BlackBerry Forums Support Community               

Closed Thread
 
LinkBack Thread Tools
Old 06-27-2008, 09:56 AM   #1 (permalink)
New Member
 
Join Date: Jun 2008
Model: 8700G
PIN: N/A
Carrier: T-Mobile
Posts: 2
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default Limiting BES Admin Access By OU

Please Login to Remove!

Hi everyone,

We manage Exchange and BES for another company that has their AD structure broken down by OU so that each OU has its own administrator that has full rights over all the users under their respective OUs. We want to delegate rights to those administrators to add/remove users and reset enterprise activation passwords so they don't have to keep asking us for every BES change they wish to perform.

The customer's requirement is that the administrators only have BES admin access to their specific OU and not to any other OUs. Currently I don't see a way to do this on BES 4.1 SP5. In other words, even if we add someone to the Jr or Sr helpdesk roles, they will have access to reset BES passwords and add/remove users from other OUs as well as their own.

Is there a way we can make this happen? Or, if this isn't possible, is there a way we can log BES user additions/removals and password resets by administrators?
Offline  
Old 06-27-2008, 09:58 AM   #2 (permalink)
BlackBerry Genius
 
hdawg's Avatar
 
Join Date: Aug 2006
Model: hdawg
PIN: port3101.org
Carrier: hdawg
Posts: 6,632
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

Quote:
Originally Posted by jason331 View Post
Hi everyone,

We manage Exchange and BES for another company that has their AD structure broken down by OU so that each OU has its own administrator that has full rights over all the users under their respective OUs. We want to delegate rights to those administrators to add/remove users and reset enterprise activation passwords so they don't have to keep asking us for every BES change they wish to perform.

The customer's requirement is that the administrators only have BES admin access to their specific OU and not to any other OUs. Currently I don't see a way to do this on BES 4.1 SP5. In other words, even if we add someone to the Jr or Sr helpdesk roles, they will have access to reset BES passwords and add/remove users from other OUs as well as their own.

Is there a way we can make this happen? Or, if this isn't possible, is there a way we can log BES user additions/removals and password resets by administrators?
Welcome!

What you're looking to do can't be done with roles or through the BlackBerry Manager.

Your best bet would be to build a web app or some other app using the BlackBerry Resource Kit User Administration Service / Client, and taking the security model out of the realm of BES and putting the onus on AD Groups / Permissions.
Offline  
Old 06-27-2008, 10:14 AM   #3 (permalink)
New Member
 
Join Date: Jun 2008
Model: 8700G
PIN: N/A
Carrier: T-Mobile
Posts: 2
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

That's what I thought... bummer.

How about at least logging password resets and user additions/removals?
Offline  
Old 06-30-2008, 07:00 AM   #4 (permalink)
BlackBerry Genius
 
hdawg's Avatar
 
Join Date: Aug 2006
Model: hdawg
PIN: port3101.org
Carrier: hdawg
Posts: 6,632
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

Quote:
Originally Posted by jason331 View Post
That's what I thought... bummer.

How about at least logging password resets and user additions/removals?
I wish I could say the BRK Tool AdminHistory.exe would do this for you but it really won't ...

Your best bet to effectively manage this would be to setup / build an application to do it for you.
Offline  
Closed Thread


Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

vB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are On





Copyright 2004-2014 BlackBerryForums.com.
The names RIM and BlackBerry are registered Trademarks of BlackBerry Inc.