BlackBerry Forums Support Community               

05-08-2006, 10:16 PM   #1
Important: Microsoft Software Update for May 9th, 2006 and Impact on BES

Latest email from RIM sent tonight. Sorry if duplicate.

Dear Customer,

In line with Microsoft's Security Update Advisor monthly patch update (http://www.microsoft.com/technet/sec.../advance.mspx), they have plans on releasing a patch on May 9, 2006 for Exchange 2000 Server and Exchange Server 2003. If you are planning on installing this update, it's important to note that this update affects user mailbox permissions by revoking the 'Send As' permission in Exchange which has an impact on third party products such as BlackBerry Enterprise Server for Microsoft Exchange. Once applied, this update will prevent users on BlackBerry Enterprise Server from sending email from a BlackBerry or BlackBerry-enabled device.

Recommended Resolution
RIM, in conjunction with Microsoft, has provided configuration settings that must be implemented to enable BlackBerry users to continue sending messages. Microsoft is recommending modifying permissions in Active Directory as outlined in the following public-facing Microsoft KBA:
http://support.microsoft.com/kb/912918

BlackBerry Technical Support Knowledge Base Article with general information about this change can be found here:
http://www.blackberry.com/knowledgec...66052&vernum=8

Before applying this Microsoft Software Update, RIM recommends that Administrators review these two Knowledge Base articles and take any necessary steps appropriate for their environment. Please contact [email address] if additional support is required for this as it applies to BlackBerry Enterprise Server.

05-09-2006, 04:06 AM   #2
BBAdmin

I've been looking at this today. It would seem when you send an email RIM take ownership of it and hence it doesn't originate where it appears to have (the user's email address). This must make it look like SPAM. I can see why MS have implemented such a change, and it will certainly be beneficial in combating unwanted SPAM (which even a small company like ours spends thousands a year trying to cut unwanted mails out), but annoyingly it has a knock-on effect on the BES.

As another thought I bet this has an effect on BlackBerry Internet Mail as well where users will have changed the 'Sent From' address on their BlackBerry webmail interface. I can see emails potentially getting bounced back in these instances too, although you would think RIM would have mentioned this. Perhaps I'm mistaken!

05-09-2006, 04:41 AM   #3
wibbly

Quote:
Originally Posted by BBAdmin
I bet this has an effect on BlackBerry Internet Mail as well where users will have changed the 'Sent From' address
I would like to understand the implication of this too.

Does it affect

- Outlook users receiving mail from BB's on a BIS?
- Outlook users on Exchange receiving mail from BB's on a BIS?

05-09-2006, 08:04 AM   #4

What if you aren't running AD? How do I get around this?

05-09-2006, 08:17 AM   #5
richardsbd

Quote:
Originally Posted by MrFace
What if you aren't running AD? How do I get around this?
If you are not running AD, then what OS and version are your Domain Controllers and Exchange server(s)?

[edit]There is always the option to NOT install the patch...
__________________
Brian

user and maintainer of a bunch of BB8700s

05-09-2006, 08:25 AM   #6

If you're not running AD, then you aren't running Exchange 2000 or 2003 and the patch doesn't apply to you.

05-09-2006, 08:55 AM   #7
Khue

Good stuff, thank you for the post.

05-09-2006, 05:03 PM   #8
GT!

I don't think the instructions posted on blackberry.com will work unless all of your users are under the 'users' OU in AD. I think it would be better to apply the 'send as' permission at the root of the domain. Comments?

05-09-2006, 05:06 PM   #9
jibi

Quote:
Originally Posted by GT!
I don't think the instructions posted on blackberry.com will work unless all of your users are under the 'users' OU in AD. I think it would be better to apply the 'send as' permission at the root of the domain. Comments?
If you aren't constrained and don't mind every user being subject to that permission, then why not - it'd definitely be easier than running and maintaining a damn sorry script provided by Microsoft. The Users object refers to "(objectClass=Users)" which is any AD object marked as a user. It states to repeat the steps for all OUs that are applicable (not sure if this is necessarily a good idea, as it would give unnecessary access to non-applicable users unless you group BlackBerry users together in their own OU). I suppose if the service account has permissions to the CEO, President, every EVP and SVP, every Director, etc., then it likely won't mean all that much to allow it permissions on Joe Random, either...
__________________
In the beginning the Universe was created. This has made a lot of people very angry and is widely regarded as a bad move.

Last edited by jibi : 05-09-2006 at 05:16 PM.

05-09-2006, 05:11 PM   #10
jibi

Quote:
Originally Posted by BBAdmin
As another thought I bet this has an effect on BlackBerry Internet Mail as well where users will have changed the 'Sent From' address on their BlackBerry webmail interface. I can see emails potentially getting bounced back in these instances too, although you would think RIM would have mentioned this. Perhaps I'm mistaken!
It wouldn't. It only prevents users within an Exchange environment from sending as another user or service account or shared mailbox or whatever if that permission wasn't applied.

What doesn't make sense, in my opinion, is why we would set implicit 'Send As' permissions in Exchange at the Store level and it wouldn't be applicable to the individual accounts that reside within that Store. Leave it to Microsoft to put the same damn permissions in 10 different places.

I just wish that RIM would update their installation instructions at some point to make room for a different fix. This is a lot of work, in my opinion, for the casual administrator - especially on larger rollouts, this is HIGHLY unacceptable (no fault to RIM short of not relaying this to users MONTHS ago when they first wrote their KB article and coming up with an appropriate workaround/procedure change).

05-10-2006, 03:56 AM   #11

Quote:
Originally Posted by richardsbd
If you are not running AD, then what OS and version are your Domain Controllers and Exchange server(s)?

[edit]There is always the option to NOT install the patch...
There are a few mitigating factors, but it's not recommended not to install the patch.

05-10-2006, 12:25 PM   #12

I am following the instructions in KB-04707 on BB's site. After I set up the permissions on the OU, will any new account or any account moved into that OU have updated permissions too? Or will I have to set the permissions on the OU after each new account is created?

thanks

05-10-2006, 12:50 PM   #13
costonbw
I got Hosed...

Last night we accidentally deployed the evil patch. Now no one can send. All of our users are organized in OUs under a root OU named "User Roles". I granted the "Send As" permission at the "User Roles" level, but still no one can send. I just called Blackberry, and they say it may take 2 hours for the setting to take place, and if anyone tries to send a message the 2 hours resets. This doesn't sound right to me. The longest polling intervals I can think of are only about 15 minutes long. Any thoughts?

Also, I'm looking through AD, and I notice that the right does not appear to be applied to my user, but it is applied to the OU my user lives in. This seems odd. Thoughts?

I'm trying to avoid burning an incident with Microsoft on this...

05-10-2006, 01:28 PM   #14
Inherit

Quote:
Originally Posted by willie44
I am following the instructions in KB-04707 on BB's site. After I set up the permissions on the OU, will any new account or any account moved into that OU have updated permissions too? Or will I have to set the permissions on the OU after each new account is created?

thanks
Each object placed in the OU will inherit the permissions set on the OU unless inheritance is explicitly disabled on an object.
__________________
James

05-10-2006, 01:34 PM   #15

Quote:
Originally Posted by costonbw
Last night we accidentally deployed the evil patch. Now no one can send. All of our users are organized in OUs under a root OU named "User Roles". I granted the "Send As" permission at the "User Roles" level, but still no one can send. I just called Blackberry, and they say it may take 2 hours for the setting to take place, and if anyone tries to send a message the 2 hours resets. This doesn't sound right to me. The longest polling intervals I can think of are only about 15 minutes long. Any thoughts?

Also, I'm looking through AD, and I notice that the right does not appear to be applied to my user, but it is applied to the OU my user lives in. This seems odd. Thoughts?

I'm trying to avoid burning an incident with Microsoft on this...
Check the permission settings and make sure it is applied to "User Objects". I applied it to my domain and checked a few random user objects in various OUs and the permission has been inherited on down the line. It's not likely that installing the update is affecting the inheritance.
__________________
James

05-10-2006, 01:44 PM   #16

You should have a DomainUsers group in your Users container, which has every user in your org as members, then add the BESAdmin account or a BESAdmins Group account if you have multiples, then assign the permissions as given in the RIM kb. Then in addition you may need to add the permission directly to the Users container and each OU/Users container.

This is what works in my testing.

05-10-2006, 01:46 PM   #17

RIM is correct about waiting up to 2 hours .... it depends on your environment.

05-10-2006, 02:32 PM   #18

Quote:
Originally Posted by jibi
What doesn't make sense, in my opinion, is why we would set implicit 'Send As' permissions in Exchange at the Store level and it wouldn't be applicable to the individual accounts that reside within that Store. Leave it to Microsoft to put the same damn permissions in 10 different places.
Granting "Send As" at the store level grants permission to send as the database itself. Not sure why anyone would want to do that, but that's what that permission is for.

05-10-2006, 02:42 PM   #19

Also, Microsoft has changed the KB article that references this patch about 8 times. Back on rev 5.1 it was only 3 pages and now it's up to version 8 and 16+ pages. Two revisions today alone. Search the MS Knowledgebase for KB912918.

Back on version 5.1 of the doc, it lists the DSACLS command which can be used at the OU level to set the Send As permission. This was taken out of future revs but according to our MS rep is still a viable fix so you don't have to specifically set permissions on a per mailbox level.

05-10-2006, 03:41 PM   #20
costonbw

Quote:
Originally Posted by costonbw
Last night we accidentally deployed the evil patch. Now no one can send. All of our users are organized in OUs under a root OU named "User Roles". I granted the "Send As" permission at the "User Roles" level, but still no one can send. I just called Blackberry, and they say it may take 2 hours for the setting to take place, and if anyone tries to send a message the 2 hours resets. This doesn't sound right to me. The longest polling intervals I can think of are only about 15 minutes long. Any thoughts?

Also, I'm looking through AD, and I notice that the right does not appear to be applied to my user, but it is applied to the OU my user lives in. This seems odd. Thoughts?

I'm trying to avoid burning an incident with Microsoft on this...

I've done some more testing and discovered that what I did with the Send As permission DID fix the problem for normal users. But there are four of us in IT whose mailboxes are on accounts that also have Domain Administrator rights, and the permission was blocked from our accounts. We've made some changes, and removed domain admin from all those accounts, but the Send As right is still not being inherited. I even tried granting it explicitly on one account and mails are still bouncing.

Anyone have any ideas?
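
One way to check the inheritance questions raised in this thread, as an added example that is not part of any post and not RIM's or Microsoft's script: a read-only PowerShell audit that reports, for each user under an OU, whether a service account holds 'Send As' explicitly, by inheritance, or not at all, and whether the object blocks inherited permissions. The account name and OU distinguished name are placeholders, and the ActiveDirectory module (RSAT) is assumed to be installed.

```powershell
# Added example (read-only): audit 'Send As' for a BES service account.
# $ServiceAccount and $SearchBase are placeholders, not values from the thread.
Import-Module ActiveDirectory

$ServiceAccount = 'EXAMPLE\BESAdmin'
$SearchBase     = 'OU=User Roles,DC=example,DC=com'
# rightsGuid of the Send-As extended right in the AD schema
$SendAsGuid     = [guid]'ab721a54-1e2f-11d0-9819-00aa0040529b'
$ExtendedRight  = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

# Allow ACEs on one object that give $Identity Send As, either by name
# or through an "all extended rights" ACE (empty ObjectType GUID).
# Grants made to a group the account belongs to are not resolved here.
function Get-SendAsAce {
    param($SecurityDescriptor, [string]$Identity)
    $SecurityDescriptor.Access | Where-Object {
        $_.IdentityReference.Value -eq $Identity -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.ActiveDirectoryRights -band $ExtendedRight) -eq $ExtendedRight) -and
        ($_.ObjectType -eq $SendAsGuid -or $_.ObjectType -eq [guid]::Empty)
    }
}

$report = Get-ADUser -SearchBase $SearchBase -Filter * -Properties nTSecurityDescriptor, adminCount |
    ForEach-Object {
        $sd   = $_.nTSecurityDescriptor
        $aces = @(Get-SendAsAce -SecurityDescriptor $sd -Identity $ServiceAccount)
        if ($aces.Count -eq 0) { $state = 'missing' }
        elseif ($aces | Where-Object { -not $_.IsInherited }) { $state = 'explicit' }
        else { $state = 'inherited' }
        [pscustomobject]@{
            User               = $_.SamAccountName
            SendAs             = $state
            InheritanceBlocked = $sd.AreAccessRulesProtected  # object ignores OU/domain ACEs
            AdminCount         = $_.adminCount                # 1 = flagged as protected account
        }
    }

# Accounts the OU-level grant did not reach, or that will not follow future changes
$report | Where-Object { $_.SendAs -eq 'missing' -or $_.InheritanceBlocked } |
    Sort-Object User | Format-Table -AutoSize
```

Running the same report against the domain root shows how far a root-level grant extends the service account's 'Send As' reach compared with a dedicated OU for BlackBerry users.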