BlackBerry Forums Support Community

BlackBerry Forums Support Community (http://www.blackberryforums.com/)
-   BES Admin Corner (http://www.blackberryforums.com/bes-admin-corner/)
-   -   Important: Microsoft Software Update for May 9th, 2006 and Impact on BES (http://www.blackberryforums.com/bes-admin-corner/34595-important-microsoft-software-update-may-9th-2006-impact-bes.html)

jnelson2000 05-08-2006 09:16 PM

Important: Microsoft Software Update for May 9th, 2006 and Impact on BES
 
Latest email from RIM sent tonight. Sorrry if duplicate.

Dear Customer,

In line with Microsoft's Security Update Advisor monthly patch update (http://www.microsoft.com/technet/sec.../advance.mspx), they have plans on releasing a patch on May 9, 2006 for Exchange 2000 Server and Exchange Server 2003. If you are planning on installing this update, it's important to note that this update affects user mailbox permissions by revoking the 'Send As' permission in Exchange which has an impact on third party products such as BlackBerry Enterprise Server for Microsoft Exchange. Once applied, this update will prevent users on BlackBerry Enterprise Server from sending email from a BlackBerry or BlackBerry-enabled device.

Recommended Resolution
RIM, in conjunction with Microsoft, has provided configuration settings that must be implemented to enable BlackBerry users to continue sending messages. Microsoft is recommending modifying permissions in Active Directory as outlined in the following public-facing Microsoft KBA:
http://support.microsoft.com/kb/912918

BlackBerry Technical Support Knowledge Base Article with general information about this change can be found here:
http://www.blackberry.com/knowledgec...66052&vernum=8

Before applying this Microsoft Software Update, RIM recommends that Administrators review these two Knowledge Base articles and take any necessary steps appropriate for their environment. Please contact [email address] if additional support is required for this as it applies to BlackBerry Enterprise Server.

BBAdmin 05-09-2006 09:06 AM

I've been looking at this today. It would seem when you send an email RIM take ownership of it and hense it doesn't originate where it appears to have (the users email address). This must make it look like SPAM. I can see why MS have implemented such a change, and it will certainly be beneficial in combatting unwated SPAM (which even a small company like ours spends thousands a year trying to cut unwanted mails out), but annoying it has a knock on effect on the BES.

As another thought I bet this has an effect on BlackBerry Internet Mail as well where users will have changed the 'Sent From' address on their BlackBerry webmail interface. I can see emails potentially getting bounced back in these instances to, although you would think RIM would have mentioned this. Perhaps I'm mistaken!

wibbly 05-09-2006 09:41 AM

Quote:

Originally Posted by BBAdmin
I bet this has an effect on BlackBerry Internet Mail as well where users will have changed the 'Sent From' address

I would like to understand the implication of this too.

Does it affect

- Outlook users receiving mail from BB's on a BIS?
- Outlook users on Exchange receiving mail from BB's on a BIS?

MrFace 05-09-2006 01:04 PM

What if you aren't running AD? How do I get around this?

richardsbd 05-09-2006 01:17 PM

Quote:

Originally Posted by MrFace
What if you aren't running AD? How do I get around this?

If you are not runnig AD, then what OS and version are your Domain Controllers and Exchange server(s)?

[edit]There is always the option to NOT install the patch...

Trugoy 05-09-2006 01:25 PM

If you're not running AD, then you aren't running Exchange 2000 or 2003 and the patch doesn't apply to you.

Khue 05-09-2006 01:55 PM

Good stuff, thank you for the post.

GT! 05-09-2006 10:03 PM

I don't think the instructions posted on blackberry.com will work unless all of your users are under the 'users' OU in AD. I think it would be better to apply the 'send as' permission at the root of the domain. Comments?

jibi 05-09-2006 10:06 PM

Quote:

Originally Posted by GT!
I don't think the instructions posted on blackberry.com will work unless all of your users are under the 'users' OU in AD. I think it would be better to apply the 'send as' permission at the root of the domain. Comments?

If you aren't constrained and don't mind every user being subject to that permission, then why not - it'd definitely be easier than running and maintaining a damn sorry script provided by Microsoft. The Users object refers to "(objectClass=Users)" which is any AD object marked as a user. It states to repeat the steps for all OUs that are applicable (not sure if this is necessarily a good idea, as it would give unnecessary access to non-applicable users unless you group BlackBerry users together in their own OU). I suppose if the service account has permissions to the CEO, President, every EVP and SVP, every Director, etc., then it likely won't mean all that much to allow it permissions on Joe Random, either... :-)

jibi 05-09-2006 10:11 PM

Quote:

Originally Posted by BBAdmin
As another thought I bet this has an effect on BlackBerry Internet Mail as well where users will have changed the 'Sent From' address on their BlackBerry webmail interface. I can see emails potentially getting bounced back in these instances to, although you would think RIM would have mentioned this. Perhaps I'm mistaken!

It wouldn't. It only prevents users within an Exchange environment from sending as another user or service account or shared mailbox or whatever if that permission wasn't applied.

What doesn't make sense, in my opinion, is why we would set implicit 'Send As' permissions in Exchange at the Store level and it wouldn't be applicable to the individual accounts that reside within that Store. Leave it to Microsoft to put the same damn permissions in 10 different places.

