Just had the (dis) pleasure of the infamous 'Send As' issue that many others have encountered (as indicated by the 'unlisted message error' when trying to send emails from the devices). Thanks to all the stuff I've read on this site, I didn't totally freak out, but still called RIM (we have T-Support anyway) and were able to resolve it quite easily.

Just another testament to this great site!!

You where able to keep your users in the domain admins group and still keep the abiltiy to send from the device?

This is what RIM had us check:

"Exchange View Only Administrator" Permission:

1. Go to Start > Programs > Microsoft Exchange > System Manager.
2. Expand Administrative Groups, right-click First Administrative Group and click Delegate Control.
3. Click Next and find the BlackBerry Enterprise Server service account.
4. Confirm the role assigned is "Exchange View Only Administrator"
5. If the BlackBerry Enterprise Server service account is not listed, click Add.
6. Click Browse and click BlackBerry Enterprise Server service account.
7. Click Add.
8. Assign the Exchange View Only Administrator role to the service account and click OK.
9. Click Next and click Finish.

Exchange Server Level Permissions:

1. Go to Start > Programs > Microsoft Exchange > System Manager.
2. Select Administrative Groups > First Administrative Group > Servers.
3. Right-click the Exchange server name and click Properties.
4. Click the Security tab.
5. Select the BlackBerry Enterprise Server service account.
6. Under Permissions, confirm that Administrator Information Store, Send As, and Receive As are selected.
7. If these permissions are not selected, set them to Allow.
8. Verify that Allow inheritable permissions from parent to propagate to this object is selected.
9. Click OK.

Active Directory "Send As" Permission:

1. Open Microsoft Active Directory Users and Computers.
2. From the View menu, select the Advanced Features option. If this option is not selected, the Security page will not be visible for domain and container objects.
3. Right-click the appropriate domain or container, then click Properties.
4. On the Security tab, click the Advanced button.
5. Find the BlackBerry Enterprise Server service account in the list of users and ensure it has the Send As permission
6. If the BlackBerry Enterprise Server service account is not listed, click Add, then select the account. Click OK.
7. Double-click the service account.
8. In the Applies Onto list, select User Objects.
9. Select the Send As check box.
10. Click Apply, then click OK.
11. Close the Properties window, then close Active Directory Users and Computers.

There was issues with at least 1 of the above, but since I'm not the Directory Services admin, I don't remember which one it was. I just know after he fixed it, I stopped the BB Router service for 20+ minutes, started it back up, and everything was working again as it should.

I was able to get this to work for our regular users, but haven't found a way to get it to work for the people part of protected groups. i've looked at multiple threads on the board, but obviously haven't typed in the right search query yet.

anyone shed a little light out there??

thanks!

Yes, the above steps do work for resolving the "send as" problem for domain users, after the changes to the AdminsdHolder have been made by the MS patch.

I too have done the above steps for the unprotected users and it solved my issues. However if your user is in a protected groups such as Domain Admins, it doesn't work. I haven't figured a way around it yet.

For protected groups just browse to the AdminSDHolder object in ADUC. It is in the system folder. Right click AdminSDHolder and grant the send as permission to your bes service account.

Can anyone confirm this? I don't see anywhere to allow send as.. My AdminSDholder security tab does not has "send as" listed..

You have to click on the advanced button to get to the send as permission.

Did you test this? I just tried that and my permissions where revoked after an hour. I Still can't "send as" a protected user.

Below is the resolution I had to walk through with Microsoft to correct the 1 hour permission revocation...
-------------------------------------------------------------

Issue:
======

Protected members are unable to send mail through Blackberry on the Exchange 2003 server xxx8220;#MailServerName#"


Resolution:
===========

Granted the Blackberry or other application service account the Send As permission on every user in a container or domain.

