Did anyone else have problems after applying MS06-29?

Last month, I didn't have any problems with MS06-19, the Exchange patch that required a workaround to get BES to work. I implemented the workaround and all was well

MS06-29 comes around, and yesterday my *most* users were not able to send (they could receive).

I did what RIM advises in its KB and followed the directions in MS KB912918. No love. Had my boss call my reseller so they could call RIM and see what the deal is. They said to follow KB912918. When I told my boss that we did that and it didn't work, I told him to call them back. They said the same thing, follow KB912918. Great support RIM!!! Fix your product!! You have had over a month to do so!

So I called MS Support.

MS support advised that I had to *MANUALLY* add my BES service account with SEND AS perms to all my BES users.

Anyone else have a similar experience?

This is the one that was release like yesterday or two days ago, right? In the advisor, it said it might break BB or GoodLink products. Right now, my IT guy isn't planning on rolling that update out, but always good to know there is a workaround if absolutely necessary.

Ditto

Did the workaround work for you? I just uninstalled MS06-29 to get everything working again.

Cheers

Help... setting up new mail org that will be 2k3 and new BES to go with it...

Is there info on this patch someplace? (I searched MS but couldn't find and even searched google)...

Am I reading this right that after the patch I'll have to add these permissions to exchange on a PER USER basis?

EDIT: Found info... reading now...

We're planning on testing MS06-029 this afternoon or in the morning on a test Exchange2003 SP2 server, and a test BES, running 4.0.4.5. Our thinking if the BES account already has Send As permissions at the Server and Information store level, we'll be fine.

This is slightly different from MS Support told you. If this works, it will sure be easier than adding that permission on each user object!

I've added the permissions as per MS KB912918. Problem is that Domain Admins automatically get this permission stripped off by the AdminSDHolder function within an hour. Microsoft's answer to this is to not use domain admin accounts for email. Anyone have a way to get around this ?

easy-v,
"Great support RIM!!! Fix your product!! You have had over a month to do so!"

I think you didn't read the PDF provided by RIM properly. It states that this is caused by a Microsoft security update for Exchange not an update released by RIM for BES.

Its advisable to read the "Whole 6 page article" before claiming that you have done everything.
Theres a vbscript in there and you dont have to manually add it to every users if you know a bit of vb, since your an admin i presume you would know a bit of scripting correct?

Also the permissions can be applied at the domain level, OU level or the user level. If the users are not properly inheriting permissions then the problem arises as exactly what chrisberry mentioned "AdminSDholder"

Read Microsoft KB912918 carefully its mentioned there. Microsoft tech support guy didn't do anything special just walked you through the same article....

You have to change the permissions on the AdminSDHolder object itself (found in the System container). There's no other way around this, short of creating a second, standard account for the admin user.

Did you read my entire post? MS PS explicitly stated that the script in their KB article will not propagate the settings, that they [b]must[b] be applied manually. RIM gave me that crap line that MS needs to fix their product. Can someone explain to me if Microsoft's products are a pre-req for BES, and Microsoft patches/changes the way their product works, which they often do, why is Microsoft on the hook to make sure that BES works?

It appears to me that if RIM sells a product, they should ensure that it works with the stated pre-reqs.

Again, MSPS said that the permissions would have to be applied individually. I applied the perms at the domain level back in May, to get around the first update and it worked. It didn't work on MS06-29

I still have not found a way around the ADMINSDHOLDER problem, despite the KB article. It's not a problem for me, as their is only 1 user impacted, but having to go thorugh this everytime an Exchange patch is released is not something I want to have to deal with.

yep, we rollout the patch out on the weekend and BES showed these symptoms. I know we didnt installed the earlier patch as it was well adviced of its effects.

anyway, I took a guess and looked at the perms and manually added the send As to get it to work.

Crap support though !! They still havent come back to me after I have already fixed it

I'm still having issues with the AdminSD object.

Here's what I did, perhaps this isn't the proper way.

I went into the security for AdminSDHolder and added the BB service account to it and gave it "Send As", just as I would for a user.

Now, the admin accounts retain the BlackBerry service account in their security list, however "Send As" is removed.

When I go back to look at the AdminSD object after the top of the hour, it still has the permissions I want, but not the user accounts.

GRRRR.

Anyone still having issues with this?

Similar experience. KB912918 doesn't work. Blackberry's solution to switch off the router for 20 mins is ridiculous.

Adding the Send As permission to the service account for each user is the way to go but the only snag as you may have found out is that the permission is deleted after an hour. It's also inconvenient especially if you have many Blackberry users.

This is how it should be fixed:

1. Open AD Users and Computers

2. Select View and Advanced Settings

3. Create a Domain Local Security group at the highest OU level that contains the users accounts that have Blackberrys.

4. Add these users as members of the group.

5. Go to the Security Tab for the group.

6. Click Advanced Permissions button.

7. Click Add and select the account that you use as your BES service account.

8. On the Permissions page change the drop down for Apply Onto to read User Objects

9. Then set Send As and Read permissions

10. Make sure the Apply These Permissions to Objects Within This Container box is unchecked.

11. Click Ok out of all the permissions pages.

12. Then restart exchange system attendant to refresh the permissions cache.

13. You'll now find that the permission is inherited by all your BB users and it will now stick.

14. Throw darts at your convenient picture of Bill Gates.

Ho folks,

KB912918 worked for me but please note the following:

HOTFIX 895949 doesn't fix the problem, it ensures you have it! (Store.exe ver x.x.x.23 or later as per MS KBs) - don't bother trying this as a fix. I misread the KB and did some work for nothing. Have a freebie on me

You must run the dsacls command on EACH DOMAIN to stop the AdminSDHolder permissions removing anything you've applied manually. (You can redirect the output from this to a text file - check towards the bottom and you should see your BES account with Send As to the right of it).

I then went into our Exchange structure with the BES service permissions info from the BES manual and reset the entire lot from top to bottom - a drag but it makes sure that everything is correctly in place for the future.

It now works (for us anyway).

This will not go away and you need to apply proper permissions to keep things working in the future ie take the hit and fix it now.

Good luck and keep with it

NigeHarvey

w2k3/e2k3/bes3.6

I am so confused about this...

We are building a NEW BES (v4.0) in a NEW Exchange Org on NEW Exchange 2003 servers with 029 patch...

The users will later be migrated to the new org/servers/bes...

What is the best way to proceed short term (while I migrate existing users), as well as long term (as I add new users)?

The company I am working at is multi-national.. the UK team is driving things, but getting info from Vodaphone which is turning out to be proven WRONG every time. And I have to pickup the mess in the US side of things...

Unfortunately, I do NOT have access to "administer" the Exchange servers, that is another team... I only can touch the BES...

Do we have to do this on a Per Mailbox/Per User basis?