The "Send As" Issue with Active Directory
1. Open AD Users and Computers
2. Select View and Advanced Settings
3. Create a Domain Local Security group at the highest OU level that contains the users accounts that have Blackberrys.
4. Add these users as members of the group.
5. Go to the Security Tab for the group.
6. Click Advanced Permissions button.
7. Click Add and select the account that you use as your BES service account.
8. On the Permissions page change the drop down for Apply Onto to read User Objects
9. Then set Send As and Read permissions
10. Make sure the Apply These Permissions to Objects Within This Container box is unchecked.
11. Click Ok out of all the permissions pages.
12. Then restart exchange system attendant to refresh the permissions cache.
13. You'll now find that the permission is inherited by all your BB users and it will now stick.
To add... I believe this is also required:
dsacls "cn=AdminSDHolder,cn=System,dc=domain,dc=com" /G "domain.com\BlackBerrySA:CA;Send As"
I don't believe the Domain Local group step is necessary to resolve the Domain Admins issue you're having, that should be taken care of by dsacls on the AdminSDHolder. But, having that group is still a very good idea which will save you from having to set the Send As permission manually on users.