[costonbw]

It looks like my latest problem has to do with the AdminSDHolder and the fact that it sets the accounts security-descriptor is set not to inherit permissions from parent objects for members of certain administrative groups. Now that the groups are not administrators any more I've changed the security-descriptor to inherit permissions again and the "Send As" rights now flow to the accounts, but my test messages still fail. I'm thinking this may be a re-fresh issue now though.

What a mess...

[costonbw]

Quote:

Originally Posted by costonbw

It looks like my latest problem has to do with the AdminSDHolder and the fact that it sets the accounts security-descriptor is set not to inherit permissions from parent objects for members of certain administrative groups. Now that the groups are not administrators any more I've changed the security-descriptor to inherit permissions again and the "Send As" rights now flow to the accounts, but my test messages still fail. I'm thinking this may be a re-fresh issue now though.

What a mess...

Well, it turns out that AdminSDHolder does allot, and one of those things is to break rights inheritance for Administrator users. This is to protect important user accounts from being taken over users who have been delegated the change password right, etc. After fixing inheritance on the problem users and waiting the prerequisite 30 minutes everything works.

The moral of this story... never mail enable accounts with "Administrator" privilege.

[waynek]

We've not yet deployed the evil MS Exchange updates to our Exchange 2003 server yet, but plan on doing so this week. I'm a little confused as to which account needs to have the Send As permissions for our Blackberry user accounts. Is it the SERVICE account, or is it the account that is used to communicate between the Exchange Server & BES Server (ours is BESAdmin...i.e. is it the account listed in the MAPI profile of the Blackberry Server Configuration?)

[costonbw]

Quote:

Originally Posted by waynek

We've not yet deployed the evil MS Exchange updates to our Exchange 2003 server yet, but plan on doing so this week. I'm a little confused as to which account needs to have the Send As permissions for our Blackberry user accounts. Is it the SERVICE account, or is it the account that is used to communicate between the Exchange Server & BES Server (ours is BESAdmin...i.e. is it the account listed in the MAPI profile of the Blackberry Server Configuration?)

It's the BES Service Account, which is the account that was configured for the BES to talk to Exchange. It needs to, at a minimum, have "Send As" on all the Blackberry users accounts. The Blackberry Knowledgebase Article has more info.

[waynek]

Quote:

Originally Posted by costonbw

Well, it turns out that AdminSDHolder does allot, and one of those things is to break rights inheritance for Administrator users. This is to protect important user accounts from being taken over users who have been delegated the change password right, etc. After fixing inheritance on the problem users and waiting the prerequisite 30 minutes everything works.

The moral of this story... never mail enable accounts with "Administrator" privilege.

Can you please explain to me what you changed so that those users who are affected by the AdminSDHolder could send mail again from the BB again?

[costonbw]

Quote:

Originally Posted by waynek

Can you please explain to me what you changed so that those users who are affected by the AdminSDHolder could send mail again from the BB again?

I removed the users from the affected groups (Domain Admins's, etc) and then re-enabled Permission Inheritance for the user. Then we had to create seperate non-mail-enabled administrator accounts for the affected users.

For more info on AdminSDHolder see AdminSDHolder - or where did my permissions go?

[gkbbadmin]

You can find more information about applying the send as permissions to admin accounts by using the dsacls command on the AdminSDHolder object. See the following link:

msexchangeteam.com/archive/2006/01/13/417440.aspx

Good luck.