Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

Security Permissions keep disappearing!!!

Posted on 2006-11-10
6
Medium Priority
?
2,073 Views
Last Modified: 2012-06-27
Dont know whether this is the right place but here goes:

We have a 2000 domain with some 2003 servers in it as well. We have just installed a 2003 Exchange Ent Cluster which is working fine, however, it had SP2 installed and affected our Blackberry Server. We applied the SP2 hotfix and followed the instructions from the knowledge base and all seemed fine. Now we have tried to add another blackberry to the server and one of the actions is in the user profile in AD it to grant BES admin permissions to send as and receive as in the Security option. This is fine and the permissions are there and the blackberry works but after about 20 mins the permissions "disappear" and the blackberry is unable to send but can receive. I have changed it again and again and replicate but it still keeps happening and I dont know why it keeps losing the permissions. There are 3 DC on W2K Sever with all relevant patches etc applied. All the other blackberry's are working fine so I am at a loss. We have create a new user and that does the same thing. Does anyone have any idea why this is happening and what can be done to fix it?
0
Comment
Question by:goldsmithwilliams
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
6 Comments
 
LVL 85

Expert Comment

by:oBdA
ID: 17913242
This user is (or has been at one point) member of a "protected group" (Administrators, Account Operators, Server Operators, Print Operators, Backup Operators, Domain Admins, Schema Admins, Enterprise Admins, Cert Publishers); check here for details:
The "Send As" right is removed from a user object after you configure the "Send As" right in the Active Directory Users and Computers snap-in in Exchange Server
http://support.microsoft.com/?kbid=907434

Delegated permissions are not available and inheritance is automatically disabled
http://support.microsoft.com/?kbid=817433

AdminSDHolder Thread Affects Transitive Members of Distribution Groups
http://support.microsoft.com/?kbid=318180

Security tab of the adminSDHolder object does not display all properties
http://support.microsoft.com/?kbid=301188
0
 

Author Comment

by:goldsmithwilliams
ID: 17913302
While the send as etc is removed, should it remove the user from the list. I have removed users from the list which no longer exist (they being with S then a number) and added the BES admin user. After 20 mins or so the BESAdmin user disappears the users beginning S-xxx which no longer exist and were deleted reappear.
0
 
LVL 85

Expert Comment

by:oBdA
ID: 17913816
Which "list" are you referring to?
0
Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

 

Author Comment

by:goldsmithwilliams
ID: 17913843
The user profile in Active Director and the security tab when you add group or username access. I think what might be happening is permissions are not being inherited and overriden but thats just a thought.
0
 
LVL 85

Accepted Solution

by:
oBdA earned 1200 total points
ID: 17913891
Then it seems like someone changed the properties of the adminsdholder object (iirc, it's described in one of the articles above), and added the (now deleted) users; if a user is deleted, it remains still in the ACLs of any resource where it had permissions.
0
 
LVL 19

Expert Comment

by:bevhost
ID: 23494467
On our server Power Users were part of the Print Operators Group.
SO, Power Users were also having the BESAdmin group removed.

I also read that the exchange message store must be restarted before or wait two hours for the cache to be discarded before the user could send.  I guess I'll know in two hours. (and by then I'll be offsite not returning for 5 days)

See also
http://support.microsoft.com/kb/912918
Users cannot send e-mail messages from a mobile device or from a shared mailbox in Exchange 2000 Server and in Exchange Server 2003
0

Featured Post

Enroll in October's Free Course of the Month

Do you work with and analyze data? Enroll in October's Course of the Month for 7+ hours of SQL training, allowing you to quickly and efficiently store or retrieve data. It's free for Premium Members, Team Accounts, and Qualified Experts!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

NTFS file system has been developed by Microsoft that is widely used by Windows NT operating system and its advanced versions. It is the mostly used over FAT file system as it provides superior features like reliability, security, storage, efficienc…
With the evolution of technology, we have finally reached a point where it is possible to have home automation features like having your thermostat turn up and door lock itself when you leave, as well as a complete home security system. This is a st…
In this video you will find out how to export Office 365 mailboxes using the built in eDiscovery tool. Bear in mind that although this method might be useful in some cases, using PST files as Office 365 backup is troublesome in a long run (more on t…
In this video, Percona Solutions Engineer Barrett Chambers discusses some of the basic syntax differences between MySQL and MongoDB. To learn more check out our webinar on MongoDB administration for MySQL DBA: https://www.percona.com/resources/we…
Suggested Courses

597 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question