BlackBerry Forums Support Community               

Old 07-16-2006, 09:38 PM   #1 (permalink)
New Member
 
Join Date: Jul 2006
Model: 8800
Carrier: ATT/Cingular
Posts: 4
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default Will BESAdmin = Administrator be a problem?

Hello - first post, so try to be kind....

Running SBS2003 SP1 Premium (Exchange 2003 SP2, SQL Server 2000 SP4, ISA Server 2004).

Is it technically feasible to use the Administrator account as the BES service account? Or is it just not advisable for security reasons?

Anyone have it working using the Administrator account without creating a BESAdmin account? I have it "working", but there are a few outstanding issues that need fixing.

So, just thought I would ask if what I am trying to do is even possible before I roll up my sleeves on the issues.

Thanks in advance.
Keith
Offline  
Old 07-16-2006, 10:51 PM   #2 (permalink)
Knows Where the Search Button Is
 
Join Date: Jun 2006
Model: 7290
Posts: 39
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

Can you tell us what is the issue? Hopefully we can provide you with the right solution...
Offline  
Old 07-16-2006, 11:35 PM   #3 (permalink)
Retired BlackBerryForums.com Moderator
 
d_fisher's Avatar
 
Join Date: Oct 2005
Location: Columbus, OH
Model: 9700
OS: SID 6.7
Carrier: AT&T
Posts: 4,455
Post Thanks: 0
Thanked 2 Times in 1 Post
Default

Why would you want to use the Administrator account? Best practice is to use the account with the least required rights to do the job, i.e. BESAdmin.
__________________
Doug

Offline  
Old 07-17-2006, 03:01 AM   #4 (permalink)
Talking BlackBerry Encyclopedia
 
Dirky's Avatar
 
Join Date: Jul 2006
Location: Up North - UK
Model: 8320
Carrier: T-Mobile UK
Posts: 265
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

Quote:
Originally Posted by d_fisher
Why would you want to use the Administrator account? Best practice is to use the account with the least required rights to do the job, i.e. BESAdmin.
I could not get things working properly when I used a BESAdmin account for the MAPI connection. There were some permission problems. I did some reading and adjusted permissions as suggested but could not get it working.
I tried with the Administrator account and it seems to work ok.

However I realise this may not be the best way to leave it running?

Mike
__________________
http://www.ubertechs.co.uk
Personal Blog - http://www.g6phf.co.uk
Offline  
Old 07-17-2006, 02:03 PM   #5 (permalink)
Talking BlackBerry Encyclopedia
 
Join Date: Feb 2005
Model: 7280
Carrier: cingular, no wait, AT&T
Posts: 300
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

I recommend creating the user accounts like the manuals say (or used to say, at least... 3.6 specified a few user accounts to create and use)
Offline  
Old 07-17-2006, 10:18 PM   #6 (permalink)
New Member
 
Join Date: Jul 2006
Model: 8800
Carrier: ATT/Cingular
Posts: 4
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

Quote:
Originally Posted by andidarmali
Can you tell us what is the issue? Hopefully we can provide you with the right solution...
The only thing that doesn't work is Calendar sync, but only in one direction. The calendar syncs from Outlook to Handheld, but NOT from Handheld to Outlook.

The BES error log entries, associated with the MS event 20216 "Sync Failed" entries, clearly state "You do not have permission to log on", but I am at a loss as to where to look to resolve this permissions issue.

The BES is performing all the other syncs (contacts, tasks, notes) in both directions and sending and receiving mail on the handheld is flawless.

Given the MS critical updates of May 9 and how that impacted BES permissions, it seems that creating the separate BESAdmin account will end up being the best path to take.

So, even though I would love to resolve this one (so close, yet so far away), I think I will create the BESAdmin account and reinstall, while I still have the chance to do it before this Small Business Server goes into production.

Thanks,
Keith
Offline  
Old 07-18-2006, 07:04 AM   #7 (permalink)
Talking BlackBerry Encyclopedia
 
ld-runner's Avatar
 
Join Date: Apr 2006
Location: Canton, Mi
Model: 9000
Carrier: AT&T
Posts: 218
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

I run BES under the domain admin account. No issues with me. My BES is running on a member server not hosting AD. I have zero issues. RIM told me I should change it, but did not tell me why. Only that it is preferred to do it that way. Supposedly, using the admin account could cause issues if you go over 100 users on BES. Since I have less than 15, I never made the change.
Offline  
Old 07-18-2006, 08:11 AM   #8 (permalink)
Talking BlackBerry Encyclopedia
 
Dirky's Avatar
 
Join Date: Jul 2006
Location: Up North - UK
Model: 8320
Carrier: T-Mobile UK
Posts: 265
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

Quote:
Originally Posted by KeithWeldon
The only thing that doesn't work is Calendar sync, but only in one direction. The calendar syncs from Outlook to Handheld, but NOT from Handheld to Outlook.

The BES error log entries, associated with the MS event 20216 "Sync Failed" entries, clearly state "You do not have permission to log on", but I am at a loss as to where to look to resolve this permissions issue.

The BES is performing all the other syncs (contacts, tasks, notes) in both directions and sending and receiving mail on the handheld is flawless.

Given the MS critical updates of May 9 and how that impacted BES permissions, it seems that creating the separate BESAdmin account will end up being the best path to take.

So, even though I would love to resolve this one (so close, yet so far away), I think I will create the BESAdmin account and reinstall, while I still have the chance to do it before this Small Business Server goes into production.

Thanks,
Keith
Hi Keith,
I had this error at first, I found some info which helped me fix it, I have the document at home (I printed it out!).
It was something to do with adjusting the permissions for the Administrator I seem to recall.

Mike
__________________
http://www.ubertechs.co.uk
Personal Blog - http://www.g6phf.co.uk
Offline  
Old 07-18-2006, 09:17 AM   #9 (permalink)
Knows Where the Search Button Is
 
Join Date: May 2006
Location: Miami, FL
Model: 8700
Posts: 23
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

Quote:
Originally Posted by ld-runner
I run BES under the domain admin account. No issues with me. My BES is running on a member server not hosting AD. I have zero issues. RIM told me I should change it, but did not tell me why. Only that it is preferred to do it that way. Supposedly, using the admin account could cause issues if you go over 100 users on BES. Since I have less than 15, I never made the change.
I speak from experience. This is a BAD idea. If you get any corruption in your AD database you are screwed! I recently, last week, had this issue. ALL of my admin accounts were locked out due to security corruption. The besadmin account was the only account I could log in with. It was because it was not a member of the Domain Admins group. I was able to reset my security using a KB article from Microsoft (KB313222). Having the besadmin account at a lower security level kept me from having to restore from backup.

-James

P.S. I am running BES 4.0 SP4 on Windows Server 2003 SP2.
Offline  
Old 07-18-2006, 09:23 AM   #10 (permalink)
Talking BlackBerry Encyclopedia
 
ld-runner's Avatar
 
Join Date: Apr 2006
Location: Canton, Mi
Model: 9000
Carrier: AT&T
Posts: 218
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

If my AD ever took a dump, I'd have bigger things to worry about than BES. lol. The issue with RIM is probably more about security than having a user account that you can log in with in the event of AD corruption.
Offline  
Old 07-18-2006, 09:50 AM   #11 (permalink)
Knows Where the Search Button Is
 
Join Date: May 2006
Location: Miami, FL
Model: 8700
Posts: 23
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

Quote:
Originally Posted by ld-runner
If my AD ever took a dump, I'd have bigger things to worry about than BES. lol. The issue with RIM is probably more about security than having a user account that you can log in with in the event of AD corruption.
LOL, I agree, I did not mean to imply that that was their (RIM's) reasoning. It just was a good thing I did it "by the book." It saved my a** because it was the one account I could use. I am sure you are correct. You do not want the besadmin account or any account for that matter to have higher security than necessary as a best practice anyway.

-James
Offline  
Old 07-19-2006, 05:44 PM   #12 (permalink)
New Member
 
Join Date: Jul 2006
Model: 8800
Carrier: ATT/Cingular
Posts: 4
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default BES Express on SBS2003 SP1 Premium - Piece of Cake!!

Everyone has been so helpful, I can't begin to thank you all enough.

I thought I would report back on my success at installing BES 4.1 Express on a Microsoft Small Business Server 2003 Premium Edition with SP1.

First, I restored the pre-production SBS to just before my ill-fated attempt to use the Administrator's account as the BES service account.

Then, as outlined in Section 3 of the BES for MS Exchange Version 4.1 Installation Guide, I created a BESAdmin account with appropriate rights.

The install went as smooth as silk.

Then after adding BESAdmin to my handheld user's security settings to deal with Microsoft's sabotage, I deployed the handheld and voila! A typically wonderful BlackBerry experience.

Gotta just LOVE that BlackBerry Enterprise Server!!

Again, THANKS TO EVERYONE!!

Keith

P.S. anyone interested in a write up of the installation, which includes screen shots, just give me a holler and I would be happy to share.
Offline  
Old 07-25-2006, 05:08 AM   #13 (permalink)
Knows Where the Search Button Is
 
paul_griffiths's Avatar
 
Join Date: Jul 2006
Location: Bristol - UK
Model: 8800
Carrier: Orange
Posts: 45
Post Thanks: 0
Thanked 0 Times in 0 Posts
Smile Keith - IM Sent....

Have IMed you Keith re: your guide
Offline  
Old 07-25-2006, 08:26 AM   #14 (permalink)
New Member
 
Join Date: May 2006
Model: 8700g
Posts: 4
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

Hi,

I'd love to see a copy of your guide, Keith - in particular the permission requirements for the Besadmin account pre BES install.
Offline  
Old 07-25-2006, 12:00 PM   #15 (permalink)
Zro
CrackBerry Addict
 
Zro's Avatar
 
Join Date: Mar 2005
Model: 8800
Carrier: Rogers
Posts: 597
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

Just so you know, the reason you were getting permissions failures with the Administrator account is because Exchange denies send as/receive as to domain admins.

This is a very common issue. People put BESAdmin in the Domain Admins group and BES no workey. Take them out of Domain Admin and put in local Admin and Domain Users, works fine for setting send as/receive as permissions.

Zro
Offline  
Old 07-26-2006, 12:46 AM   #16 (permalink)
New Member
 
Join Date: May 2006
Model: 8700g
Posts: 4
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

Hi,

Thanks for that - still having a problem with the installation.

All is ok until I get to the [Database Setting] step, when it gets to create the db BESMgmt I get an error

"DB upgrade failed. Error executing an SQL statment"

And it lets me get no further - any ideas?

Quote:
Originally Posted by Zro
Just so you know, the reason you were getting permissions failures with the Administrator account is because Exchange denies send as/receive as to domain admins.

This is a very common issue. People put BESAdmin in the Domain Admins group and BES no workey. Take them out of Domain Admin and put in local Admin and Domain Users, works fine for setting send as/receive as permissions.

Zro
Offline  
Old 07-26-2006, 09:06 AM   #17 (permalink)
CrackBerry Addict
 
|||||||'s Avatar
 
Join Date: Jun 2006
Model: 7100
Carrier: Rogers
Posts: 615
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

You don't have system admin permissions over SQL most likely. What type of authentications are you using? Windows or SQL?

Quote:
Originally Posted by fushwabo
Hi,

Thanks for that - still having a problem with the installation.

All is ok until I get to the [Database Setting] step, when it gets to create the db BESMgmt I get an error

"DB upgrade failed. Error executing an SQL statment"

And it lets me get no further - any ideas?
Offline  
Old 07-26-2006, 02:56 PM   #18 (permalink)
New Member
 
Join Date: May 2006
Model: 8700g
Posts: 4
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

Hi,

Excuse me for being thick - how would I know that? I've just done a standard install of BES with the new besadmin account as specified in the manual - unlike my previous install as admin this one stops with the error - how would I find out what kind of authentication I'm using?

regards



Quote:
Originally Posted by |||||||
You don't have system admin permissions over SQL most likely. What type of authentications are you using? Windows or SQL?
Offline  
Old 07-26-2006, 05:53 PM   #19 (permalink)
Thumbs Must Hurt
 
Join Date: Jul 2006
Model: 7290
Carrier: Rogers In Canada - Cingular in US
Posts: 127
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

"DB upgrade failed. Error executing an SQL statment"

That error typically is displayed if the SQL data directory already has besmgmt.mdf and besmgmtlog.ldf created. Delete those files and try again
(Common when using MSDE)

If you are using SQL 2000/2005- Best way to go about giving permissions is to create a security login for the domain/besadmin account

Assign System and Server Admin
After the install is complete only dbowner is required
Offline  
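
The SQL Server steps from the two replies above (checking the authentication mode, granting server roles for the install, then reducing the account to database owner), as an added T-SQL example that is not part of the original thread. The domain name CONTOSO is a placeholder, and reading "System and Server Admin" as the sysadmin and serveradmin fixed server roles and "dbowner" as db_owner is an assumption.

```sql
-- Added example for SQL Server 2000/2005. CONTOSO is a placeholder domain;
-- BESMgmt is the database name given in the thread.
-- Run as an existing sysadmin other than the BES service account.

-- 1. Authentication mode: 1 = Windows authentication only,
--    0 = mixed mode (Windows and SQL Server logins).
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS WindowsAuthOnly;

-- 2. Before the BES install: create a Windows login for the service
--    account and grant the server roles (assumed: sysadmin, serveradmin).
EXEC sp_grantlogin 'CONTOSO\besadmin';
EXEC sp_addsrvrolemember 'CONTOSO\besadmin', 'sysadmin';
EXEC sp_addsrvrolemember 'CONTOSO\besadmin', 'serveradmin';
GO

-- 3. After the install: make sure the account is a database owner of
--    BESMgmt. If the installer created the database under this login,
--    the login is already mapped to dbo and the block is skipped.
USE BESMgmt;
IF NOT EXISTS (SELECT 1 FROM dbo.sysusers
               WHERE sid = SUSER_SID('CONTOSO\besadmin'))
BEGIN
    EXEC sp_grantdbaccess 'CONTOSO\besadmin', 'besadmin';
    EXEC sp_addrolemember 'db_owner', 'besadmin';
END
GO

-- 4. Remove the install-time server roles so the service account keeps
--    only database-level rights.
USE master;
EXEC sp_dropsrvrolemember 'CONTOSO\besadmin', 'sysadmin';
EXEC sp_dropsrvrolemember 'CONTOSO\besadmin', 'serveradmin';
GO

-- 5. Verify: both server-role columns should now be 0.
SELECT loginname, sysadmin, serveradmin
FROM master.dbo.syslogins
WHERE loginname = 'CONTOSO\besadmin';
```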
Old 07-27-2006, 12:51 AM   #20 (permalink)
New Member
 
Join Date: May 2006
Model: 8700g
Posts: 4
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

Thanks chap - that got it - was deleting the mdf file but not the ldf file - seems to be working now!

Many thanks again


Quote:
Originally Posted by blackberry1
"DB upgrade failed. Error executing an SQL statment"

That error typically is displayed if the SQL data directory already has besmgmt.mdf and besmgmtlog.ldf created. Delete those files and try again
(Common when using MSDE)

If you are using SQL 2000/2005- Best way to go about giving permissions is to create a security login for the domain/besadmin account

Assign System and Server Admin
After the install is complete only dbowner is required
Offline  
Copyright 2004-2014 BlackBerryForums.com.
The names RIM and BlackBerry are registered Trademarks of BlackBerry Inc.