BlackBerry Forums Support Community               

Old 04-10-2008, 05:42 PM   #1 (permalink)
Knows Where the Search Button Is
 
big.phil's Avatar
 
Join Date: Jan 2008
Location: Seattle
Model: Gnex
PIN: varchar
Carrier: VZW (Galaxy Nexus)
Posts: 33
Post Thanks: 0
Thanked 0 Times in 0 Posts
Question Domain Admins, Send As issues...

Hey everyone! I just wanted to get everyone else's thoughts on the famous "Send As" issue. Here's the rundown > I applied SP5 to my BES servers that are running on Exchange 2003 SP2, and once I did that, any of my users that are in the "Domain Admins" etc. groups can no longer send messages. So I have researched the issue quite a bit the last day now and have a workaround I have put in place for several of us, including me. I just wanted to double check with everyone that this is the correct way of going about solving this issue. I don't know why this is just hitting us, as it seems it should have when the MSFT patch came out a long time ago, but anyways... here is the process that I did.


1. Close Outlook
2. In ADUC right click on your account > Exchange Tasks > delete mailbox
3. When your mailbox is deleted, right click on your account > Copy
4. Create your new account with your name but append the word “Mailbox” to the last name field, and the username should be something like “PnunnMailbox” > DO NOT CREATE A MAILBOX ON THIS NEW ACCOUNT!
5. When the new account is created > open the properties for it > “Member Of” tab > remove the new account from ALL security groups EXCEPT “Domain Users” and keep all distribution list memberships intact
6. Call me/email me and I will run the cleanup agent on the Exchange Server mailbox store and reconnect your deleted mailbox to your new account
7. Change the “DisplayName” attribute on your new account to be your full name and change the “Alias” attribute to be your mailcode
8. Transfer any fax and phone numbers over from your old account to your new one being sure to delete them from your old account
9. Once the Exchange Recipient Policy has run and your new account is populated with email address, check the “Email Addresses” tab and edit all of the addresses to reflect your correct email address
10. On your new account open the “Mailbox Rights” button from the “Exchange Advanced” tab and add your OLD account into the ACL and grant it “Full mailbox access”
11. Re-open Outlook

NOTES: It appears that you DO NOT have to remove your account from the BES for everything to work correctly, just the steps above. The only thing I have found that doesn’t work properly is that during a send/receive task in Outlook you may see the following error if you are in cached Exchange mode > Task 'Microsoft Exchange' reported error (0x8004010F) : 'The operation failed. An object cannot be found.' This error seems to be related to the offline address book not being able to download. Here is a Microsoft article that applies to Exchange 2000 that describes the exact issue. The cause they state is exactly what we are doing, but they do not state anything about Exchange 2003, so we might have to live with it.

You may receive error messages when you try to download the Offline Address Book on behalf of another user in Exchange 2000 Server

Those are the steps I came up with. Again, thanks for anyone's help with this!
__________________
--------------------------
BES 5.0.3 MR1, Exchange 2007 SP3 RU5
435 devices
Offline  
Old 04-12-2008, 06:15 AM   #2 (permalink)
CrackBerry Addict
 
ashworth's Avatar
 
Join Date: Jun 2006
Location: Ontario, Canada
Model: 9000
OS: 4.6
Carrier: Rogers
Posts: 625
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

I have never seen anyone do it the way MS tells us to do it. Good job!

I just removed the send as permissions on my domain admins within AD to fix it.
__________________
Cheers,
Ash


My BlackBerry GPS Golf Application | Mileage Calculator
Offline  
Old 04-17-2008, 06:52 AM   #3 (permalink)
BlackBerry Genius
 
hdawg's Avatar
 
Join Date: Aug 2006
Model: hdawg
PIN: port3101.org
Carrier: hdawg
Posts: 6,632
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

I can't think of a worse way of handling this issue ... maybe other than modifying the AdminSDHolder object. I'd recommend following both Microsoft's and RIM's recommendation and use the principle of least privilege ... create a user account for your BES account and have a separate administrative account.
Offline  
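
A read-only audit that supports the account separation recommended in the post above, as an added example that is not part of the original thread: it lists mailbox-enabled accounts that are (or were) in a protected group such as Domain Admins and shows whether the BES service account holds Send As on each. It assumes the ActiveDirectory PowerShell module is available; `EXAMPLE\BESAdmin` is a placeholder for your own BES service account.

```powershell
# Added example: read-only audit, requires the ActiveDirectory (RSAT) module.
Import-Module ActiveDirectory

# ASSUMPTION: placeholder name for the BES service account; replace with yours.
$BesAccount = 'EXAMPLE\BESAdmin'

# Schema GUID of the "Send As" extended right.
$SendAs = [guid]'ab721a54-1e2f-11d0-9819-00aa0040529b'

# adminCount=1 : account is, or once was, in a protected group (Domain Admins etc.)
# homeMDB=*    : account is mailbox-enabled
$filter = '(&(objectCategory=person)(objectClass=user)(adminCount=1)(homeMDB=*))'

Get-ADUser -LDAPFilter $filter -Properties homeMDB, nTSecurityDescriptor |
    ForEach-Object {
        $sd    = $_.nTSecurityDescriptor
        $rules = $sd.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])

        # Allow ACEs granting Send As to the BES service account on this user.
        # An all-zero ObjectType on an ExtendedRight ACE means "all extended rights".
        $besSendAs = $rules | Where-Object {
            $_.IdentityReference.Value -eq $BesAccount -and
            $_.AccessControlType -eq 'Allow' -and
            ($_.ActiveDirectoryRights -band
                [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
            ($_.ObjectType -eq $SendAs -or $_.ObjectType -eq [guid]::Empty)
        }

        [pscustomobject]@{
            SamAccountName     = $_.SamAccountName
            Enabled            = $_.Enabled
            MailboxStore       = $_.homeMDB
            # True when the ACL no longer inherits from the parent container,
            # which is the state AdminSDHolder protection leaves accounts in.
            InheritanceBlocked = $sd.AreAccessRulesProtected
            BesHasSendAs       = [bool]$besSendAs
        }
    } |
    Sort-Object SamAccountName |
    Format-Table -AutoSize
```

Every row returned is an account that combines a mailbox with protected-group status; `adminCount` is not cleared when an account leaves the group, so confirm current membership before acting on a row.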
Old 04-17-2008, 06:58 AM   #4 (permalink)
Knows Where the Search Button Is
 
Join Date: Aug 2007
Location: Spring, Texas
Model: 8830
PIN: N/A
Carrier: Sprint-Nextel
Posts: 25
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

Quote:
Originally Posted by hdawg View Post
I can't think of a worse way of handling this issue ... maybe other than modifying the AdminSDHolder object. I'd recommend following both Microsoft's and RIM's recommendation and use the principle of least privilege ... create a user account for your BES account and have a separate administrative account.

I agree. It's like that for a reason.

Plus, why are you logging in to your domain with domain admin privileges on a regular basis? Not a wise security decision.
Offline  
Old 04-17-2008, 11:30 AM   #5 (permalink)
Knows Where the Search Button Is
 
big.phil's Avatar
 
Join Date: Jan 2008
Location: Seattle
Model: Gnex
PIN: varchar
Carrier: VZW (Galaxy Nexus)
Posts: 33
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

Quote:
Originally Posted by hdawg View Post
I can't think of a worse way of handling this issue ... maybe other than modifying the AdminSDHolder object. I'd recommend following both Microsoft's and RIM's recommendation and use the principle of least privilege ... create a user account for your BES account and have a separate administrative account.

I agree that we should not be logging in with our regular domain admin rights, so I am clear about that issue. Thanks.
__________________
--------------------------
BES 5.0.3 MR1, Exchange 2007 SP3 RU5
435 devices
Offline  
Copyright © 2004-2014 BlackBerryForums.com.
The names RIM © and BlackBerry © are registered Trademarks of BlackBerry Inc.