BlackBerry Forums Support Community

gloowee · 08-11-2009, 09:24 AM

Hi friends. Newbie to BES here.

I've setup BES 5.0 for Exchange 2007. I have experienced some issues that I'll work out with the help & suggestions in the other threads.

My question today is has anyone tried setting BES 5.0 up on a standalone server? Meaning, does the machine have to be a member of the domain? If so, what did you discover? Does it work?

The reason I ask this is because the BESAdmin account is running as a service and is also a domain admin. Since all domain computers trust the BES server because it's part of the domain, if someone got control of the BESAdmin account then that'd be game over.

skyman84 · 08-11-2009, 09:31 AM

Then why make the besadmin account a domain admin account?

penguin3107 · 08-11-2009, 09:36 AM

Quote:

Originally Posted by gloowee

the BESAdmin account is running as a service and is also a domain admin.

Why would you do this?

gloowee · 08-11-2009, 09:46 AM

I'm pretty sure the setup tutorial said to put the besadmin account in the group "administrators" at the domain level.

skyman84 · 08-11-2009, 09:48 AM

No no, the BESAdmin account needs to be a local admin on the BES server it's self only, not the domain.

It does need access to the mailfiles of the mail system your using, but as far as AD admin rights go, only local admin access to the server is sits on, and the ability to run as a service.

penguin3107 · 08-11-2009, 09:48 AM

Quote:

Originally Posted by gloowee

I'm pretty sure the setup tutorial said to put the besadmin account in the group "administrators" at the domain level.

No, it doesn't. The BES Service Account shouldn't be a Domain Admin.
It should be a local admin on the BES.

CanuckBB · 08-11-2009, 10:03 AM

Quote:

Originally Posted by gloowee

The reason I ask this is because the BESAdmin account is running as a service and is also a domain admin. Since all domain computers trust the BES server because it's part of the domain, if someone got control of the BESAdmin account then that'd be game over.

As other have said BESAdmin needs to be local admin.

And how is BESAdmin any different than 'Administrator'? The chances of somebody getting access to BESAdmin are no greater than Administrator.

usererror · 08-11-2009, 10:26 AM

I thought the besadmin account also had to be a member of the domain in order for it to do the "Send As" abilities on each user's account.

skyman84 · 08-11-2009, 10:29 AM

Wirelessly posted (Bold 9000)

The besadmin account must be a domain account, and have the sendas permissions, but it does not need to be added to the domain admin group. Just make sure its added locally to the admin group on the server.

gloowee · 08-11-2009, 10:31 AM

Check out module #2.

blackberry. com/ select/ toolkit/ 02.shtml#

Should the besadmin account also be a local admin on the Exchange server in order to get access to other peoples mailbox?

penguin3107 · 08-11-2009, 10:58 AM

Quote:

Originally Posted by gloowee

Check out module #2.

blackberry. com/ select/ toolkit/ 02.shtml#

Should the besadmin account also be a local admin on the Exchange server in order to get access to other peoples mailbox?

You seem to be really confused about permissions assigned to the BES service account.
This should clear things up for you:
KB02276 - Assigning permissions for a BlackBerry Enterprise Server service account - Port3101.org : Your BES Connection

Follow that KB article and you should be fine.

MarshBklyn · 08-11-2009, 11:02 AM

Quote:

Originally Posted by gloowee

Should the besadmin account also be a local admin on the Exchange server in order to get access to other peoples mailbox?

No. Only Exchange View Administrator within exchange. Also, send, receive, and administer store permissions as well.

gloowee · 08-11-2009, 11:32 AM

Thank you. I followed your instructions to the letter and all was good. Still having issues that I'll search the forums for help on.

BlackBerry Forums Support Community

Bes On A Standalone Server