I just wish that RIM would update their installation instructions at some point to make room for a different fix. This is a lot of work, in my opinion, for the casual administrator - especially on larger rollouts, this is HIGHLY unacceptable (no fault to RIM short of not relaying this to users MONTHS ago when they first wrote their KB article and coming up with an appropriate workaround/procedure change).

FlemmingRiis 05-10-2006 08:56 AM

Quote:

Originally Posted by richardsbd
If you are not runnig AD, then what OS and version are your Domain Controllers and Exchange server(s)?

[edit]There is always the option to NOT install the patch...

there are a few migrating factors but its not recomended not to install the patch

willie44 05-10-2006 05:25 PM

I am following the instructions in KB-04707 on BB's site. After I set up the permissions on the OU, will any new account or any account moved into that OU have updated permissions too? Or Will I have to set the permissions on the OU after each new account is created.

thanks

costonbw 05-10-2006 05:50 PM

I got Hosed...
 
Last night we accidentally deployed the evil patch. Now no one can send. All of our user are organized in OU's under a root OU named "User Roles". I granted the "Send As" permission at the "User Roles" level, but still no one can send. I just called Blackberry, and they say it may take 2 hours for the setting to take place, and if anyone tries to send a message the 2 hours resets. This doesnt sound right to me. The longest polling intervals I can think of are only about 15 minutes long. Any thoughts?

Also, I'm looking through AD, and I notice that the right does not appear to be applied to my user, but it is applied to the OU my user lives in. This seems odd. Thoughts?

I'm trying to avoid burning a incident with Microsoft on this...

markerman 05-10-2006 06:28 PM

Inherit
 
Quote:

Originally Posted by willie44
I am following the instructions in KB-04707 on BB's site. After I set up the permissions on the OU, will any new account or any account moved into that OU have updated permissions too? Or Will I have to set the permissions on the OU after each new account is created.

thanks

Each object placed in the OU will inherit the permissions set on the OU unless inheritance is explicitly disabled on an object.

markerman 05-10-2006 06:34 PM

Quote:

Originally Posted by costonbw
Last night we accidentally deployed the evil patch. Now no one can send. All of our user are organized in OU's under a root OU named "User Roles". I granted the "Send As" permission at the "User Roles" level, but still no one can send. I just called Blackberry, and they say it may take 2 hours for the setting to take place, and if anyone tries to send a message the 2 hours resets. This doesnt sound right to me. The longest polling intervals I can think of are only about 15 minutes long. Any thoughts?

Also, I'm looking through AD, and I notice that the right does not appear to be applied to my user, but it is applied to the OU my user lives in. This seems odd. Thoughts?

I'm trying to avoid burning a incident with Microsoft on this...

Check the permission settings and make sure it is applied to "User Objects". I applied it to my domain and checked a few random user objects in various OUs and the permission has been inherited on down the line. It's not likely that installing the update is effecting the inheritance.

bbmann5k+ 05-10-2006 06:44 PM

You should have a DomainUsers group in your Users container, which has everyuser in your org as members, then add the BESAdmin account or a BESAdmins Group account if you have multiples, then assign the permissions as given in the RIM kb. Then in additions you may need to add the permission directly to the Users container and each OU/Users container.

This is what works my testing.

bbmann5k+ 05-10-2006 06:46 PM

RIM is correct about waiting up to 2 hours .... it depends on your environment.

Trugoy 05-10-2006 07:32 PM

Quote:

Originally Posted by jibi
What doesn't make sense, in my opinion, is why we would set implicit 'Send As' permissions in Exchange at the Store level and it wouldn't be applicable to the individual accounts that reside within that Store. Leave it to Microsoft to put the same damn permissions in 10 different places.

Granting "Send As" at the store level grants permission to send as the database itself. Not sure why anyone would want to do that, but that's what that permission is for.

pmontana 05-10-2006 07:42 PM

Also, Microsoft has changed the KB article that references this patch about 8 times. Back on rev 5.1 it was only 3 pages and now it's up to version 8 and 16+ pages. Two revisions today alone. Search the MS Knowledgebase for KB912918.

Back on version 5.1 of the doc, it lists the DSACLS command which can be used at the OU level to set the Send As permission. This was taken out of future revs but according to our MS rep is still a viable fix so you don't have to specifically set permissions on a per mailbox level.

costonbw 05-10-2006 08:41 PM

Quote:

Originally Posted by costonbw
Last night we accidentally deployed the evil patch. Now no one can send. All of our user are organized in OU's under a root OU named "User Roles". I granted the "Send As" permission at the "User Roles" level, but still no one can send. I just called Blackberry, and they say it may take 2 hours for the setting to take place, and if anyone tries to send a message the 2 hours resets. This doesnt sound right to me. The longest polling intervals I can think of are only about 15 minutes long. Any thoughts?

Also, I'm looking through AD, and I notice that the right does not appear to be applied to my user, but it is applied to the OU my user lives in. This seems odd. Thoughts?

I'm trying to avoid burning a incident with Microsoft on this...


I've done some more testing and discovered that what I did with the Send As permission DID fix the problem for normal users. But there are four of us in IT who's mailboxes are on accounts that also have Domain Administrator rights, and the permission was blocked from our accounts. We've made some changes, and removed domain admin from all those accounts, but the Send As right is still not being inherited. I even tried granting it explicitly on one account and mails are still bouncing.

Anyone have any ideas?


All times are GMT -5. The time now is 09:02 AM.

Powered by vBulletin® Version 3.6.12
Copyright ©2000 - 2017, Jelsoft Enterprises Ltd.