Couldn't resolve the user or group "User Name." If the user or group is a foreign forest principal, you must have either a two-way trust or an outgoing trust.

Hello,

I have a 2016 on-premises Exchange environment. One domain, one forest.
I am trying to add a domain user to a distribution group with “Send As” permissions and I am getting the following error:

Couldn’t resolve the user or group “User Name.” If the user or group is a foreign forest principal, you must have either a two-way trust or an outgoing trust.

These distribution groups were moved from a previous version, Exchange Server 2013. However, this symptom occurs even with newly created groups on the 2016 server environment. I have no issues adding a user with “Send As” permissions to a mailbox. This only happens with distribution groups.

Thanks

3 Likes

Hi,

Have these distribution groups been moved from the previous version of Exchange Server?

What’s the command you used to assign the Send As permission and Send On Behalf permission?

You can try to run the following command to assign the send as permission of the distribution group to the user:

Add-ADPermission -Identity <GroupName> -User <UserName> -ExtendedRights "Send As"

Note that the Identity parameter requires you to use the Name or DistinguishedName value of the group. You can get the value through the following command:

Get-Recipient -Identity <GroupName> | FL Name,DistinguishedName

You can also try to add the permission from Active Directory Users and Computers, test if the permission could be added successfully:
Start Active Directory Users and Computers>>check Advanced Features from View>>find the related group from OU and right-click>>choose properties>>security tab>>add the user and choose the send as permission>>OK

3 Likes

Hi,

What’s the exact version of your Exchange server?

Have you typed the correct email address of the distribution group on “From” when sending mails?

Please check if the Send As permission has been assigned successfully with the following command:

Get-ADPermission -Identity <GroupName> | where {$_.ExtendedRights -like 'Send*'} | Format-Table -Auto User,Deny,ExtendedRights

If the permission is assigned successfully, you can try to restart the Exchange Information Store service from services page, then test if you still get this error:

Thanks

1 Like
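
The grant and verification steps suggested in the replies above, combined into one function as an added example (not part of any post in this thread). It assumes the Exchange Management Shell; `Grant-GroupSendAs` is a hypothetical helper name, and 'Payroll Team' and 'CONTOSO\afzal' are placeholder values.

```powershell
# Added example; run in the Exchange Management Shell.
# Grant-GroupSendAs is a hypothetical helper; the values in the usage line are placeholders.
function Grant-GroupSendAs {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $Group,    # name, alias or address of the distribution group
        [Parameter(Mandatory)] [string] $Trustee   # account that should receive Send As
    )

    # Resolve the group once and use its DistinguishedName for -Identity.
    $target = @(Get-Recipient -Identity $Group -ErrorAction Stop)
    if ($target.Count -ne 1) { throw "'$Group' matched $($target.Count) recipients; be more specific." }
    if ($target[0].RecipientType -notlike '*Group*') {
        throw "'$Group' is a $($target[0].RecipientType), not a group."
    }
    $dn = $target[0].DistinguishedName

    # Confirm the trustee resolves to exactly one account before touching the ACL.
    $who = @(Get-User -Identity $Trustee -ErrorAction Stop)
    if ($who.Count -ne 1) { throw "'$Trustee' matched $($who.Count) accounts." }

    # Skip the write if an explicit allow ACE for this trustee is already present.
    $existing = Get-ADPermission -Identity $dn -User $Trustee |
        Where-Object { ($_.ExtendedRights -like 'Send*') -and -not $_.Deny -and -not $_.IsInherited }
    if (-not $existing -and $PSCmdlet.ShouldProcess($dn, "Grant Send As to $Trustee")) {
        Add-ADPermission -Identity $dn -User $Trustee -ExtendedRights 'Send As' | Out-Null
    }

    # Report every Send* ACE on the group so unexpected trustees are visible too.
    Get-ADPermission -Identity $dn |
        Where-Object { $_.ExtendedRights -like 'Send*' } |
        Select-Object User, Deny, IsInherited, ExtendedRights
}

# -WhatIf shows what would be granted without changing the ACL.
Grant-GroupSendAs -Group 'Payroll Team' -Trustee 'CONTOSO\afzal' -WhatIf
```

The final report lists all Send* entries on the group, which doubles as a review of who can already send as that address.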

You can also try to add the permission from Active Directory Users and Computers, test if the permission could be added successfully:
Start Active Directory Users and Computers>>check Advanced Features from View>>find the related group from OU and right-click>>choose properties>>security tab>>add the user and choose the send as permission>>OK

Thanks

2 Likes

Hi @afzal,

If you still need help with this issue, please follow the steps below:

Issue Symptom

The environment is Exchange 2016, one domain and one forest.

When trying to add a user to a distribution group with Send As permissions through ECP and PowerShell, you get the error: Couldn’t resolve the user or group. If the user or group is a foreign forest principal, you must have either a two-way trust or an outgoing trust.

Trying with multiple distribution groups and multiple user accounts gives this error in all scenarios.
But there is no issue when adding a user with Send As permission to a mailbox.

Suggestions

Try to add the permission from Active Directory Users and Computers, test if the permission could be added successfully: Start Active Directory Users and Computers>>check Advanced Features from View>>find the related group from OU and right-click>>choose properties>>security tab>>add the user and choose the send as permission>>OK

If you add the permission successfully, but get an error when sending a message with this permission, please check if the Send As permission has been assigned successfully:

Get-ADPermission -Identity <GroupName> | where {$_.ExtendedRights -like 'Send*'} | Format-Table -Auto User,Deny,ExtendedRights

If the permission is assigned successfully, you can try to restart the Exchange Information Store service from services page, then test again.

Thanks

Configuring “send as” permissions is not difficult at all in the Windows Active Directory server. You can grant the permissions in two ways.

  • Grant send as permissions to a mailbox user (e.g., grant Afzal permission to send as “Payroll Team”)
  • Grant send as permissions to a universal security group (e.g., grant “Payroll Team Leaders” permission to send as “Payroll Team”)

Simply open the properties of the group, switch to the Security tab, add the mailbox user or group, and then tick the Send As box and apply the change. This way you can grant the permissions by using Active Directory Users & Computers.

Other fellow members have done a good job pointing the OP in the right direction. I would like to include some additional points from my end so that it will be helpful for someone who might look for a solution to this error.

If I were you I would first check the following in order to fix this error:

  • Make sure that the user you are trying to add is a valid user in the other forest.
  • Make sure that the two forests have a trust relationship.
  • Make sure that the user has “Send As” permissions for the distribution group.
  • Check the event logs for any errors that might be related to the trust relationship.
  • The user’s account may be disabled.
  • The user’s mailbox may be full.
  • The user may not have the correct permissions to send mail as the distribution group.
  • Restart the Exchange services on both forests.
  • Recreate the trust relationship.

I hope this helps!