[rpfeffer]

We are in the process of setting up a new install of BES 5.0.2 on a new VM that we will eventually transport our users to from the old 4.1.7 BES. We are getting some access denied permissions when trying to set the send as permissions on the BESAdmin account per the pre-upgrade tasks document.

To set the permissions at the organizational unit level, type Add-ADPermission -InheritedObjectType User -
InheritanceType Descendents -ExtendedRights Send-As -User "BESAdmin" -Identity
"OU=<organizational_unit>,DC=<domain_1>,DC=<domain _2>,DC=<domain_3>" where <domain_1>,
<domain_2>, and <domain_3> form the name of the domain.
For example, if the organizational unit is Texas and the domain name is example.organization.net, type Texas for
<organizational_unit>, example for <domain_1>, organization for <domain_2>, and net for <domain_3>.

Referenced from (beginning on page 22)

http://docs.blackberry.com/en/admin/...1-5.0.2-US.pdf

The error we recieve is:

Quote:

Active Directory operation failed on dc1.domain.com. This error is not retriable. Additional information: Access
is denied.
Active directory response: 00000005: SecErr: DSID-031521D0, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
+ CategoryInfo : WriteError: (0:Int32) [Add-ADPermission], ADOperationException
+ FullyQualifiedErrorId : D29B4D32,Microsoft.Exchange.Management.RecipientTa sks.AddADPermission

Any thoughts?

[RadHaz75]

it looks like the account you are trying to make the changes with doesn't have the rights to make the changes (e.g. INSUFF_ACCESS_RIGHTS). try assigning the perms with an account that is domain admin.

[BB-Tech support]

Quote:

Originally Posted by rpfeffer

We are in the process of setting up a new install of BES 5.0.2 on a new VM that we will eventually transport our users to from the old 4.1.7 BES. We are getting some access denied permissions when trying to set the send as permissions on the BESAdmin account per the pre-upgrade tasks document.

To set the permissions at the organizational unit level, type Add-ADPermission -InheritedObjectType User -
InheritanceType Descendents -ExtendedRights Send-As -User "BESAdmin" -Identity
"OU=<organizational_unit>,DC=<domain_1>,DC=<domain _2>,DC=<domain_3>" where <domain_1>,
<domain_2>, and <domain_3> form the name of the domain.
For example, if the organizational unit is Texas and the domain name is example.organization.net, type Texas for
<organizational_unit>, example for <domain_1>, organization for <domain_2>, and net for <domain_3>.

Referenced from (beginning on page 22)

http://docs.blackberry.com/en/admin/...1-5.0.2-US.pdf

The error we recieve is:



Any thoughts?

Is Excange new installation as well ??
Are you trying to apply Ex managemant shell command as domain admin.

Look at this KB article KB02276-Assign permissions for a BlackBerry Enterprise Server service account

[rpfeffer]

Quote:

Originally Posted by BB-Tech support

Is Excange new installation as well ??
Are you trying to apply Ex managemant shell command as domain admin.

Look at this KB article KB02276-Assign permissions for a BlackBerry Enterprise Server service account

that is exactly what we were doing. Should it not be a domain admin?

[BB-Tech support]

Quote:

Originally Posted by rpfeffer

that is exactly what we were doing. Should it not be a domain admin?

No
Because if BESAdmin is domain admin send as permission can be revoked
BESAdmin can be only domain admin (KB04707-Unable to send email messages because the Send As permission has been revoked)
and local admin on server box where bes is installing
and ALWAYS log as BESAdmin when you do any upgrades to BES or installation of MR-s
Is you planing to install Service Pack 1 Interim Security Software Update
You have to perform that update as a built in admin (not domain admin, enterprise admin or BESAdmin)

[BB-Tech support]

Quote:

Originally Posted by rpfeffer

that is exactly what we were doing. Should it not be a domain admin?

If you need help just ask
I am installing bes 4.1.6 for some BESMgmt database testing, and i will be here for another hour

[rpfeffer]

Quote:

Originally Posted by BB-Tech support

No
Because if BESAdmin is domain admin send as permission can be revoked
BESAdmin can be only domain admin (KB04707-Unable to send email messages because the Send As permission has been revoked)
and local admin on server box where bes is installing
and ALWAYS log as BESAdmin when you do any upgrades to BES or installation of MR-s
Is you planing to install Service Pack 1 Interim Security Software Update
You have to perform that update as a built in admin (not domain admin, enterprise admin or BESAdmin)

ok...did I read that right? You said BESadmin can't be a domain admin, then on the next line said it can be a domain admin.

I am confused. It's not a domain admin, but we were trying to run the command in exchange management shell as another domain admin. The BESAdmin account, however, is not a domain admin.

That said, this is all on Exch2010 SP1.

[BB-Tech support]

Quote:

Originally Posted by rpfeffer

ok...did I read that right? You said BESadmin can't be a domain admin, then on the next line said it can be a domain admin.

I am confused. It's not a domain admin, but we were trying to run the command in exchange management shell as another domain admin. The BESAdmin account, however, is not a domain admin.

That said, this is all on Exch2010 SP1.

Sorry bud

Can be ONLY domain user
Sorry typing mistake

[rpfeffer]

ok. We still can't use this command, not even if logged in as besadmin and running the command shell with elevated privileges.

[RadHaz75]

Quote:

Originally Posted by rpfeffer

ok. We still can't use this command, not even if logged in as besadmin and running the command shell with elevated privileges.

you need to run the command USING an account with domain admin rights (such as yours if you have it) AGAINST the !besadmin account.

as previously stated the !besadmin account should not be a domain admin so you won't be able to make the changes using that account.