Jimmy, Welcome to BBF!
1) Remove BESAdmin as Domain Admin. BES Admin should NEVER BE A MEMBER OF THE GROUP DOMAIN ADMINS
. THIS IS THE CASE EVEN IF YOU INSTALL BES ON A DOMAIN CONTROLLER
. Sorry for the caps, just wanted to make that clear.
2) Accounts that are a Member of Domain Admins or other protected groups should NOT be BES users ... Read about AdminSDHolder
You could make modifications to Active Directory default configuration to make this work, but I would recommend against doing that, and instead following the principle of least privilege
, whereas your boss uses a USER level account for his USER level functions such as reading, processing email, logging in, printing, etc ... and uses a separate distinct administrator level account for administration functions.
The reason he is getting the Red X, is because the AdminSDHolder process/function within Active Directory is removing
the BESAdmin's account the ability to "Send As" him, because he is a Member of one of the protected groups listed (Domain Admins).
Again ... don't change AD, but rather change his account and follow security best practice.