03-26-2010, 06:59 PM
Knows Where the Search Button Is
Join Date: Jan 2007
Post Thanks: 0
Thanked 0 Times in 0 Posts
| | BES + Exchange 2010 (and 2k7 too) permissions
Please Login to Remove!
So, I have often wondered this, and never had it be a "problem" until now.
In the BES 5.x instructions, there is this step:
Type Add-ADPermission -InheritedObjectType User -InheritanceType Descendents -ExtendedRights Send-As -
User "BESAdmin" -Identity "CN=Users,DC=<domain_1>,DC=<domain_2>,DC=<domain_3 >"
Now, these instruction work, as long as you have all your users in the "Users" CN. At my employer, this needed to be replaced with OU=Employees instead, because that is where all the users are.
Now, I have a customer who has about 35 OU's off their root. Now, I can audit, and specifically set this permission at each OU.. I can also script and loop through the root OU's applying this permission..
However, if the customer add's another Root OU, they would need to re-run this permission. That's acceptable to some customers, but not all.
And if you try to run the above and apply to just DC=domain,DC=com, it errors out in a pretty non-descriptive manner.
Any feedback welcome.