Windows 2003 Domain + BlackBerry Enterprise Server: BESAdmin account is having problems sending on behalf of Administrator Accounts

Hey everyone,

I'm usually pretty good with this, but might need someone else to check it out for me. I've got a BES demo server that is having issues sending emails from the BB handhelds. We are a 2003 domain with Exchange 2003 servers.

RIM support states that it's an MS issue from a hotfix that keeps accounts from logging in and sending mail on behalf of people's accounts that are Domain Administrator members. There are a couple of workarounds from various KB articles, but I don't think they are working like they should.

Now, the article uses some scripts to fix this and allow the BESAdmin account to send mail on behalf of the administrator members' accounts.

The scripts are as follows, with the outcome. I am hoping that someone can catch something that I might be overlooking.

Thanks a lot,
inverted



I've run the scripts as follows:

Script #1

dsacls "cn=adminsdholder,cn=system,dc=sonic,dc=com" /G "\SELF:CA;Send As"
dsacls "cn=adminsdholder,cn=system,dc=sonic,dc=com" /G "\SELF:CA;Receive As"
dsacls "cn=adminsdholder,cn=system,dc=sonic,dc=com" /G "\SELF:CA;Change Password"
dsacls "cn=adminsdholder,cn=system,dc=sonic,dc=com" /G "\SELF:RPWP;Personal Information"
dsacls "cn=adminsdholder,cn=system,dc=sonic,dc=com" /G "\SELF:RPWP;Phone and Mail Options"
dsacls "cn=adminsdholder,cn=system,dc=sonic,dc=com" /G "\SELF:RPWP;Web Information"

Script #2

dsacls "cn=adminsdholder,cn=system,dc=sonic,dc=com" /G "\SELF:CA;Send As"
dsacls "cn=adminsdholder,cn=system,dc=sonic,dc=com" /G "\SELF:CA;Receive As"
dsacls "cn=adminsdholder,cn=system,dc=sonic,dc=com" /G "\SELF:CA;Change Password"
dsacls "cn=adminsdholder,cn=system,dc=sonic,dc=com" /G "\SELF:RPWP;Personal Information"
dsacls "cn=adminsdholder,cn=system,dc=sonic,dc=com" /G "\SELF:RPWP;Phone and Mail Options"
dsacls "cn=adminsdholder,cn=system,dc=sonic,dc=com" /G "\SELF:RPWP;Web Information"
dsacls "cn=adminsdholder,cn=system,dc=sonic,dc=com" /G "\BESAdmin:CA;Send As"

Result found by running: dsacls cn=adminsdholder,cn=system,dc=sonic,dc=com

Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\Documents and Settings\milton>dsacls cn=adminsdholder,cn=system,dc=sonic,dc=com
Access list:
{This object is protected from inheriting permissions from the parent}
Effective Permissions on this object are:
Allow NT AUTHORITY\Authenticated Users               SPECIAL ACCESS
                                                     READ PERMISSONS
                                                     LIST CONTENTS
                                                     READ PROPERTY
                                                     LIST OBJECT
Allow BUILTIN\Administrators                         SPECIAL ACCESS
                                                     DELETE
                                                     READ PERMISSONS
                                                     WRITE PERMISSIONS
                                                     CHANGE OWNERSHIP
                                                     CREATE CHILD
                                                     DELETE CHILD
                                                     LIST CONTENTS
                                                     WRITE SELF
                                                     WRITE PROPERTY
                                                     READ PROPERTY
                                                     LIST OBJECT
                                                     CONTROL ACCESS
Allow SONIC\Enterprise Admins                        SPECIAL ACCESS
                                                     READ PERMISSONS
                                                     WRITE PERMISSIONS
                                                     CHANGE OWNERSHIP
                                                     CREATE CHILD
                                                     DELETE CHILD
                                                     LIST CONTENTS
                                                     WRITE SELF
                                                     WRITE PROPERTY
                                                     READ PROPERTY
                                                     LIST OBJECT
                                                     CONTROL ACCESS
Allow SONIC\Domain Admins                            SPECIAL ACCESS
                                                     READ PERMISSONS
                                                     WRITE PERMISSIONS
                                                     CHANGE OWNERSHIP
                                                     CREATE CHILD
                                                     DELETE CHILD
                                                     LIST CONTENTS
                                                     WRITE SELF
                                                     WRITE PROPERTY
                                                     READ PROPERTY
                                                     LIST OBJECT
                                                     CONTROL ACCESS
Allow NT AUTHORITY\SYSTEM                            FULL CONTROL
Allow BUILTIN\Pre-Windows 2000 Compatible Access     SPECIAL ACCESS
                                                     READ PERMISSONS
                                                     LIST CONTENTS
                                                     READ PROPERTY
                                                     LIST OBJECT
Allow S-1-5-21-781356282-4258199160-2314867737-1332  SPECIAL ACCESS
                                                     LIST CONTENTS
Allow SONIC\Exchange Enterprise Servers              SPECIAL ACCESS
                                                     LIST CONTENTS
Allow BUILTIN\Pre-Windows 2000 Compatible Access     SPECIAL ACCESS for Remote Access Information
                                                     READ PROPERTY
Allow BUILTIN\Pre-Windows 2000 Compatible Access     SPECIAL ACCESS for General Information
                                                     READ PROPERTY
Allow BUILTIN\Pre-Windows 2000 Compatible Access     SPECIAL ACCESS for Group Membership
                                                     READ PROPERTY
Allow BUILTIN\Pre-Windows 2000 Compatible Access     SPECIAL ACCESS for Account Restrictions
                                                     READ PROPERTY
Allow BUILTIN\Pre-Windows 2000 Compatible Access     SPECIAL ACCESS for Logon Information
                                                     READ PROPERTY
Allow S-1-5-21-781356282-4258199160-2314867737-1332  SPECIAL ACCESS for Public Information
                                                     WRITE PROPERTY
                                                     READ PROPERTY
Allow S-1-5-21-781356282-4258199160-2314867737-1332  SPECIAL ACCESS for Personal Information
                                                     WRITE PROPERTY
                                                     READ PROPERTY
Allow S-1-5-21-781356282-4258199160-2314867737-1332  SPECIAL ACCESS for displayName
                                                     WRITE PROPERTY
                                                     READ PROPERTY
Allow SONIC\Exchange Enterprise Servers              SPECIAL ACCESS for Public Information
                                                     WRITE PROPERTY
                                                     READ PROPERTY
Allow SONIC\Exchange Enterprise Servers              SPECIAL ACCESS for Personal Information
                                                     WRITE PROPERTY
                                                     READ PROPERTY
Allow SONIC\Exchange Enterprise Servers              SPECIAL ACCESS for displayName
                                                     WRITE PROPERTY
                                                     READ PROPERTY
Allow SONIC\Cert Publishers                          SPECIAL ACCESS for userCertificate
                                                     WRITE PROPERTY
                                                     READ PROPERTY
Allow BUILTIN\Windows Authorization Access Group     SPECIAL ACCESS for tokenGroupsGlobalAndUniversal
                                                     READ PROPERTY
Allow BUILTIN\Terminal Server License Servers        SPECIAL ACCESS for terminalServer
                                                     WRITE PROPERTY
                                                     READ PROPERTY
Allow NT AUTHORITY\SELF                              SPECIAL ACCESS for Personal Information
                                                     WRITE PROPERTY
                                                     READ PROPERTY
Allow NT AUTHORITY\SELF                              SPECIAL ACCESS for Phone and Mail Options
                                                     WRITE PROPERTY
                                                     READ PROPERTY
Allow NT AUTHORITY\SELF                              SPECIAL ACCESS for Web Information
                                                     WRITE PROPERTY
                                                     READ PROPERTY
Allow NT AUTHORITY\SELF                              SPECIAL ACCESS for Personal Information
                                                     WRITE PROPERTY
                                                     READ PROPERTY
Allow NT AUTHORITY\SELF                              SPECIAL ACCESS for Personal Information
                                                     WRITE PROPERTY
                                                     READ PROPERTY
Allow NT AUTHORITY\SELF                              SPECIAL ACCESS for Personal Information
                                                     WRITE PROPERTY
                                                     READ PROPERTY
Allow NT AUTHORITY\SELF                              SPECIAL ACCESS for Personal Information
                                                     WRITE PROPERTY
                                                     READ PROPERTY
Allow NT AUTHORITY\SELF                              SPECIAL ACCESS for Phone and Mail Options
                                                     WRITE PROPERTY
                                                     READ PROPERTY
Allow NT AUTHORITY\SELF                              SPECIAL ACCESS for Web Information
                                                     WRITE PROPERTY
                                                     READ PROPERTY
Allow NT AUTHORITY\SELF                              SPECIAL ACCESS for Personal Information
                                                     WRITE PROPERTY
                                                     READ PROPERTY
Allow Everyone                                       Change Password
Allow NT AUTHORITY\SELF                              Change Password
Allow NT AUTHORITY\SELF                              Send As
Allow NT AUTHORITY\SELF                              Receive As
Allow NT AUTHORITY\SELF                              Change Password
Allow NT AUTHORITY\SELF                              Receive As
Allow NT AUTHORITY\SELF                              Change Password
Allow NT AUTHORITY\SELF                              Receive As
Allow NT AUTHORITY\SELF                              Change Password
Allow SONIC\BESAdmin                                 Send As
Allow NT AUTHORITY\SELF                              Send As
Allow NT AUTHORITY\SELF                              Receive As
Allow NT AUTHORITY\SELF                              Change Password
Allow SONIC\BESAdmin                                 Send As
Allow NT AUTHORITY\SELF                              Send As
Allow NT AUTHORITY\SELF                              Receive As
Allow NT AUTHORITY\SELF                              Change Password
Allow NT AUTHORITY\SELF                              Send As
Allow NT AUTHORITY\SELF                              Receive As
Allow NT AUTHORITY\SELF                              Change Password
Allow SONIC\BESAdmin                                 Send As

Permissions inherited to subobjects are:
Inherited to all subobjects
Allow S-1-5-21-781356282-4258199160-2314867737-1332  SPECIAL ACCESS
                                                     LIST CONTENTS
Allow SONIC\Exchange Enterprise Servers              SPECIAL ACCESS
                                                     LIST CONTENTS
Allow S-1-5-21-781356282-4258199160-2314867737-1332  SPECIAL ACCESS for Public Information
                                                     WRITE PROPERTY
                                                     READ PROPERTY
Allow S-1-5-21-781356282-4258199160-2314867737-1332  SPECIAL ACCESS for Personal Information
                                                     WRITE PROPERTY
                                                     READ PROPERTY
Allow S-1-5-21-781356282-4258199160-2314867737-1332  SPECIAL ACCESS for displayName
                                                     WRITE PROPERTY
                                                     READ PROPERTY
Allow SONIC\Exchange Enterprise Servers              SPECIAL ACCESS for Public Information
                                                     WRITE PROPERTY
                                                     READ PROPERTY
Allow SONIC\Exchange Enterprise Servers              SPECIAL ACCESS for Personal Information
                                                     WRITE PROPERTY
                                                     READ PROPERTY
Allow SONIC\Exchange Enterprise Servers              SPECIAL ACCESS for displayName
                                                     WRITE PROPERTY
                                                     READ PROPERTY

The command completed successfully
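An added example, not from the question or the thread: a small Python parser for dsacls output like the dump above that rejoins the 80-column wrapped lines, reports ACEs listed more than once (each re-run of the script appended another copy to AdminSDHolder), confirms SONIC\BESAdmin holds Send As, and flags trustees that only show as a raw SID. The sample dump is a constructed excerpt modelled on the one in the question, not the real output.

```python
import re

# Constructed excerpt modelled on the dsacls dump in the question (not the real
# dump): a wrapped header, per-right lines, a raw SID, and ACEs added twice.
SAMPLE_DSACLS = """\
Effective Permissions on this object are:
Allow NT AUTHORITY\\SELF                              SPECIAL ACCESS for Personal
 Information
                                                     WRITE PROPERTY
                                                     READ PROPERTY
Allow S-1-5-21-781356282-4258199160-2314867737-1332  SPECIAL ACCESS
                                                     LIST CONTENTS
Allow NT AUTHORITY\\SELF                              Send As
Allow SONIC\\BESAdmin                                 Send As
Allow NT AUTHORITY\\SELF                              Send As
Allow SONIC\\BESAdmin                                 Send As
The command completed successfully
"""

ACE_RE = re.compile(r"^(Allow|Deny) (.+?)\s{2,}(\S.*)$")
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")
SECTION_PREFIXES = ("Access list", "{", "Effective Permissions",
                    "Permissions inherited", "Inherited to", "The command")

def parse_dsacls(text):
    """Return ACEs as (type, trustee, right, props) tuples, rejoining headers
    wrapped at 80 columns and collecting the deeply indented per-right lines."""
    aces, current = [], None
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if m:
            current = [m.group(1), m.group(2).strip(), m.group(3).strip(), []]
            aces.append(current)
        elif not line.strip() or line.startswith(SECTION_PREFIXES):
            current = None                        # section text, not an ACE
        elif current is not None and line.startswith(" " * 20):
            current[3].append(line.strip())       # e.g. WRITE PROPERTY
        elif current is not None:
            current[2] += line.rstrip()           # wrapped tail, " Information"
    return [(t, who, right, tuple(props)) for t, who, right, props in aces]

def duplicate_aces(aces):
    """ACEs listed more than once: each re-run of the dsacls /G script adds a copy."""
    counts = {}
    for ace in aces:
        counts[ace] = counts.get(ace, 0) + 1
    return {ace: n for ace, n in counts.items() if n > 1}

def trustee_has_right(aces, trustee, right):
    return any(a[:3] == ("Allow", trustee, right) for a in aces)

def unresolved_sids(aces):
    """Trustees shown as raw SIDs no longer resolve to a name; review those ACEs."""
    return {a[1] for a in aces if SID_RE.match(a[1])}
```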


cvvoodCommented:
Not to take the cop-out, but if you've got the Enterprise server with the single license, you can just call BlackBerry for 30 days. I had the same issue and they just hooked me right up.....

Simply put, go to the head of your organization in Exchange, and add the send on behalf of for the entire domain....
inverted_2000Author Commented:
I did call RIM on the issue.  It didn't seem to correct the sending on behalf of problem.  I figured that someone can verify the "dsacls" results so I have something to go back to RIM with because they were "certain" that it is a sending on behalf of issue.
SembeeCommented:
Did RIM point you to the KB article that explains what is happening?
http://support.microsoft.com/default.aspx?kbid=912918

The ideal solution of course is to follow the security best practices and remove the Domain Admin permissions from those user accounts.

Simon.

inverted_2000Author Commented:
You bet they did... I do need to restart the server with that information store on it... but I am wondering if that will make a difference.

I also have a handful of accounts that have to be Domain Admins because they are admins. I'll post a little more after I reboot the server.

Thanks for the input nonetheless,
inverted
SembeeCommented:
You don't need to be a domain admin because you are an admin.
The best practice for network security is to have two accounts: a regular account for day-to-day work with email and content on your workstation, and then an admin account that is used when required. Using a workstation logged in as a domain admin these days is rather foolish because of the chaos it can cause.

Simon.
inverted_2000Author Commented:
The script was correct and I restarted the info store on the Exchange and it started working.
cvvoodCommented:
You probably only needed to restart the RUS Service, and it's dependent services.  But you received the same effect by rebooting the server entirely...

Glad to see it's working...

CvV
inverted_2000Author Commented:
Actually it was the Microsoft Exchange Information Store - that made sure that:

dsacls "cn=adminsdholder,cn=system,dc=sonic,dc=com" /G "\BESAdmin:CA;Send As"

took as a command.