Appendix A: Using the Add-AdPermission Task

The Add-AdPermission task can be used to grant individual permissions. This command should not normally be used to manage Transport permissions, but there are two rare but valid cases that I can think of:

1) Establishing cross-forest mail flow
2) Accepting anonymous email from the Internet that claims to come from an authoritative domain

I'll use case 2), as case 1) has already been detailed in the product documentation.

Suppose a company has an authoritative domain called "contoso.com". Typically such a company would not want to accept email from the Internet if the sender has an address @contoso.com. However, there might be some organizations that want to allow this. By default, the Edge role does not allow anonymous (unauthenticated) sessions to submit mail from any authoritative domain. In other words, by default the receive connectors on an Edge server do not grant the 'ms-Exch-SMTP-Accept-Authoritative-Domain-Sender' permission to 'Anonymous'. If the name of the receive connector is 'Default EDGEB42', you can use the following command:

    add-adpermission 'Default EDGEB42' -User 'NT AUTHORITY\ANONYMOUS LOGON' -ExtendedRights ms-Exch-SMTP-Accept-Authoritative-Domain-Sender
Another often requested example is to allow anonymous sessions to submit messages through SMTP to a Hub server. The command would be:

    add-adpermission 'Default EDGEB42' -User 'NT AUTHORITY\ANONYMOUS LOGON' -ExtendedRights ms-Exch-SMTP-Submit,ms-Exch-SMTP-Accept-Any-Recipient,ms-Exch-Bypass-Anti-Spam
    Identity              User                  AccessRights     IsInherited  Deny
    --------              ----                  ------------     -----------  ----
    EDGEB42\Default E...  NT AUTHORITY\ANON...  {ExtendedRight}  False        False
    EDGEB42\Default E...  NT AUTHORITY\ANON...  {ExtendedRight}  False        False
    EDGEB42\Default E...  NT AUTHORITY\ANON...  {ExtendedRight}  False        False
The same thing could have been accomplished using the PermissionGroups parameter of the Set-ReceiveConnector command:

    set-receiveconnector 'Default EDGEB42' -PermissionGroups "ExchangeUsers,ExchangeServers,ExchangeLegacyServers,AnonymousUsers"
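Because these grants are easy to make and hard to spot later, here is an added audit script (not part of the original post or the product documentation) that lists every receive connector on which 'NT AUTHORITY\ANONYMOUS LOGON' holds one of the extended rights discussed above. It assumes it runs in the Exchange Management Shell, where Get-ReceiveConnector and Get-ADPermission are available; the $RightsOfInterest table and the function name are my own.

```powershell
# Added audit helper (not from the original post). Assumes the Exchange
# Management Shell is loaded so Get-ReceiveConnector and Get-ADPermission exist.
# Reports each receive connector where 'NT AUTHORITY\ANONYMOUS LOGON' holds one
# of the extended rights discussed in the appendix.

# Rights named in the post, with what each means when held by unauthenticated sessions.
$RightsOfInterest = @{
    'ms-Exch-SMTP-Submit'                             = 'unauthenticated sessions may submit mail'
    'ms-Exch-SMTP-Accept-Any-Recipient'               = 'unauthenticated sessions may relay to any recipient'
    'ms-Exch-Bypass-Anti-Spam'                        = 'unauthenticated mail bypasses the anti-spam agents'
    'ms-Exch-SMTP-Accept-Authoritative-Domain-Sender' = 'unauthenticated mail may use an authoritative sender domain'
}

function Get-AnonymousReceiveConnectorRights {
    foreach ($connector in Get-ReceiveConnector) {
        # Allow ACEs granted directly to the anonymous principal on this connector.
        $aces = Get-ADPermission -Identity $connector.Identity |
            Where-Object { -not $_.Deny -and "$($_.User)" -eq 'NT AUTHORITY\ANONYMOUS LOGON' }

        foreach ($ace in $aces) {
            foreach ($right in $ace.ExtendedRights) {
                $name = "$right"
                if ($RightsOfInterest.ContainsKey($name)) {
                    [pscustomobject]@{
                        Connector        = $connector.Identity
                        Right            = $name
                        Impact           = $RightsOfInterest[$name]
                        PermissionGroups = $connector.PermissionGroups
                        # Source addresses allowed to reach the connector: the main
                        # compensating control when anonymous rights are intended.
                        RemoteIPRanges   = ($connector.RemoteIPRanges -join ', ')
                        Inherited        = $ace.IsInherited
                    }
                }
            }
        }
    }
}

$findings = Get-AnonymousReceiveConnectorRights
$findings | Sort-Object Connector, Right | Format-Table -AutoSize

# Submit together with Accept-Any-Recipient on one connector lets unauthenticated
# sessions relay to any recipient, so call those connectors out explicitly.
$findings | Group-Object Connector | Where-Object {
    $rights = @($_.Group | Select-Object -ExpandProperty Right)
    ($rights -contains 'ms-Exch-SMTP-Submit') -and ($rights -contains 'ms-Exch-SMTP-Accept-Any-Recipient')
} | ForEach-Object {
    Write-Warning "Connector '$($_.Name)' allows anonymous relay to any recipient; confirm its RemoteIPRanges is restricted to the intended hosts."
}
```

Rights granted through the AnonymousUsers permission group show up in the same ACL, so the report covers both the Add-AdPermission and the Set-ReceiveConnector routes described above.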