{"id":100827,"date":"2026-04-09T20:48:49","date_gmt":"2026-04-09T18:48:49","guid":{"rendered":"https:\/\/dyb.fr\/?p=100827"},"modified":"2026-04-09T20:48:50","modified_gmt":"2026-04-09T18:48:50","slug":"pourquoi-un-compte-admin-peut-bloquer-lenvoi-smtp-sur-exchange-admincount-1","status":"publish","type":"post","link":"https:\/\/dyb.eu\/blog\/pourquoi-un-compte-admin-peut-bloquer-lenvoi-smtp-sur-exchange-admincount-1\/","title":{"rendered":"Why an admin account can block SMTP sending on Exchange (adminCount = 1)"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">In some Exchange environments, a user can connect over SMTP and authenticate successfully, yet have the send rejected with this error:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">550 5.7.60 SMTP; Client does not have permissions to send as this sender<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">This behavior is often confusing, because:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>authentication works<\/li>\n\n\n\n<li>the account exists<\/li>\n\n\n\n<li>the sender address is correct<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">In many cases, the cause is linked to a little-known Active Directory attribute: <strong><code>adminCount<\/code><\/strong>.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">The typical symptom<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">In a typical scenario:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>SMTP AUTH on port 587 works<\/li>\n\n\n\n<li>TLS works<\/li>\n\n\n\n<li>the login succeeds (<code>235 Authentication successful<\/code>)<\/li>\n\n\n\n<li>but the send fails at the <code>DATA<\/code> stage<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">Real example:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">550 5.7.60 SMTP; Client does 
not have permissions to send as this sender<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">And yet, with another standard user\u2026 everything works immediately.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">The cause: <code>adminCount = 1<\/code><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">In Active Directory, some accounts are considered <strong>sensitive<\/strong> (administrators, operators, etc.).<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">When an account belongs (or has belonged) to a privileged group, AD applies:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><code>adminCount = 1<\/code><\/li>\n\n\n\n<li>protection via <strong>AdminSDHolder<\/strong><\/li>\n\n\n\n<li>the disabling of permission inheritance<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">\ud83d\udc49 Result: the normal ACLs no longer apply correctly.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Why this breaks SMTP<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Exchange relies heavily on AD permissions to validate the sender.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">With a protected account:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>some implicit permissions are no longer present<\/li>\n\n\n\n<li>the effective rights become inconsistent<\/li>\n\n\n\n<li>Exchange rejects the send with a <code>Send As<\/code> error<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">\ud83d\udc49 Even if:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>the account is valid<\/li>\n\n\n\n<li>the address is correct<\/li>\n\n\n\n<li>authentication is OK<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 
class=\"wp-block-heading\">How to detect the problem<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Check <code>adminCount<\/code><\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\">Get-ADUser utilisateur -Properties adminCount | Select Name,SamAccountName,adminCount<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Problematic result:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">adminCount : 1<\/pre>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">Check the groups<\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\">Get-ADPrincipalGroupMembership utilisateur | Select Name<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Watch in particular for:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Domain Admins<\/li>\n\n\n\n<li>Enterprise Admins<\/li>\n\n\n\n<li>Administrateurs<\/li>\n\n\n\n<li>Server Operators<\/li>\n\n\n\n<li>Print Operators<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Why it happens even after leaving an admin group<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">This is a key point:<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\ud83d\udc49 <strong><code>adminCount<\/code> does not automatically return to 0<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Even if you remove the user from the admin groups:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>the attribute stays at <code>1<\/code><\/li>\n\n\n\n<li>the ACLs stay frozen<\/li>\n\n\n\n<li>the problem persists<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Solutions<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Option 1 \u2014 Best practice (recommended)<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">\ud83d\udc49 <strong>Create a dedicated account for 
SMTP<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Example:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><code>smtp-app@dyb.fr<\/code><\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">Advantages:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>no dependency on admin accounts<\/li>\n\n\n\n<li>no AD side effects<\/li>\n\n\n\n<li>more secure (principle of least privilege)<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">Option 2 \u2014 Fix the existing account<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">If you want to reuse the account:<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">1. Remove it from privileged groups<\/h4>\n\n\n\n<pre class=\"wp-block-preformatted\">Get-ADPrincipalGroupMembership utilisateur<\/pre>\n\n\n\n<h4 class=\"wp-block-heading\">2. Reset <code>adminCount<\/code> to 0<\/h4>\n\n\n\n<pre class=\"wp-block-preformatted\">Set-ADUser utilisateur -Clear adminCount<\/pre>\n\n\n\n<h4 class=\"wp-block-heading\">3. Re-enable inheritance (important)<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">In <strong>Active Directory Users and Computers<\/strong>:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Security<\/strong> tab<\/li>\n\n\n\n<li><strong>Advanced<\/strong><\/li>\n\n\n\n<li>Turn on <strong>Enable inheritance<\/strong><\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\">4. 
Wait for \/ force AD replication<\/h4>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Summary<\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>Item<\/th><th>Impact<\/th><\/tr><\/thead><tbody><tr><td><code>adminCount = 1<\/code><\/td><td>protected account<\/td><\/tr><tr><td>AdminSDHolder<\/td><td>blocks permission inheritance<\/td><\/tr><tr><td>Exchange SMTP<\/td><td>may reject the sender<\/td><\/tr><tr><td>Symptom<\/td><td><code>550 5.7.60 Send As denied<\/code><\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">DYB recommendation<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">For all application use cases (scripts, tools, CI\/CD, etc.):<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\ud83d\udc49 <strong>Always use a dedicated technical account<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Never use:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>an admin account<\/li>\n\n\n\n<li>a critical user account<\/li>\n\n\n\n<li>an account that has belonged to a privileged group<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Conclusion<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">The problem does not always come from Exchange.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">In this specific case, <strong>Active Directory silently modifies the permissions<\/strong>, which directly affects how SMTP works.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\ud83d\udc49 If SMTP AUTH works with one user and not another:<br>think of <strong><code>adminCount<\/code><\/strong> immediately.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In 
some Exchange environments, a user can connect over SMTP and authenticate successfully, yet have the send rejected with this error: 550 5.7.60 SMTP; Client does not have permissions to send as this sender This behavior is often confusing, because: In many cases, the cause is linked to an attribute [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":100829,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[28],"class_list":["post-100827","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-adminsys","tag-windows"],"_links":{"self":[{"href":"https:\/\/dyb.eu\/blog\/wp-json\/wp\/v2\/posts\/100827","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/dyb.eu\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/dyb.eu\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/dyb.eu\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/dyb.eu\/blog\/wp-json\/wp\/v2\/comments?post=100827"}],"version-history":[{"count":1,"href":"https:\/\/dyb.eu\/blog\/wp-json\/wp\/v2\/posts\/100827\/revisions"}],"predecessor-version":[{"id":100828,"href":"https:\/\/dyb.eu\/blog\/wp-json\/wp\/v2\/posts\/100827\/revisions\/100828"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/dyb.eu\/blog\/wp-json\/wp\/v2\/media\/100829"}],"wp:attachment":[{"href":"https:\/\/dyb.eu\/blog\/wp-json\/wp\/v2\/media?parent=100827"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/dyb.eu\/blog\/wp-json\/wp\/v2\/categories?post=100827"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/dyb.eu\/blog\/wp-json\/wp\/v2\/tags?post=100827"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}