To grant Send As for a single account on all user accounts in an Active Directory domain or container followed these steps:

xxx183; Start the Active Directory Users and Computers management console.

xxx183; On the View menu, make sure that the Advanced Features option is selected. If this option is not selected, the Security page will not be visible for domain and container objects.

xxx183; Open the properties of the domain or container, and then click the Security page.

xxx183; Click the Advanced button.

xxx183; If the account that needs permission is not already listed, click Add, and then select the account. Otherwise double-click the account for editing.

xxx183; In the Applies Onto list, click User Objects.

xxx183; Grant the account Send As permission.

xxx183; Click OK until you have exited and saved all changes.

From the command prompt ran:
==========================

xxx183; Dsacls "cn=administrator,cn=users,dc=domain,dc=com" /G "Domain\BlackBerry:CA;Send As"

xxx183; Dsacls "cn=adminsdholder,cn=system,dc=domain,dc=com" /G "Domain\BlackBerry:CA;Send As"

xxx183; This will add Black Berry Service Account to Mailbox user which are part of protected Group and also grant "Send As" of Black Berry Account on AdminSDHolder Object.

xxx183; Therefore, "Send As" permission of users which are member of protected group will not be removed after Hour.

xxx183; Restarted the exchange information store.

xxx183; Restarted the blackberry services.

---------------------------------------------------------------
remember, that for "cn=administrator,cn=users,dc=domain,dc=com" /G "Domain\BlackBerry:CA;Send As"

you need to replace dc=domain with your AD domain (IE:dc=microsoft)
you need to replace dc=com with your AD extension (IE:dc=net)
you need to replace Domain\Blackberry with your BES admin account

I had exactly the same problem.
I'm in every Admin group and the BES Admin account was desappearing from my userxxx180;s Security tab about one hour after being added.
I added the permissions to the AdminSDHolder and had no troubles for about 5 hours. After that time, i noticed i wasnxxx180;t able to send mails from my Blackberry anymore so y went straight to my user account. For my surprise, the BES Admin account was still listed in the Security tab but the "Send As" permission was gone !!!!
Any ideas ?!?

EDIT:
Even though "Send As" permission is not being shown for the BES Admin in the Security tab, it is shown in "Advance > BES Admin > User Objects > Send As"....

Was a resolution ever found for this issue?

you dug up a seriously old thread. there are some in the last month that talk about a way to grant the proper permissions to the adminSDholder. I don't know it off the top of my head, because we don't use protected groups for regular user accounts.

The proper resolution is for members of protected groups to NOT be mail enabled. Those users should have two accounts on the system. One account is non-protected group member and has a mailbox, the second account can be in protected groups and has no mailbox. The user only uses their 2nd account when they have to do administrative type functions. Nearly every single one of these can be done using Run-As any never having to log out of the first account.


I hate to say it, but this is simple IT best practices.


There is a very easy way to remove the inherited DENY on send as/receive as in Exchange 2003, but then you are opening a big security and accountability loophole.

"resolution" -

Read this if you want to know about AdminSDHolder - The "Send As" right is removed from a user object after you configure the "Send As" right in the Active Directory Users and Computers snap-in in Exchange Server

Thanks hdawg, i've the fixes in this KB article and i'm awaiting a time that I can restart the stores.

IAgree 100%

regular users shouldn't ever be members of the protected groups anyways. You should always be logged on as a user with least privelage and then elevate privelages when duties arise that require it. This is a standard security practice.

Thanks fopr th input guys. I've added our bes user to the adminshholder account/objuect and restarted our store and Bes servers but I still can't send emails from my own elevated account.

I agree that it is bad security practice to let bes account have send as to the admin account "but" when you work in a big an organisation as I do this is going to cause a big problem as we have long established methods and it will take time to modify behaviours. I'm still developing the new blackberry system so its not hit the fan yet but it won't be long.

I've inherited the old system and at present the bes user is a full exchange admin and so works but I wan't to do it by the books, apart from the admin accounts, and I only want the account to have the rights it should.

So, security concerns and practises aside, how can I get the send as right to stick to the admin accounts?

The procedure is to after you modify the AdminSDHolder object you need to reapply the send as permission on your ad object. You then need to wait up to 2 hours for Exchange to flush its permissions cache (or restart the IS Service) and you should be good.