Any user can “Send on Behalf” with Exchange

Today I was instructed to help our company's Systems Administrator with a “Send on Behalf” problem. It appears that some users could send mail on behalf of other people, even though those users didn’t have the rights set within the Exchange Admin Center, as seen in the screenshot below.

So, how is it possible that those users could still send mail on behalf of others in our organization? It looks like the problem lies in our migration path: from Exchange 2003 to Exchange 2007, a few years later to Exchange 2010, and we are now at the beginning of a project to move over to Exchange 2013, if that happens this year at all. Over the years, some delegations were migrated along with Active Directory, but for some reason they do not show up in newer versions of Exchange.

So my first step was to look up the attributes of the affected objects in Active Directory, and I found that the problem is in the attribute “publicDelegates”. You’ll probably find your “Ghost Delegates” in there on the affected users. You can use Active Directory Users and Computers (dsa.msc) with Advanced Features enabled in the View menu, or ADSI Edit (adsiedit.msc), to find the attribute and remove or correct the multi-valued string in it.

But if your organization is large, you will want to check every object in Active Directory for a value in this attribute. It is probably possible to check this with PowerShell, but I couldn’t find a quick solution and didn’t have the rights to use it on this network. After a quick search I found AdFind from Joeware.net. With this command used:

We get a list of all users with one or more values in the publicDelegates attribute.
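
The same inventory can be done in PowerShell; this is an added example, not code from the original post. It assumes the ActiveDirectory module (RSAT) for the live query, and `Expand-PublicDelegates`, the sample users and the `example.test` DNs are hypothetical names constructed here.

```powershell
# Added example: read-only inventory of the publicDelegates attribute.
# Emits one row per (mailbox, delegate) pair so every entry can be reviewed.
function Expand-PublicDelegates {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)] $User,
        # Looks up one delegate DN. The default needs the ActiveDirectory module;
        # pass another script block to run against sample data.
        [scriptblock] $Resolve = {
            param($dn)
            try { Get-ADObject -Identity $dn -Properties userAccountControl -ErrorAction Stop }
            catch { $null }
        }
    )
    process {
        foreach ($dn in $User.publicDelegates) {
            $delegate = & $Resolve $dn
            [pscustomobject]@{
                Mailbox  = $User.SamAccountName
                Delegate = $dn
                Resolved = $null -ne $delegate
                Class    = $delegate.ObjectClass
                # Bit 0x2 of userAccountControl is ACCOUNTDISABLE.
                Disabled = [bool]($delegate.userAccountControl -band 2)
            }
        }
    }
}

# Constructed sample data, so the function can be tried without a domain.
$bob   = 'CN=Bob,OU=Staff,DC=example,DC=test'
$carol = 'CN=Carol,OU=Staff,DC=example,DC=test'
$sampleUsers = @(
    [pscustomobject]@{ SamAccountName = 'alice'; publicDelegates = @($bob, $carol) }
    [pscustomobject]@{ SamAccountName = 'dave';  publicDelegates = $null }
)
$sampleDirectory = @{
    $bob   = [pscustomobject]@{ ObjectClass = 'user'; userAccountControl = 512 }
    $carol = [pscustomobject]@{ ObjectClass = 'user'; userAccountControl = 514 }
}
$sampleUsers |
    Expand-PublicDelegates -Resolve { param($dn) $sampleDirectory[$dn] } |
    Format-Table -AutoSize

# Live, read-only use against the domain:
# Get-ADUser -LDAPFilter '(publicDelegates=*)' -Properties publicDelegates |
#     Expand-PublicDelegates | Export-Csv .\publicDelegates.csv -NoTypeInformation
```

Rows where the delegate is disabled or is not expected for that mailbox are the candidates to correct in dsa.msc or adsiedit.msc as described above.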