Send as permission for Blackberry being revoked on Admin Account

Linked question

http://www.experts-exchange.com/Applications/Q_22070333.html

I guess this is part of a security patch from MS but when I apply a SEND AS permission or inherit rights for this from the OU, about 1 hour later the permissions are removed and no longer is the account inheriting rights from the OU it sits in.

I have tested with normal accounts and they seem to keep thie settings. This acount i fnot part of the admins group is fine, but as soon as you add the domain admin everything falls apart.

Can anyone advise of a way to allow an account with domain admin privileges to keep the send as permission?

Environment is Win2k r2, Exchange 2003 SP2 fully patched. client gets mail via blackberry device ent server.
LVL 1
cbpeeCTOAsked:
Who is Participating?
 
SembeeConnect With a Mentor Commented:
There was a behaviour change.

http://support.microsoft.com/default.aspx?kbid=912918

If you are part of a protected group (ie domain admins) then the Send As permission will be removed.

Simon.
0
 
redseatechnologiesCommented:
Hi cbpee,

I may be over simplifying this, but have you missed the obvious?

Domain Admins are denied by default, here is the way to resolve that

http://www.petri.co.il/grant_full_mailbox_rights_on_exchange_2000_2003.htm

-red
0
 
cbpeeCTOAuthor Commented:
Can anyone tell me if the send as permission is removed just the once as part of the service pack or patch application or if it continues to remove the function each time the AD sync's.

As I mentioned my issues is not how to allow the right it's how to keep it allowed as after a set period of time the send as right just disappears.
0
Creating Active Directory Users from a Text File

If your organization has a need to mass-create AD user accounts, watch this video to see how its done without the need for scripting or other unnecessary complexities.

 
SembeeCommented:
It will be constantly removed.

Simon.
0
 
cbpeeCTOAuthor Commented:
SOAB - Dam you MS Dam you to hell.

0
 
SembeeCommented:
Microsoft have made a change that has been requested by their customers.
If you follow the best practises of domain management you should not have domain admin rights on your personal account. You should have a special administrator account that is used for administrator privileges. The evidence of this model is very evident in Windows Vista.

It just means you have to adjust your working practises, for the better.

Simon.
0
 
cbpeeCTOAuthor Commented:
Yes I agree - but it's still a pain that you are forced to adopt it. i think we shoudl be given the option to be less secure if we choose to.

Security is always a trade off.
0
 
SembeeCommented:
If given a choice, everyone will go for the least secure option because it makes life easier.

Microsoft are between a rock and hard place. If they increase the security of their products they are condemned for making the administrator's harder, if they don't, then people complain.

You will have to live with this change. It isn't new, it was made at the beginning of this year and was made following extensive consultations with third parties who would be impacted - hence that long KB article.

Simon.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.