Hi,

I'm running BES 4.1 on an SBS 2003 (Windows Server 2003/SP1) box with 10 users. I got a call from a user who reported that when he tried to send from his BB8830 he got a red x and the message "Desktop mail unable to submit message." I researched this and found several references to missing Send As permissions. I looked and discovered that half my BB users had BESAdmin listed under their Security Tabs in AD Users/Computers, and these users could send, but five users, including the complaining user, did not have BESAdmin listed under their Security Tabs in AD Users/Computers. Turned out that none of those five users could send messages. I added BESAdmin with Send As to all five users' Security Tabs, stopped the BES services, restarted the Exchange Information Store, restared BES, and all five could then send again.

However the next time I looked--about an hour later--BESAdmin was gone from all five, although they continue to be able to send.

The five users who did have BESAdmin listed under their AD Security Tabs continue to have BESAdmin listed, and I noticed that their BESAdmin Send As permissions are inherited.

Why does BESAdmin keep disappearing from the AD Security Tab of the other five? How can I make the missing five users' Security permissions look like the permissions of the "good" five?

Thanks in advance for any help/insight.

GaryK

Those particular problematic users are likely part of an AD group with elevated permissions. (Domain Admin?)

Read more here:
Unable to send email messages because the Send As permission has been revoked

[quote=soupandsandwich;1139948]Those particular problematic users are likely part of an AD group with elevated permissions. (Domain Admin?)



They are members of Domain Admin and Enterprise Admin. One of them is the Administrator, which needs to be a member of both.

[quote=gkarasik;1139953]As BES users, they can't (and shouldn't) be members of either group.
Very dangerous for an admin to running as an admin all the time. That's bad security practice.

You should be following the principle of least privilege.
Get them out of the special groups.

[quote=soupandsandwich;1139960]
I have removed both groups. When I check again later, both groups have been restored.

I don't understand what you're saying here.
Are you saying that you removed those users from the Domain Admin and Enterprise Admin group... but then they're mysteriously added back to those groups later?

Exactly.

Then someone is manually adding them back.
BES has absolutely no mechanism for adding users to AD groups.
Your problem lies outside of the BlackBerry world.

I can assure you that nobody is manually adding them back. I think it's a function of Active Directory.

Perhaps someone else has run into something similar and can offer a suggestion.

In the meantime, thanks for taking the time to try to help.

Same problem. I have had BPS Express running for the last 2 months. I installed it under my credentials and set up the MAPI profile using my mailbox, everything worked fine. I have the only Blackberry and our techs have Windows Mobile. We had a client who just bought a Curve and missed the Windows Mobile sync functionality. I went over to install BES (really Blackberry Professional Server) and after working through the security of the BESAdmin user her phone was working just fine. I took the time to re-install BPS using the correct method and I ended up in the same situation you are in with the five users.

We have a SBS 2003 Standard Server SP2 w/Exchange at SP2. We do not have the KB95949 hotfix. Soupandsandwich is correct, it is not a best practice to run as a Domain Admin your day to day account. My account was by virtue of the SBS add user wizard a Domain Admin. SBS lets us create user accounts using Server Management via a wizard. You choose administrator and SBS adds the appropriate domain groups to the users membership.

I ran the Change Permissions wizard and downgraded my rights to that of a Mobile User. I did not restart the Information Store or the BES services but waited for the refresh period that would typically remove the BESAdmin user's Send As permission and was able to send emails from my phone. No red X's. After 3 hours I am still able to send from the Blackberry.

Now, as far the admin groups coming back this is more than likely happening by the administrator. What I suggest is if you are responsible for the BES functions then offer create <username>-admin account (eg jdoe-admin), no Exchange mailbox, doing this with the AD Users and Computer MMC and unchecking the Exchange mailbox creation. Most admins have admin rights to their own PC and would then use the new account to log into the server. This is a best practice, I should have been following myself. If that works then downgrade the admins rights and their Blackberry's should be able to send.

I've got it sorted. Thanks very much.

GaryK

What was the resolution?

I took your advice and removed the user from all built-in groups and created a separate admin account for him. He was grumpy. I was very sympathetic. Without users, how would we make a living?

GaryK

You did the right thing.

Glad to hear that you were able to sort it out.

For future reference here is some supporting material that helped resolve my SBS related issue:

Unable to send email messages because the Send As permission has been revoked - Blackberry Support Doc ID: KB04707

How to install BES on MS SBS - Blackberry Support Doc ID: KB13242

The "Send As" right is removed . . . - Microsoft KB Article ID: 907434


--Sherlock