BlackBerry Forums Support Community


rpfeffer 10-19-2010 02:09 PM

Setting up the BESAdmin Account for a fresh 5.0.2 install
 
We are in the process of setting up a new install of BES 5.0.2 on a new VM that we will eventually transport our users to from the old 4.1.7 BES. We are getting some access denied permissions when trying to set the send as permissions on the BESAdmin account per the pre-upgrade tasks document.

To set the permissions at the organizational unit level, type Add-ADPermission -InheritedObjectType User -InheritanceType Descendents -ExtendedRights Send-As -User "BESAdmin" -Identity "OU=<organizational_unit>,DC=<domain_1>,DC=<domain_2>,DC=<domain_3>" where <domain_1>, <domain_2>, and <domain_3> form the name of the domain.
For example, if the organizational unit is Texas and the domain name is example.organization.net, type Texas for <organizational_unit>, example for <domain_1>, organization for <domain_2>, and net for <domain_3>.

Referenced from (beginning on page 22)

http://docs.blackberry.com/en/admin/...1-5.0.2-US.pdf

The error we receive is:

Quote:

Active Directory operation failed on dc1.domain.com. This error is not retriable. Additional information: Access is denied.
Active directory response: 00000005: SecErr: DSID-031521D0, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
+ CategoryInfo : WriteError: (0:Int32) [Add-ADPermission], ADOperationException
+ FullyQualifiedErrorId : D29B4D32,Microsoft.Exchange.Management.RecipientTasks.AddADPermission
Any thoughts?

RadHaz75 10-19-2010 08:04 PM

it looks like the account you are trying to make the changes with doesn't have the rights to make the changes (e.g. INSUFF_ACCESS_RIGHTS). try assigning the perms with an account that is domain admin.

BB-Tech support 10-20-2010 08:17 AM

Quote:

Originally Posted by rpfeffer (Post 1666107)
We are in the process of setting up a new install of BES 5.0.2 on a new VM that we will eventually transport our users to from the old 4.1.7 BES. We are getting some access denied permissions when trying to set the send as permissions on the BESAdmin account per the pre-upgrade tasks document.

To set the permissions at the organizational unit level, type Add-ADPermission -InheritedObjectType User -InheritanceType Descendents -ExtendedRights Send-As -User "BESAdmin" -Identity "OU=<organizational_unit>,DC=<domain_1>,DC=<domain_2>,DC=<domain_3>" where <domain_1>, <domain_2>, and <domain_3> form the name of the domain.
For example, if the organizational unit is Texas and the domain name is example.organization.net, type Texas for <organizational_unit>, example for <domain_1>, organization for <domain_2>, and net for <domain_3>.

Referenced from (beginning on page 22)

http://docs.blackberry.com/en/admin/...1-5.0.2-US.pdf

The error we receive is:



Any thoughts?


Is Exchange a new installation as well?
Are you trying to apply the Ex management shell command as domain admin?

Look at this KB article KB02276-Assign permissions for a BlackBerry Enterprise Server service account

rpfeffer 10-20-2010 08:48 AM

Quote:

Originally Posted by BB-Tech support (Post 1666318)
Is Exchange a new installation as well?
Are you trying to apply the Ex management shell command as domain admin?

Look at this KB article KB02276-Assign permissions for a BlackBerry Enterprise Server service account

that is exactly what we were doing. Should it not be a domain admin?

BB-Tech support 10-20-2010 08:57 AM

Quote:

Originally Posted by rpfeffer (Post 1666329)
that is exactly what we were doing. Should it not be a domain admin?

No
Because if BESAdmin is domain admin send as permission can be revoked
BESAdmin can be only domain admin (KB04707-Unable to send email messages because the Send As permission has been revoked)
and local admin on server box where bes is installing
and ALWAYS log as BESAdmin when you do any upgrades to BES or installation of MR-s
Are you planning to install Service Pack 1 Interim Security Software Update?
You have to perform that update as a built in admin (not domain admin, enterprise admin or BESAdmin)

BB-Tech support 10-20-2010 09:00 AM

Quote:

Originally Posted by rpfeffer (Post 1666329)
that is exactly what we were doing. Should it not be a domain admin?

If you need help just ask
I am installing bes 4.1.6 for some BESMgmt database testing, and I will be here for another hour

rpfeffer 10-20-2010 09:50 AM

Quote:

Originally Posted by BB-Tech support (Post 1666334)
No
Because if BESAdmin is domain admin send as permission can be revoked
BESAdmin can be only domain admin (KB04707-Unable to send email messages because the Send As permission has been revoked)
and local admin on server box where bes is installing
and ALWAYS log as BESAdmin when you do any upgrades to BES or installation of MR-s
Are you planning to install Service Pack 1 Interim Security Software Update?
You have to perform that update as a built in admin (not domain admin, enterprise admin or BESAdmin)

ok...did I read that right? You said BESadmin can't be a domain admin, then on the next line said it can be a domain admin.

I am confused. It's not a domain admin, but we were trying to run the command in exchange management shell as another domain admin. The BESAdmin account, however, is not a domain admin.

That said, this is all on Exch2010 SP1.

BB-Tech support 10-20-2010 09:55 AM

Quote:

Originally Posted by rpfeffer (Post 1666366)
ok...did I read that right? You said BESadmin can't be a domain admin, then on the next line said it can be a domain admin.

I am confused. It's not a domain admin, but we were trying to run the command in exchange management shell as another domain admin. The BESAdmin account, however, is not a domain admin.

That said, this is all on Exch2010 SP1.

Sorry bud

Can be ONLY domain user
Sorry typing mistake

rpfeffer 10-20-2010 12:44 PM

ok. We still can't use this command, not even if logged in as besadmin and running the command shell with elevated privileges.

RadHaz75 10-20-2010 03:46 PM

Quote:

Originally Posted by rpfeffer (Post 1666452)
ok. We still can't use this command, not even if logged in as besadmin and running the command shell with elevated privileges.

you need to run the command USING an account with domain admin rights (such as yours if you have it) AGAINST the !besadmin account.

as previously stated the !besadmin account should not be a domain admin so you won't be able to make the changes using that account.
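
The procedure described in the replies above, as an added example that is not part of any post in this thread: check that the service account is an ordinary domain user, grant Send-As on the OU from a separate administrator session, then read the ACE back. It assumes the ActiveDirectory module is available in the Exchange Management Shell and uses the sample OU and domain from the quoted document (Texas, example.organization.net).

```powershell
# Added example, not from the thread. Run in the Exchange Management Shell
# while logged on as an administrator account, NOT as BESAdmin.
# Assumptions: ActiveDirectory module installed; OU/domain are the sample
# values from the quoted document and must be replaced with your own.
Import-Module ActiveDirectory

$svcAccount = 'BESAdmin'
$ouDn       = 'OU=Texas,DC=example,DC=organization,DC=net'

# 1. Show which account the shell runs as; its rights on the OU are what
#    decide whether Add-ADPermission succeeds.
$runningAs = [Security.Principal.WindowsIdentity]::GetCurrent().Name
Write-Host "Shell is running as: $runningAs"

# 2. The service account should be a plain domain user (per the thread).
$admins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive
if ($admins | Where-Object { $_.SamAccountName -eq $svcAccount }) {
    Write-Warning "$svcAccount is in Domain Admins; remove it before continuing."
    return
}

# 3. Grant Send-As only if an allow ACE is not already present on the OU.
$sendAs = Get-ADPermission -Identity $ouDn -User $svcAccount |
    Where-Object { ($_.ExtendedRights -like '*Send-As*') -and -not $_.Deny }

if (-not $sendAs) {
    try {
        Add-ADPermission -Identity $ouDn -User $svcAccount `
            -ExtendedRights Send-As -InheritedObjectType User `
            -InheritanceType Descendents -ErrorAction Stop
    }
    catch {
        # INSUFF_ACCESS_RIGHTS here points at the account running the shell,
        # not at the service account (the diagnosis given in the thread).
        Write-Error "Grant failed while running as ${runningAs}: $($_.Exception.Message)"
        return
    }
}

# 4. Read the ACE back so the result is confirmed rather than assumed.
Get-ADPermission -Identity $ouDn -User $svcAccount |
    Where-Object { $_.ExtendedRights -like '*Send-As*' } |
    Format-List User, ExtendedRights, InheritanceType, Deny, IsInherited
```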

