BlackBerry Forums Support Community               

01-04-2007, 01:50 PM   #1 (permalink)
djbeenie

I have to vent! WTF is this crap!


Users cannot send e-mail messages from a mobile device or from a shared mailbox in Exchange 2000 Server and in Exchange Server 2003

Totally had to change our environment today.

*Sigh* What a pain in the butt today, and with dealing with a huge virus outbreak.

Sorry I had to vent! haha
__________________
Pin: 20F7C0E8
TMO 8900 - Exchange 2007 SP1 - BES 4.1.6
01-04-2007, 01:51 PM   #2 (permalink)
djbeenie

Related documentation for AdminSDHolder Protected Account:

Changes in your environment for the AdminSDHolder account are not supported by BlackBerry.

The below documentation is only informational.

Livelink - Redirection

Users cannot send e-mail messages from a mobile device or from a shared mailbox in Exchange 2000 Server and in Exchange Server 2003

Protected Groups:
The "Send As" right is removed from a user object after you configure the "Send As" right in the Active Directory Users and Computers snap-in in Exchange Server

Delegated permissions are not available and inheritance is automatically disabled

Description and Update of the Active Directory AdminSDHolder Object

"Send on behalf" permission is not assigned to a user after you delegate access in Outlook

MS06-019: Vulnerability in Microsoft Exchange Server could allow remote code execution

MS06-029: Vulnerability in Microsoft Exchange Server could allow script injection when Exchange Server runs Outlook Web Access

Versions Affected:
Exchange Server 2003 Service Pack 1 using store build 7233.51 or later
Exchange Server 2003 Service Pack 2 using store build 7650.23 or later
Exchange Server 2000 Service Pack 3 using store build 6619.4 or later

To grant Send As for a single account on all user accounts in an Active Directory domain or container, follow these steps:

1. Start the Active Directory Users and Computers management console.
2. On the View menu, make sure that the Advanced Features option is selected. If this option is not selected, the Security page will not be visible for domain and container objects.
3. Open the properties of the domain or container, and then click the Security page.
4. Click the Advanced button.
5. If the account that needs permission is not already listed, click Add, and then select the account. Otherwise double-click the account for editing.
6. In the Applies Onto list, click User Objects.
7. Grant the account Send As permission.
8. Click OK until you have exited and saved all changes.

Note Microsoft recommends that you do not use accounts that are members of protected groups for e-mail purposes. If you require the rights that are afforded to a protected group, we recommend that you have two Active Directory user accounts. These Active Directory accounts include one user account that is added to a protected group and one user account that is used for e-mail purposes and at all other times.

Enable inheritance on the AdminSDHolder container

Here is a link to more info on AdminSDHolder protected groups:
The "Send As" right is removed from a user object after you configure the "Send As" right in the Active Directory Users and Computers snap-in in Exchange Server

If you enable inheritance on the adminSDHolder container, all members of the protected groups have inherited permissions enabled. In terms of security functionality, this method reverts the behavior of the AdminSDHolder container back to the pre-Service Pack 4 functionality.
You can enable inheritance on the adminSDHolder container by using ADSI Edit or Active Directory Users and Computers. The path of the adminSDHolder container is CN=AdminSDHolder,CN=System,DC=<MyDomain>,DC=<Com>

Note If you use Active Directory Users and Computers, make sure that Advanced Features is selected on the View menu.

To enable inheritance on the adminSDHolder container:
1. Right-click the container, and then click Properties.
2. Click the Security tab.
3. Click Advanced.
4. Click to select the Allow Inheritable permissions to propagate to this object and all child objects check box.
5. Click OK, and then click Close.
The next time the SDProp thread runs, the inheritance flag is set on all members of protected groups. This procedure may take up to 60 minutes. Allow sufficient time for this change to replicate from the primary domain controller (PDC).

ADSIEdit.msc
Microsoft Corporation

If you change the rights or the permissions on the adminSDHolder object for a protected account, a background task will undo the change within several minutes. For example, if you grant the Send As permission on a domain administrator object for an application service account, the background task will automatically revoke the permission.
Note You can control the frequency at which the AdminSDHolder object updates security descriptors by modifying the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\AdminSDProtectFrequency
The default value for the AdminSDProtectFrequency registry entry is 60 minutes. Valid values range from 1 to 120 minutes. You can modify this value if you want to control the frequency for testing purposes.

Therefore, you cannot grant the Send As permission to an application service account for an account that is protected by the adminSDHolder object unless you change the adminSDHolder object itself. If you do change the adminSDHolder object, this will change the access permissions for all protected accounts. You should only change the adminSDHolder object after a complete review of the security implications that may occur with the change.
__________________
Pin: 20F7C0E8
TMO 8900 - Exchange 2007 SP1 - BES 4.1.6
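
A read-only audit of the state the post above describes, added here as an example (it is not part of the original post or of Microsoft's documentation): it reports whether inheritance has been enabled on AdminSDHolder, which trustees hold an explicit Send As ACE on it, and which protected accounts are also mail-enabled. It assumes the RSAT ActiveDirectory module and its AD: drive; the function name Get-SendAsAce is hypothetical, and adminCount=1 is used as the usual marker for protected accounts.

```powershell
# Added example: makes no changes, only reads ACLs and attributes.
Import-Module ActiveDirectory

# Schema GUID of the "Send As" extended right.
$SendAs   = [guid]'ab721a54-1e2f-11d0-9819-00aa0040529b'
$domainDN = (Get-ADDomain).DistinguishedName
$holderDN = "CN=AdminSDHolder,CN=System,$domainDN"

function Get-SendAsAce {
    # Hypothetical helper: allow ACEs that name the Send As right on one object.
    # ACEs granting all extended rights or full control are not listed here.
    param([Parameter(Mandatory)][string]$DistinguishedName)
    (Get-Acl -Path "AD:\$DistinguishedName").Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band
            [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
        $_.ObjectType -eq $SendAs
    }
}

# 1. The AdminSDHolder template itself. Anything found here is stamped onto
#    every protected account the next time SDProp runs.
$holderAcl = Get-Acl -Path "AD:\$holderDN"
[pscustomobject]@{
    Object             = $holderDN
    InheritanceEnabled = -not $holderAcl.AreAccessRulesProtected
    SendAsTrustees     = (Get-SendAsAce $holderDN).IdentityReference -join '; '
}

# 2. Protected accounts that are also used for e-mail, which the quoted
#    guidance recommends against. adminCount can be stale, so treat hits
#    as candidates to review rather than a definitive list.
Get-ADUser -LDAPFilter '(&(adminCount=1)(mail=*))' -Properties mail |
    ForEach-Object {
        $acl = Get-Acl -Path "AD:\$($_.DistinguishedName)"
        [pscustomobject]@{
            Account            = $_.SamAccountName
            Mail               = $_.mail
            InheritanceEnabled = -not $acl.AreAccessRulesProtected
            SendAsTrustees     = (Get-SendAsAce $_.DistinguishedName).IdentityReference -join '; '
        }
    }
```

A service account listed under SendAsTrustees on the AdminSDHolder row, or InheritanceEnabled showing True there, means the template was changed for every protected account in the domain and should be reviewed against the two-account recommendation quoted above.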
01-04-2007, 01:57 PM   #3 (permalink)
paulbblc (Retired BBF Moderator)

*moved to Rants and Raves*
Copyright 2004-2014 BlackBerryForums.com.
The names RIM and BlackBerry are registered Trademarks of BlackBerry Inc.