06-24-2006, 09:34 AM
For all those having "send as" problems
I came here looking for advice, and had to search a dozen posts to find the specific details. I hope this short post helps. There are all sorts of crazy ways to handle this, but this is the easiest way to do it, once and for all.
First, I am assuming this is an EXISTING 4.x install with everything working just fine, only an Exchange hotfix (which updates store.exe) caused this. The solution is twofold: 1) first for regular users, 2) for elevated access users.
Prereq: Your BESAdmin account should NOT have elevated access. If it does, you need to remove it. There is absolutely no reason the BESAdmin account needs this access. It should be a regular Domain User. This also assumes you've granted the BESAdmin the appropriate "view only" rights in your Exchange organization as described by the install notes for BES. If you're sharing your BESAdmin user with some other account that needs elevated domain access, I highly suggest you stop doing this and change to a dedicated BESAdmin user.
1) Regular Users
-Go into AD Users and Computers, enable the advanced view (View/Advanced Features)
-Right-click on the DOMAIN root and go to Properties, then Security tab
-Click Advanced and add the BESAdmin user.
-Change the "Apply onto" pull-down to USER OBJECTS ONLY
-Check SEND AS in the Allow column (that's it!!)
-OK back out to AD Users and Computers
Notes: Instead of applying this security to the DOMAIN root, you can apply it to different OUs. Just make sure you apply it to ALL OUs where you have BlackBerry users under, or else they won't be able to send from their handheld.
2) Elevated Access Users (BlackBerry users with domain admin/enterprise admin access)
The AdminSDHolder is a property that prevents you from giving users with elevated access certain permissions, as an internal design by Microsoft. This is generally good for security reasons. One of the big things it does is remove Send As permission inheritance on users with elevated access. Why? Because it's generally a bad idea to give a user access to Send As everyone else in the domain.
The quickest way to deal with this is to use DSACLS to grant your BESAdmin user Send As access to the AdminSDHolder property. DSACLS can make full overrides on the internal security MS has built in. The command to run is as follows:
dsacls "cn=AdminSDHolder,cn=system,dc=domain,dc=com" /G "netbiosdomain\besadminuser:CA;Send As"
These fixes can take up to 2 hours to apply out to Exchange's cached security information. After they apply, BlackBerry Router must be restarted. The fix for regular users only took 20 minutes to update, but the fix for Elevated Users took the FULL 2 hours to update for me.
I hope this helps. Please feel free to note corrections and I'll revise the post. I really feel this is the easiest way to handle this issue.
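
Added example, not part of the original post: a PowerShell filter for auditing which accounts hold Send As on the domain root or AdminSDHolder after the steps above, so the grant to the BESAdmin account can be confirmed and unexpected holders spotted. `Find-SendAsAce` is a hypothetical helper name, live use assumes the ActiveDirectory module, and the sample ACEs are constructed.

```powershell
# Added example: list Allow ACEs that confer Send As in an AD ACL.
# Live use (assumes the ActiveDirectory module; DN is the post's placeholder):
#   Import-Module ActiveDirectory
#   (Get-Acl 'AD:\CN=AdminSDHolder,CN=System,DC=domain,DC=com').Access | Find-SendAsAce
Add-Type -AssemblyName System.DirectoryServices

$SendAsGuid = [guid]'ab721a54-1e2f-11d0-9819-00aa0040529b'  # Send-As extended right
$UserClass  = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # schemaIDGUID of class "user"
$ADR        = [System.DirectoryServices.ActiveDirectoryRights]
$Extended   = [int]$ADR::ExtendedRight

function Find-SendAsAce {   # hypothetical helper name
    param([Parameter(ValueFromPipeline = $true)] $Ace)
    process {
        $objType = [guid]$Ace.ObjectType
        # The ExtendedRight bit is also set inside GenericAll (full control)
        $hasBit = ([int]$Ace.ActiveDirectoryRights -band $Extended) -ne 0
        # An empty ObjectType GUID means "all extended rights", Send As included
        $covers = ($objType -eq $SendAsGuid) -or ($objType -eq [guid]::Empty)
        if ($hasBit -and $covers -and "$($Ace.AccessControlType)" -eq 'Allow') {
            $right = 'All extended rights (includes Send As)'
            if ($objType -eq $SendAsGuid) { $right = 'Send As' }
            $scope = 'not limited to user objects'
            if ([guid]$Ace.InheritedObjectType -eq $UserClass) { $scope = 'user objects only' }
            [pscustomobject]@{
                Identity  = "$($Ace.IdentityReference)"
                Right     = $right
                AppliesTo = $scope
                Inherited = [bool]$Ace.IsInherited
            }
        }
    }
}

# Constructed sample ACEs shaped like (Get-Acl ...).Access output
$none = [guid]::Empty
$sample = @(
    [pscustomobject]@{ IdentityReference = 'NETBIOSDOMAIN\besadminuser'; ActiveDirectoryRights = $ADR::ExtendedRight
        ObjectType = $SendAsGuid; InheritedObjectType = $UserClass; AccessControlType = 'Allow'; IsInherited = $false }
    [pscustomobject]@{ IdentityReference = 'NETBIOSDOMAIN\Domain Admins'; ActiveDirectoryRights = $ADR::GenericAll
        ObjectType = $none; InheritedObjectType = $none; AccessControlType = 'Allow'; IsInherited = $false }
    [pscustomobject]@{ IdentityReference = 'NT AUTHORITY\Authenticated Users'; ActiveDirectoryRights = $ADR::GenericRead
        ObjectType = $none; InheritedObjectType = $none; AccessControlType = 'Allow'; IsInherited = $false }
)
$sample | Find-SendAsAce | Format-Table -AutoSize   # read-only ACE is filtered out
```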