[KeithWeldon]

Hello - first post, so try to be kind....

Running SBS2003 SP1 Premium (Exchange 2003 SP2, SQL Server 2000 SP4, ISA Server 2004).

Is it technically feasable to use the Administator account as the BES service account? Or is it just not advisable for security reasons?

Anyone have it working using the Administrator account without creating a BESAdmin account? I have it "working", but there are a few outstanding issues that need fixing.

So, just thought I would ask if what I am trying to do is even possible before I roll up my sleeves on the issues.

Thanks in advance.
Keith

[andidarmali]

Can you tell us what is the issue? Hopefully we can provide you with the right solution...

[d_fisher]

Why would you want to use the Administrator account. Best practice is to use the account with the least required rights to do the job, ie. BESAdmin.

[Dirky]

Quote:

Originally Posted by d_fisher

Why would you want to use the Administrator account. Best practice is to use the account with the least required rights to do the job, ie. BESAdmin.

I could not get things working properly when I used a BESAadmin account for the MAPI connection. There was some permission problems. I did some reading and adjusted permissions as suggested but could not get it working.
I tried with the Administrator account and it seems to work ok.

However I realise this may not be the best way to leave it running?

Mike

[DoomBringer]

I reccomend creating the user accounts like the manuals say (or used to say, at least... 3.6 specified a few user accounts to create and use)

[KeithWeldon]

Quote:

Originally Posted by andidarmali

Can you tell us what is the issue? Hopefully we can provide you with the right solution...

The only thing that doesn't work is Calendar sync, but only in one direction. The calendar syncs from Outlook to Handheld, but NOT from Handheld to Outlook.

The BES error log entries, associated with the MS event 20216 "Sync Failed" entries, clearly state "You do not have permission to log on", but I am at a loss as to where to look to resolve this permissions issue.

The BES is performing all the other syncs (contacts, tasks, notes) in both directions and sending and receiving mail on the handheld is flawless.

Given the MS critical updates of May 9 and how that impacted BES permissions, it seems that creating the separate BESAdmin account will end up being the best path to take.

So, even though I would love to resolve this one (so close, yet so far away), I think I will create the BESAdmin account and reinstall, while I still have the chance to do it before this Small Business Server goes into production.

Thanks,
Keith

[ld-runner]

i run BES under the domain admin account. no issues with me. my BES is running on a member server not hosting AD. I have zero issues. RIM told me I should change it, but did not tell me why. Only that it is prefered to do it that way. Supposedly, using the admin account could cause issues if you go over 100 users on BES. Since i have less than 15, i never made the change.

[Dirky]

Quote:

Originally Posted by KeithWeldon

The only thing that doesn't work is Calendar sync, but only in one direction. The calendar syncs from Outlook to Handheld, but NOT from Handheld to Outlook.

The BES error log entries, associated with the MS event 20216 "Sync Failed" entries, clearly state "You do not have permission to log on", but I am at a loss as to where to look to resolve this permissions issue.

The BES is performing all the other syncs (contacts, tasks, notes) in both directions and sending and receiving mail on the handheld is flawless.

Given the MS critical updates of May 9 and how that impacted BES permissions, it seems that creating the separate BESAdmin account will end up being the best path to take.

So, even though I would love to resolve this one (so close, yet so far away), I think I will create the BESAdmin account and reinstall, while I still have the chance to do it before this Small Business Server goes into production.

Thanks,
Keith

Hi Keith,
I had this error at first, I found some info which helped me fix it, I have the document at home (I printed it out!).
It was something to do with adjusting the permissions for the Administrator I seem to recall.

Mike

[meezerbean]

Quote:

Originally Posted by ld-runner

i run BES under the domain admin account. no issues with me. my BES is running on a member server not hosting AD. I have zero issues. RIM told me I should change it, but did not tell me why. Only that it is prefered to do it that way. Supposedly, using the admin account could cause issues if you go over 100 users on BES. Since i have less than 15, i never made the change.

I speak from experience. This is a BAD idea. If you get any corruption in your AD database you are screwed! I recently, last week, had this issue. ALL of my admin accounts were locked out due to security corruption. The besadmin account was the only account I could log in with. It was because it was not a member of the Domain Admins group. I was able to reset my security using a KB article from Microsoft (KB313222) Having the besadmin account at a lower security level kept me from having to restore from backup.

-James

P.S. I am running BES 4.0 SP4 on Windows Server 2003 SP2.

