BES 3.6 permissions

dstoker509 asked:

I am running BES 3.6 SP2+ in a soon to be AD/Exchange 2003 environment.

What are the minimum permissions for 1) the BES service account and 2) a BES Admin Group in AD/Exchange 2003?

I want the BES Admin Group to have the ability only to setup a user with a blackberry; not admin all of Exchange.

I need information specific to 3.6.

Thanks!
JConchie:

BES itself needs its service account to have at least read and execute permissions on the Exchange server (properties on the server within the Exchange System Manager).

The BES admin console is entirely separate from your Exchange System Manager....just give people access to the BES console and not to your Exchange management console....they will be able to add BES users (as long as the user already has an Exchange mailbox) but will not be able to do anything at all with Exchange.
dstoker509 (asker):
What type of permissions will I need to give users with only the BES admin console in order to add BES users?  I also saw something about restricted BES admin console settings?

Thanks for your help.  While I have worked with Exchange for over 8 years in an Enterprise environment, I have thus far done a great job of avoiding Blackberry issues.
We are only running one BES, so we just have the admin console on one machine and access it both locally and through a terminal services desktop for remote access.

That seems to me to be the easiest way to go if you want to give remote access admin powers to some users.....create a TS profile with the BES admin console on the remote desktop, then create a "BES admin" group with permissions to access that profile...and put whoever you wish in the group.
do you need more info before closing this question?
What type of AD permissions are required just to add/remove BES devices, but not change the BES settings?  Same question in regards to Exchange permissions.  Our organization requires strict permissions, giving tier 1 & 2 support staff only the necessary rights and nothing more.  With over 80000 users to support world-wide, we cannot afford to give everyone Full Admin rights.
You can't do this through AD....you can only restrict access to the BES management console.....and the BES management console is not granular enough to allow the kind of restriction you want......users who can access it can perform all functions on the console.....no way to give them partial control.
When a user accesses the BES console, whose rights are they using to make changes?  The BES account or their own?  If their own, what rights are necessary?
I think maybe we are talking past each other here...  :-) ...you can install the BES management console on any desktop...either individual users, or put it on a Terminal Server desktop, with only the management console available to users to whom you grant access to the TS desktop.

The bad news, from your point of view, is that once a user has access to the BES console, there is no way to restrict what they do on that console.....they can perform any and all of the blackberry management tasks. The BES console is not a MMC and is not as granular as the MS tools.
JConchie (accepted solution; text not shown on this page)
I think that I got enough information to close this question.  I understood most of what you stated, but I was hoping for a better way to lock down using group permissions rather than using application configuration restrictions.  Our environment is so large that it becomes a hassle to manage it that way.

Oh well, thanks for your help!
Not sure if you have used this, but the BES software includes a utility on the CD called SetAdminKey.exe.  It configures the BES console to function in one of three ways:
* Full Access Mode
* Policy Access Mode
* User Access Mode

Still not quite what I wanted, but it appears to be as close as it gets.  Also, since the application control is in the Current User hive of the registry, I can configure it through a TS profile for some but not all BES admins.

Here is a list of what each means:

User Access Mode (SetAdminKey.exe -r)
* Disables all server functionality
* Disables all server management properties other than the Control settings
* Disables access to the IT Policy and the Mobile Data Service settings
* The ability to add a new BlackBerry Enterprise Server by access to New BlackBerry Server is disabled.
* The ability to import a BlackBerry Enterprise Server by access to Import BlackBerry Servers is disabled.
* The ability to export a BlackBerry Enterprise Server by access to Export BlackBerry Servers is disabled.
* Access to Other Tasks is disabled.
* Access to the License tab is disabled.
* Access to the Database tab is disabled.
* Access to the Logging tab is disabled.
* Access to the Advanced tab is disabled.
* Access to the IT Policy Items tab is disabled.
* Access to BlackBerry Enterprise Server Properties is disabled.
* Access to Mobile Data Service Properties is disabled.
* Access to Set as MDS Push Server is disabled.
* Access to the Send All-Points-Bulletin (APB) option is disabled.
* Access to IT Policy is disabled.
* Access to the Start BlackBerry Server option is disabled.
* Access to the Stop BlackBerry Server option is disabled.
* Access to the Start Mobile Data Service option is disabled.
* Access to the Stop Mobile Data Service option is disabled.
* Access to the Enable Mobile Data Service option is disabled.
* Access to the Disable Mobile Data Service option is disabled.
* Access to enable or disable the Mobile Data Service is disabled.
* Access to IT Admin commands is disabled.
* Access to the IT Admin tab is disabled.

Policy Access Mode (SetAdminKey.exe -p)
* Disables all server functionality other than IT Policy
* Disables all server management properties other than the Control settings
* Access to add a new BlackBerry Enterprise Server using New BlackBerry Server is disabled.
* Access to import a BlackBerry Enterprise Server using Import BlackBerry Servers is disabled.
* Access to export a BlackBerry Enterprise Server using Export BlackBerry Servers is disabled.
* Access to Other Tasks is disabled.
* Access to the License tab is disabled.
* Access to the Database tab is disabled.
* Access to the Logging tab is disabled.
* Access to the Advanced tab is disabled.
* Access to the BlackBerry Enterprise Server Properties is disabled (with the exception of the IT Admin tab).
* Access to Mobile Data Service Properties is disabled.
* Access to the Set as MDS Push Server option is disabled.
* Access to the Send All-Points-Bulletin (APB) option is disabled.
* Access to the Start BlackBerry Server option is disabled.
* Access to the Stop BlackBerry Server option is disabled.
* Access to the Start Mobile Data Service option is disabled.
* Access to the Stop Mobile Data Service option is disabled.
* Access to the Enable Mobile Data Service option is disabled.
* Access to the Disable Mobile Data Service option is disabled.

Full Access Mode (SetAdminKey.exe -f)
* All existing functionality remains enabled.
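The TS-profile approach from the post above, as an added example that is not part of the thread or of RIM's tooling: a logon script that runs in the admin's own session (so the HKCU setting lands in their hive) and picks the SetAdminKey.exe switch from AD group membership, failing closed to User Access Mode. The install path and the three group names are placeholders to replace.

```powershell
# Added example, not code from the thread. Run as a per-user logon script on the
# Terminal Server that hosts the BES console. The path and group names are
# assumptions; the -f / -p / -r switches are the ones listed in the post above.
param(
    [string]$SetAdminKey = 'C:\PathTo\SetAdminKey.exe'   # placeholder: copy from the BES CD
)

# Most privileged group first; the first match wins. Anyone who is not in a
# listed group gets the most restrictive mode, so a missing membership fails closed.
$ModeByGroup = [ordered]@{
    'CORP\BES-Full-Admins'   = '-f'   # Full Access Mode   (placeholder group)
    'CORP\BES-Policy-Admins' = '-p'   # Policy Access Mode (placeholder group)
    'CORP\BES-User-Admins'   = '-r'   # User Access Mode   (placeholder group)
}
$DefaultSwitch = '-r'

# Resolve the current user's token groups to DOMAIN\Name for comparison.
$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$myGroups = foreach ($sid in $identity.Groups) {
    try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { }
}

$switch = $DefaultSwitch
foreach ($entry in $ModeByGroup.GetEnumerator()) {
    if ($myGroups -contains $entry.Key) { $switch = $entry.Value; break }
}

if (-not (Test-Path -LiteralPath $SetAdminKey)) {
    throw "SetAdminKey.exe not found at $SetAdminKey; console mode not applied"
}

# Apply the mode in this user's HKCU and keep a per-user record of what was set.
& $SetAdminKey $switch
$rc = $LASTEXITCODE
$line = "{0} {1}: applied BES console mode {2} (exit code {3})" -f (Get-Date -Format s), $identity.Name, $switch, $rc
$line | Out-File -Append -FilePath (Join-Path $env:TEMP 'bes-console-mode.log')
if ($rc -ne 0) { throw $line }
```

Because the setting lives in the user's own registry hive, treat the mode as a usability restriction applied at logon rather than an enforced boundary: the same user could re-run SetAdminKey.exe if they can reach it, so also limit who can execute the utility and who can reach the TS profile at all.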
Dstoker,
Thanks for the above....I wasn't aware of setadminkey.......once again, this shows the great strength of EE.....we all learn from each other in the course of addressing an issue.

Good luck in locking this down in a way that works for you......I'd be very interested in hearing from you sometime down the line about how it works out on a network your size.......how many BB users, BESs, do you have?
My back channel email is in my profile.
Thanks,
J
We have roughly 7000 BlackBerry devices globally managed at 7 messaging centers.  We run multiple instances of BES on our servers to get beyond the 500 device limit per instance.

Looking at BES 4.0 soon which should relieve some of the cradling necessary from an Admin's standpoint.

We have local admins (ADUC only with specific OU rights only, would like to give them limited BES rights), corporate Helpdesk (ADUC only with specific global rights only) and corporate Engineering Support (ADUC, ESM, etc., various rights based on experience)