BlackBerry Forums Support Community               

Old 06-24-2006, 09:34 AM   #1 (permalink)
Thumbs Must Hurt
 
Join Date: Oct 2005
Model: 8300
Carrier: AT&T
Posts: 82
Post Thanks: 0
Thanked 0 Times in 0 Posts
For all those having "send as" problems

I came here looking for advice, and had to search a dozen posts to find the specific details. I hope this short post helps. There are all sorts of crazy ways to handle this, but this is the easiest way to do it, once and for all.

First, I am assuming this is an EXISTING 4.x install with everything working just fine, only an Exchange hotfix (which updates store.exe) caused this. The solution is twofold: 1) first for regular users, 2) for elevated access users.

Prereq: Your BESAdmin account should NOT have elevated access. If it does, you need to remove it. There is absolutely no reason the BESAdmin account needs this access. It should be a regular Domain User. This also assumes you've granted the BESAdmin the appropriate "view only" rights in your Exchange organization as described by the install notes for BES. If you're sharing your BESAdmin user with some other account that needs elevated domain access, I highly suggest you stop doing this and change to a dedicated BESAdmin user.

1) Regular Users
-Go into AD Users and Computers, enable the advanced view (View/Advanced Features)
-Right-click on the DOMAIN root and go to Properties, then Security tab
-Click Advanced and add the BESAdmin user.
-Change the "Apply onto" pull-down to USER OBJECTS ONLY
-Check SEND AS in the Allow column (that's it!!)
-OK back out to AD Users and Computers

Notes: Instead of applying this security to the DOMAIN root, you can apply it to different OUs. Just make sure you apply it to ALL OUs where you have BlackBerry users under, or else they won't be able to send from their handheld.

2) Elevated Access Users (BlackBerry users with domain admin/enterprise admin access)

The AdminSDHolders is a property that prevents you from giving users with elevated access certain permissions, as an internal design by Microsoft. This is generally good for security reasons. One of the big things it does is remove Send As permission inheritance on users with elevated access. Why? Because it's generally a bad idea to give a user access to Send As everyone else in the domain.

The quickest way to deal with this is to use DSACLS to grant your BESAdmin user Send As access to the AdminSDHolders property. DSACLS can make full overrides on the internal security MS has built in. The command to run is as follows:

dsacls "cn=AdminSDHolder,cn=system,dc=domain,dc=com" /G "netbiosdomain\besadminuser:CA;Send As"

----
These fixes can take up to 2 hours to apply out to Exchange's cached security information. After they apply, BlackBerry Router must be restarted. The fix for regular users only took 20 minutes to update, but the fix for Elevated Users took the FULL 2 hours to update for me.

I hope this helps. Please feel free to note corrections and I'll revise the post. I really feel this is the easiest way to handle this issue.
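
A way to confirm that the grant from part 2 landed on AdminSDHolder, and to review every other trustee holding Send As there, since that ACL is stamped onto all protected (elevated) accounts. This is an added example, not part of the original post; it assumes the RSAT ActiveDirectory PowerShell module, and the trustee name is the post's placeholder.

```powershell
# Added example: audit Send As grants on the AdminSDHolder object.
# Assumption: run on a host with the RSAT ActiveDirectory module installed.
Import-Module ActiveDirectory

# rightsGuid of the "Send As" extended right (control access right)
$SendAsGuid = [Guid]'ab721a54-1e2f-11d0-9819-00aa0040529b'

# Placeholder from the post; substitute your dedicated BES service account
$Expected = 'netbiosdomain\besadminuser'

# Build the AdminSDHolder path from the current domain instead of hard-coding it
$domainDN = (Get-ADDomain).DistinguishedName
$target   = "AD:\CN=AdminSDHolder,CN=System,$domainDN"

$extended = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

# An ACE confers Send As if it allows ExtendedRight (GenericAll includes that bit)
# and is scoped either to the Send As GUID or to all extended rights (empty GUID).
$grants = (Get-Acl -Path $target).Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    ($_.ActiveDirectoryRights -band $extended) -and
    ($_.ObjectType -eq $SendAsGuid -or $_.ObjectType -eq [Guid]::Empty)
}

# Expected = $true marks the BES account; every other row is a trustee that can
# send as any protected account and should be reviewed.
$grants |
    Select-Object IdentityReference,
                  ActiveDirectoryRights,
                  ObjectType,
                  IsInherited,
                  @{ Name = 'Expected'; Expression = { $_.IdentityReference.Value -eq $Expected } } |
    Sort-Object Expected, IdentityReference |
    Format-Table -AutoSize

if (-not ($grants | Where-Object { $_.IdentityReference.Value -eq $Expected })) {
    Write-Warning "No Send As ACE for $Expected found on AdminSDHolder."
}
```

Rows with an all-zero ObjectType come from ACEs that grant every extended right (or full control), which is normal for built-in administrative groups.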
Old 06-24-2006, 11:34 AM   #2 (permalink)
BlackBerry God
 
jibi's Avatar
 
Join Date: Oct 2004
Location: Jibi's Secret Place
Model: 8900
OS: 4.6.1.174
Carrier: AT&T
Posts: 11,310
Post Thanks: 0
Thanked 1 Time in 1 Post

Thanks HDClown. Very nice post.
__________________
In the beginning the Universe was created. This has made a lot of people very angry and is widely regarded as a bad move.