Denied

When trying to assign Send As or Receive As permissions to a Distribution Group in Exchange 2010, 2013 or 2016 using the Add-ADPermission cmdlet, you might get an error message saying Access is denied and insufficient access rights:



Active Directory operation failed on <domain_controller.domain.com>. This error is not retriable. Additional information: Access is denied. 
Active directory response: 00000005: SecErr: DSID-031521D0, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0 
+ CategoryInfo : WriteError: (0:Int32) [Add-ADPermission], ADOperationException 
+ FullyQualifiedErrorId : 5557AD82,Microsoft.Exchange.Management.RecipientTasks.AddADPermission



This is because, by default, Exchange Trusted Subsystem is not granted the “modify permissions” permission. This causes the Add-ADPermission cmdlet to fail with an Access Denied error.


To resolve this problem, add the modify permissions permission for the Exchange Trusted Subsystem to the organizational unit that contains the Distribution Group:

  1. Open Active Directory Users and Computers;

  2. Click View, and then click Advanced Features;

  3. Right-click the OU that contains the distribution lists, and then click Properties;

  4. In the Security tab, click Advanced;

  5. In the Permissions tab, click Add;

  6. In the Enter object name to select box, type Exchange trusted subsystem, and then click OK;

  7. In the Object tab, select This object and all descendants objects in the Apply onto list, locate Modify Permissions in the Permissions list, and then set it to Allow;

  8. Click OK.

About The Author

Leave a Comment

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top