[ld-runner]

if my AD ever took a dump, I'd have bigger things to worry about than BES. lol. The issue with RIM is probably more about security than having a user account that you can log in with in the event of AD corruption.

[meezerbean]

Quote:

Originally Posted by ld-runner

if my AD ever took a dump, I'd have bigger things to worry about than BES. lol. The issue with RIM is probably more about security than having a user account that you can log in with in the event of AD corruption.

LOL, I agree, I did not mean to imply that that was their (RIM's) reasoning. It just was a good thing I did it "by the book." It saved my a** because it was the one account I could use. I am sure you are correct. You do not want the besadmin account or any account for that matter to have higher security than necessary as a best practice anyway.

-James

[KeithWeldon]

Everyone has been so helpful, I can't begin to thank you all enough.

I thought I would report back on my sucess at installing BES 4.1 Express on a Microsoft Small Business Server 2003 Premium Edition with SP1.

First, I restored the pre-production SBS to just before my ill fated attempt to use the Administrator's account as the BES service account.

Then, as outlined in Section 3 of the BES for MS Exchange Version 4.1 Installation Guide, I created a BESAdmin account with appropriate rights.

The install went as smooth as silk.

Then after adding BESAdmin to my handheld user's security settings to deal with Microsoft's sabotage, I deployed the handheld and voila! A typically wonderful BlackBerry experience.

Gotta just LOVE that BlackBerry Enterprise Server!!

Again, THANKS TO EVEYONE!!

Keith

P.S. anyone interested in a write up of the installation, which includes screen shots, just give me a holler and I would be happy to share.

[paul_griffiths]

Have IMed you Keith re: your guide

[fushwabo]

Hi,

I'd love to see a copy of your guide KEith - in particular the permission requirements for the Besadmin account pre BES install.

[Zro]

Just so you know, the reason you were getting permissions failures with the Administrator account is because Exchange denies send as/receive as to domain admins.

This is a very common issue. People put BESAdmin in the Domain Admins group and BES no workey. Take them out of Domain Admin and put in local Admin and Domain Users, works fine for setting send as/receive as permissions.

Zro

[fushwabo]

Hi,

Thanks for that - still having a problem with the installation.

All is ok untill i get to the [Database Setting] step, when it gets to create the db BESMgmt i get an error

"DB upgrade failed. Error executing an SQL statment"

And it lets me get no further - any ideas?

Quote:

Originally Posted by Zro

Just so you know, the reason you were getting permissions failures with the Administrator account is because Exchange denies send as/receive as to domain admins.

This is a very common issue. People put BESAdmin in the Domain Admins group and BES no workey. Take them out of Domain Admin and put in local Admin and Domain Users, works fine for setting send as/receive as permissions.

Zro

[|||||||]

You don't have system admin permissions over SQL most likely. What type of authentications are you using? Windows or SQL?

Quote:

Originally Posted by fushwabo

Hi,

Thanks for that - still having a problem with the installation.

All is ok untill i get to the [Database Setting] step, when it gets to create the db BESMgmt i get an error

"DB upgrade failed. Error executing an SQL statment"

And it lets me get no further - any ideas?

[fushwabo]

Hi,

Excuse me for being thick - how would i know that? I've just done a stanard install of BES with the new besadmin account as specified in the manual - unlike my preious install as admin this one stops with the error - how would i find out what kind of authentication i'm using?

regards

Quote:

Originally Posted by |||||||

You don't have system admin permissions over SQL most likely. What type of authentications are you using? Windows or SQL?

[blackberry1]

"DB upgrade failed. Error executing an SQL statment"

That error typically is displayed if the if the SQL data directory already has besmgmt.mdf and besmgmtlog.ldf created.Delete those files and try again
(Common when using MSDE)

If you are using SQL 2000/2005- Best way to go about giving permissions is to create a security login for the domain/besadmin account

Assign System and Server Admin
After the install is complete only dbowner is required

[fushwabo]

Thanks chap - that got it - was deleting the mdf file but not the ldf file - seems to be working now!

Many thanks again

Quote:

Originally Posted by blackberry1

"DB upgrade failed. Error executing an SQL statment"

That error typically is displayed if the if the SQL data directory already has besmgmt.mdf and besmgmtlog.ldf created.Delete those files and try again
(Common when using MSDE)

If you are using SQL 2000/2005- Best way to go about giving permissions is to create a security login for the domain/besadmin account

Assign System and Server Admin
After the install is complete only dbowner is required