Having read some other posts on setting "send as" permissions on my user accounts, I get the BlackBerry to be able to both send and receive - for a while.
After a number of hours though (seems to happen within 12), the ability to send e-mails dies. Looking back on the server, it appears that the send as permissions I've loaded in Active Directory have somehow unset themselves.
I've tried manually entering them twice (works, then unsets) and have downloaded the SetSendAsPermission.exe tool and used it successfully twice (works, then unsets).
Is there another way around this problem to get this fixed?
(One odd thing, that may or may not be relevant - in Active Directory, the user I'm trying to set up appears in the root of the directory, at the same level as the "users" subdirectory.)
Last edited by monkeyhanger; 08-15-2007 at 01:33 AM..
I would recommend NOT modifying the AdminSDHolder object, but rather not adding users that are in these special groups to the BES and only having user-level accounts on the BES.
I'm a little confused by some of the terminology but I think I understand this now.
The user is a member of the Administrators and Domain Admins groups. As I understand it, AdminSdHolder is a thread which resets security information on certain privileged accounts.
The solutions I believe I have are:
1) to remove membership of these groups from the user or
2) to use dsacls.exe to modify something - I'm not entirely clear what - that either modifies the behavior of AdminSdHolder or modifies the default security information for privileged accounts.
(Please correct me if I've got this wrong)
I'm going to try 1) first (probably this evening) - my only concern is that the relevant user does need to be able to perform some privileged tasks like installing their own software, running Windows Update, installing printers etc. There may be knock-on effects that I'm currently unaware of which would crop up if I make these changes for them.
Option 2) sounds like it's considered bad practice and weakens security - by what degree, I can't tell. If option 1 is a non-starter, I'll have to give this a go.
I've removed membership of all admin groups for this user (Administrator, Domain Admin and Schema Admin) and "Send As" permissions seem to be holding up. The only downside is that the user needs to log in to their PC as an admin account if they need to do any installs or updates which affect system files.
That would be exactly it. You can make the user an Administrator on their computer; they just can't be a member of those Domain level groups. I have 2 accounts hdawg and megasuperduperuberslickhdawg ... one I pretend to be a user and one I live the life of a mega h4x0r. ... besides it's best practice to do this; and you were right on to not modify AdminSDHolder; bravo, good troubleshooting, and glad it's workin for ya!
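
The reset behaviour discussed in this thread can be audited from the directory side. The following PowerShell is an added example, not part of the original posts; it assumes the RSAT ActiveDirectory module is installed and uses `EXAMPLE\BESAdmin` as a placeholder for the BES service account that was granted Send As.

```powershell
# Added example: list mail-enabled accounts whose ACL is governed by AdminSDHolder
# and report whether the Send As grant for the BES service account is still present.
# Assumption: 'EXAMPLE\BESAdmin' is a placeholder; replace it with your own account.
Import-Module ActiveDirectory

$BesAccount = 'EXAMPLE\BESAdmin'
# Schema GUID of the Send-As extended right.
$SendAsGuid = [guid]'ab721a54-1e2f-11d0-9819-00aa0040529b'
$Extended   = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

function Test-SendAs {
    param(
        [Parameter(Mandatory)][string]$DistinguishedName,
        [Parameter(Mandatory)][string]$Trustee
    )
    # The AD: drive is provided by the ActiveDirectory module.
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    $ace = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $Trustee -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band $Extended) -and
        $_.ObjectType -eq $SendAsGuid
    }
    [pscustomobject]@{
        HasSendAs           = [bool]$ace
        # True when the object no longer inherits ACEs from its parent container,
        # which is how AdminSDHolder-protected accounts are stamped.
        InheritanceDisabled = $acl.AreAccessRulesProtected
    }
}

# adminCount=1 marks accounts that are, or previously were, members of a protected
# group such as Domain Admins. The attribute is not cleared when membership is removed.
Get-ADUser -LDAPFilter '(&(adminCount=1)(mail=*))' -Properties adminCount, memberOf |
    ForEach-Object {
        $check = Test-SendAs -DistinguishedName $_.DistinguishedName -Trustee $BesAccount
        [pscustomobject]@{
            User                = $_.SamAccountName
            HasSendAs           = $check.HasSendAs
            InheritanceDisabled = $check.InheritanceDisabled
            ProtectedGroups     = ($_.memberOf -join '; ')
        }
    } |
    Sort-Object User |
    Format-Table -AutoSize -Wrap
```

An account that still shows group memberships in the last column and `HasSendAs = False` is one where the grant has been overwritten, which matches the symptom described in the first post.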