• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 707
  • Last Modified:

Windows 2003 Domain + BlackBerry Enterprise Server: BESAdmin account is having problems sending on behalf of Administrator Accounts

Hey everyone,

I'm usually pretty good with this, but I might need someone else to check it out for me. I've got a BES demo server that is having issues sending emails from the BB handhelds. We are a 2003 domain with Exchange 2003 servers.

RIM support states that it's an MS issue from a hotfix that keeps accounts from logging in and sending mail on behalf of people's accounts that are domain administrator members. There are a couple of workarounds from various KB articles, but I don't think they are working like they should.

Now, the article uses some scripts to fix this and allow the BESAdmin account to send mail on behalf of the administrator members' accounts.

The scripts are as follows, with the outcome. I am hoping that someone can catch something that I might be overlooking.

Thanks a lot,
inverted



I've run the scripts as follows:

Script #1

REM From the KB article referred to above: re-grant SELF the rights the Exchange
REM store checks, on the AdminSDHolder template so SDProp copies them to every
REM protected (admin) account. CA = control access (extended right),
REM RPWP = read property + write property on the named property set.
dsacls "cn=adminsdholder,cn=system,dc=sonic,dc=com" /G "\SELF:CA;Send As"
dsacls "cn=adminsdholder,cn=system,dc=sonic,dc=com" /G "\SELF:CA;Receive As"
dsacls "cn=adminsdholder,cn=system,dc=sonic,dc=com" /G "\SELF:CA;Change Password"
dsacls "cn=adminsdholder,cn=system,dc=sonic,dc=com" /G "\SELF:RPWP;Personal Information"
dsacls "cn=adminsdholder,cn=system,dc=sonic,dc=com" /G "\SELF:RPWP;Phone and Mail Options"
dsacls "cn=adminsdholder,cn=system,dc=sonic,dc=com" /G "\SELF:RPWP;Web Information"

Script #2

REM The same six SELF grants again, plus an explicit Send As for the BESAdmin
REM service account. /G appends an ACE each time it runs; the repeated SELF and
REM BESAdmin entries in the dsacls output below are consistent with these grants
REM having been applied more than once.
dsacls "cn=adminsdholder,cn=system,dc=sonic,dc=com" /G "\SELF:CA;Send As"
dsacls "cn=adminsdholder,cn=system,dc=sonic,dc=com" /G "\SELF:CA;Receive As"
dsacls "cn=adminsdholder,cn=system,dc=sonic,dc=com" /G "\SELF:CA;Change Password"
dsacls "cn=adminsdholder,cn=system,dc=sonic,dc=com" /G "\SELF:RPWP;Personal Information"
dsacls "cn=adminsdholder,cn=system,dc=sonic,dc=com" /G "\SELF:RPWP;Phone and Mail Options"
dsacls "cn=adminsdholder,cn=system,dc=sonic,dc=com" /G "\SELF:RPWP;Web Information"
dsacls "cn=adminsdholder,cn=system,dc=sonic,dc=com" /G "\BESAdmin:CA;Send As"


Result found by running: dsacls cn=adminsdholder,cn=system,dc=sonic,dc=com

Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\Documents and Settings\milton>dsacls cn=adminsdholder,cn=system,dc=sonic,dc=com
Access list:
{This object is protected from inheriting permissions from the parent}
Effective Permissions on this object are:
Allow NT AUTHORITY\Authenticated Users               SPECIAL ACCESS
                                                     READ PERMISSONS
                                                     LIST CONTENTS
                                                     READ PROPERTY
                                                     LIST OBJECT
Allow BUILTIN\Administrators                         SPECIAL ACCESS
                                                     DELETE
                                                     READ PERMISSONS
                                                     WRITE PERMISSIONS
                                                     CHANGE OWNERSHIP
                                                     CREATE CHILD
                                                     DELETE CHILD
                                                     LIST CONTENTS
                                                     WRITE SELF
                                                     WRITE PROPERTY
                                                     READ PROPERTY
                                                     LIST OBJECT
                                                     CONTROL ACCESS
Allow SONIC\Enterprise Admins                        SPECIAL ACCESS
                                                     READ PERMISSONS
                                                     WRITE PERMISSIONS
                                                     CHANGE OWNERSHIP
                                                     CREATE CHILD
                                                     DELETE CHILD
                                                     LIST CONTENTS
                                                     WRITE SELF
                                                     WRITE PROPERTY
                                                     READ PROPERTY
                                                     LIST OBJECT
                                                     CONTROL ACCESS
Allow SONIC\Domain Admins                            SPECIAL ACCESS
                                                     READ PERMISSONS
                                                     WRITE PERMISSIONS
                                                     CHANGE OWNERSHIP
                                                     CREATE CHILD
                                                     DELETE CHILD
                                                     LIST CONTENTS
                                                     WRITE SELF
                                                     WRITE PROPERTY
                                                     READ PROPERTY
                                                     LIST OBJECT
                                                     CONTROL ACCESS
Allow NT AUTHORITY\SYSTEM                            FULL CONTROL
Allow BUILTIN\Pre-Windows 2000 Compatible Access     SPECIAL ACCESS
                                                     READ PERMISSONS
                                                     LIST CONTENTS
                                                     READ PROPERTY
                                                     LIST OBJECT
Allow S-1-5-21-781356282-4258199160-2314867737-1332  SPECIAL ACCESS
                                                     LIST CONTENTS
Allow SONIC\Exchange Enterprise Servers              SPECIAL ACCESS
                                                     LIST CONTENTS
Allow BUILTIN\Pre-Windows 2000 Compatible Access     SPECIAL ACCESS for Remote Access Information
                                                     READ PROPERTY
Allow BUILTIN\Pre-Windows 2000 Compatible Access     SPECIAL ACCESS for General Information
                                                     READ PROPERTY
Allow BUILTIN\Pre-Windows 2000 Compatible Access     SPECIAL ACCESS for Group Membership
                                                     READ PROPERTY
Allow BUILTIN\Pre-Windows 2000 Compatible Access     SPECIAL ACCESS for Account Restrictions
                                                     READ PROPERTY
Allow BUILTIN\Pre-Windows 2000 Compatible Access     SPECIAL ACCESS for Logon Information
                                                     READ PROPERTY
Allow S-1-5-21-781356282-4258199160-2314867737-1332  SPECIAL ACCESS for Public Information
                                                     WRITE PROPERTY
                                                     READ PROPERTY
Allow S-1-5-21-781356282-4258199160-2314867737-1332  SPECIAL ACCESS for Personal Information
                                                     WRITE PROPERTY
                                                     READ PROPERTY
Allow S-1-5-21-781356282-4258199160-2314867737-1332  SPECIAL ACCESS for displayName
                                                     WRITE PROPERTY
                                                     READ PROPERTY
Allow SONIC\Exchange Enterprise Servers              SPECIAL ACCESS for Public Information
                                                     WRITE PROPERTY
                                                     READ PROPERTY
Allow SONIC\Exchange Enterprise Servers              SPECIAL ACCESS for Personal Information
                                                     WRITE PROPERTY
                                                     READ PROPERTY
Allow SONIC\Exchange Enterprise Servers              SPECIAL ACCESS for displayName
                                                     WRITE PROPERTY
                                                     READ PROPERTY
Allow SONIC\Cert Publishers                          SPECIAL ACCESS for userCertificate
                                                     WRITE PROPERTY
                                                     READ PROPERTY
Allow BUILTIN\Windows Authorization Access Group     SPECIAL ACCESS for tokenGroupsGlobalAndUniversal
                                                     READ PROPERTY
Allow BUILTIN\Terminal Server License Servers        SPECIAL ACCESS for terminalServer
                                                     WRITE PROPERTY
                                                     READ PROPERTY
Allow NT AUTHORITY\SELF                              SPECIAL ACCESS for Personal Information
                                                     WRITE PROPERTY
                                                     READ PROPERTY
Allow NT AUTHORITY\SELF                              SPECIAL ACCESS for Phone and Mail Options
                                                     WRITE PROPERTY
                                                     READ PROPERTY
Allow NT AUTHORITY\SELF                              SPECIAL ACCESS for Web Information
                                                     WRITE PROPERTY
                                                     READ PROPERTY
Allow NT AUTHORITY\SELF                              SPECIAL ACCESS for Personal Information
                                                     WRITE PROPERTY
                                                     READ PROPERTY
Allow NT AUTHORITY\SELF                              SPECIAL ACCESS for Personal Information
                                                     WRITE PROPERTY
                                                     READ PROPERTY
Allow NT AUTHORITY\SELF                              SPECIAL ACCESS for Personal Information
                                                     WRITE PROPERTY
                                                     READ PROPERTY
Allow NT AUTHORITY\SELF                              SPECIAL ACCESS for Personal Information
                                                     WRITE PROPERTY
                                                     READ PROPERTY
Allow NT AUTHORITY\SELF                              SPECIAL ACCESS for Phone and Mail Options
                                                     WRITE PROPERTY
                                                     READ PROPERTY
Allow NT AUTHORITY\SELF                              SPECIAL ACCESS for Web Information
                                                     WRITE PROPERTY
                                                     READ PROPERTY
Allow NT AUTHORITY\SELF                              SPECIAL ACCESS for Personal Information
                                                     WRITE PROPERTY
                                                     READ PROPERTY
Allow Everyone                                       Change Password
Allow NT AUTHORITY\SELF                              Change Password
Allow NT AUTHORITY\SELF                              Send As
Allow NT AUTHORITY\SELF                              Receive As
Allow NT AUTHORITY\SELF                              Change Password
Allow NT AUTHORITY\SELF                              Receive As
Allow NT AUTHORITY\SELF                              Change Password
Allow NT AUTHORITY\SELF                              Receive As
Allow NT AUTHORITY\SELF                              Change Password
Allow SONIC\BESAdmin                                 Send As
Allow NT AUTHORITY\SELF                              Send As
Allow NT AUTHORITY\SELF                              Receive As
Allow NT AUTHORITY\SELF                              Change Password
Allow SONIC\BESAdmin                                 Send As
Allow NT AUTHORITY\SELF                              Send As
Allow NT AUTHORITY\SELF                              Receive As
Allow NT AUTHORITY\SELF                              Change Password
Allow NT AUTHORITY\SELF                              Send As
Allow NT AUTHORITY\SELF                              Receive As
Allow NT AUTHORITY\SELF                              Change Password
Allow SONIC\BESAdmin                                 Send As

Permissions inherited to subobjects are:
Inherited to all subobjects
Allow S-1-5-21-781356282-4258199160-2314867737-1332  SPECIAL ACCESS
                                                     LIST CONTENTS
Allow SONIC\Exchange Enterprise Servers              SPECIAL ACCESS
                                                     LIST CONTENTS
Allow S-1-5-21-781356282-4258199160-2314867737-1332  SPECIAL ACCESS for Public Information
                                                     WRITE PROPERTY
                                                     READ PROPERTY
Allow S-1-5-21-781356282-4258199160-2314867737-1332  SPECIAL ACCESS for Personal Information
                                                     WRITE PROPERTY
                                                     READ PROPERTY
Allow S-1-5-21-781356282-4258199160-2314867737-1332  SPECIAL ACCESS for displayName
                                                     WRITE PROPERTY
                                                     READ PROPERTY
Allow SONIC\Exchange Enterprise Servers              SPECIAL ACCESS for Public Information
                                                     WRITE PROPERTY
                                                     READ PROPERTY
Allow SONIC\Exchange Enterprise Servers              SPECIAL ACCESS for Personal Information
                                                     WRITE PROPERTY
                                                     READ PROPERTY
Allow SONIC\Exchange Enterprise Servers              SPECIAL ACCESS for displayName
                                                     WRITE PROPERTY
                                                     READ PROPERTY

The command completed successfully

0
Asked by inverted_2000
1 Solution
 
cvvoodCommented:
Not to take the cop-out, but if you've got the Enterprise server with the single license, you can just call BlackBerry for 30 days. I had the same issue and they just hooked me right up.

Simply put, go to the head of your organization in Exchange, and add the Send on Behalf Of permission for the entire domain.
0
 
inverted_2000Author Commented:
I did call RIM on the issue. It didn't seem to correct the sending-on-behalf-of problem. I figured that someone could verify the "dsacls" results so I have something to go back to RIM with, because they were "certain" that it is a sending-on-behalf-of issue.
0
 
SembeeCommented:
Did RIM point you to the KB article that explains what is happening?
http://support.microsoft.com/default.aspx?kbid=912918

The ideal solution of course is to follow the security best practises and remove the Domain Admin permissions from those user accounts.

Simon.
0
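Added example, not code from the original post, from RIM or from Microsoft: a PowerShell check for the two things this thread turns on. It lists who holds the Send As extended right on AdminSDHolder (the template the dsacls dump above was taken from), lists the accounts SDProp stamps with that template (adminCount=1) and whether each is mailbox-enabled, and then checks one protected user to see whether the template has actually propagated to it yet. The caveat a reviewer would want stated plainly: an ACE granted on AdminSDHolder is copied to every protected account in the domain, so "BESAdmin: Send As" on AdminSDHolder lets BESAdmin send as every Domain Admin, Enterprise Admin and the built-in Administrator, not just the handful who carry a BlackBerry. That is why Sembee's recommendation to take the mailbox users out of Domain Admins is the smaller-blast-radius fix. Assumptions: runs on a domain-joined host as an account that can read ACLs; uses System.DirectoryServices only, so it works against a Windows 2003 domain without the ActiveDirectory module; the sample user name "administrator" and the trustee "BESAdmin" are placeholders; the Send As GUID is the schema's well-known controlAccessRight GUID.

```powershell
# Added example, not from the original post. System.DirectoryServices only,
# so it runs from any domain-joined host with PowerShell against a 2003 domain.
# Assumptions: target is the logged-on user's domain; 'BESAdmin' and the
# sample user 'administrator' are placeholders for your own accounts.

# Send As extended right, from the schema's controlAccessRight objects (well known)
$SendAsRight = [Guid]'ab721a54-1e2f-11d0-9819-00aa0040529b'

$rootDse         = [ADSI]'LDAP://RootDSE'
$defaultNC       = [string]$rootDse.defaultNamingContext
$adminSdHolderDn = "CN=AdminSDHolder,CN=System,$defaultNC"

function Get-ExtendedRightGrants {
    # Trustees with an Allow ACE for $RightGuid (or for all extended rights) on $Dn.
    # SDProp copies AdminSDHolder's ACL onto protected accounts as explicit ACEs,
    # so on a stamped user the BESAdmin ACE shows up with Inherited = False.
    param([string]$Dn, [Guid]$RightGuid)
    $entry = [ADSI]"LDAP://$Dn"
    $rules = $entry.ObjectSecurity.GetAccessRules($true, $true,
                 [System.Security.Principal.NTAccount])
    $ext = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    foreach ($r in $rules) {
        if (($r.ActiveDirectoryRights -band $ext) -eq 0) { continue }
        if ($r.ObjectType -ne $RightGuid -and $r.ObjectType -ne [Guid]::Empty) { continue }
        if ($r.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
        New-Object PSObject -Property @{
            Object    = $Dn
            Trustee   = $r.IdentityReference.Value
            AllRights = ($r.ObjectType -eq [Guid]::Empty)   # ACE covers every extended right
            Inherited = $r.IsInherited
        }
    }
}

function Find-Users {
    # LDAP search under the domain NC; returns account name, DN and mailbox flag.
    param([string]$Filter)
    $s = New-Object System.DirectoryServices.DirectorySearcher
    $s.SearchRoot = [ADSI]"LDAP://$defaultNC"
    $s.Filter     = $Filter
    $s.PageSize   = 500
    [void]$s.PropertiesToLoad.AddRange(@('sAMAccountName', 'distinguishedName', 'homeMDB'))
    foreach ($res in $s.FindAll()) {
        New-Object PSObject -Property @{
            Account    = [string]$res.Properties['samaccountname'][0]
            Dn         = [string]$res.Properties['distinguishedname'][0]
            HasMailbox = $res.Properties.Contains('homemdb')   # Exchange mailbox store set
        }
    }
}

function Get-ProtectedAccounts {
    # adminCount=1 marks accounts SDProp has stamped. Every ACE on AdminSDHolder
    # is copied to each of these, mailbox-enabled or not.
    Find-Users -Filter '(&(objectCategory=person)(objectClass=user)(adminCount=1))'
}

function Invoke-SdProp {
    # Force the propagation task on the PDC emulator instead of waiting for the
    # default 60-minute timer. fixUpInheritance is the 2003/2008 rootDSE operational
    # attribute; 2008 R2 and later also accept runProtectAdminGroupsTask.
    $pdc  = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().PdcRoleOwner.Name
    $root = [ADSI]"LDAP://$pdc/RootDSE"
    $root.Put('fixUpInheritance', '1')
    $root.SetInfo()
}

'--- Allow ACEs for Send As on AdminSDHolder (the template SDProp copies) ---'
Get-ExtendedRightGrants -Dn $adminSdHolderDn -RightGuid $SendAsRight |
    Format-Table Trustee, AllRights -AutoSize

'--- Accounts that template is applied to; mailbox-enabled ones are the candidates for separate user/admin accounts ---'
Get-ProtectedAccounts | Sort-Object HasMailbox -Descending |
    Format-Table Account, HasMailbox, Dn -AutoSize

# Has the template reached one protected user yet? Until SDProp runs, the user's
# own ACL can still lack the BESAdmin ACE, and dsacls on AdminSDHolder alone
# will not tell you that. 'administrator' is a placeholder.
$sample = Find-Users -Filter '(sAMAccountName=administrator)' | Select-Object -First 1
if ($sample) {
    "--- Send As grants on $($sample.Dn) ---"
    $grants = @(Get-ExtendedRightGrants -Dn $sample.Dn -RightGuid $SendAsRight)
    $grants | Format-Table Trustee, AllRights, Inherited -AutoSize
    if (-not ($grants | Where-Object { $_.Trustee -like '*\BESAdmin' })) {
        'BESAdmin ACE not propagated yet: run Invoke-SdProp (needs write to rootDSE on the PDC) or wait for the timer.'
    }
}
```

Read the first table as the blast radius of the fix, not just as confirmation that the dsacls command took: each trustee listed there gets Send As on every account in the second table. Once the third section shows the ACE on the user, the Information Store still has to be restarted before it honours the change, which is what the thread ends up finding.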
 
inverted_2000Author Commented:
You bet they did... I do need to restart the server with that information store on it, but I am wondering if that will make a difference.

I also have a handful of accounts that have to be Domain Admins because they are admins. I'll post a little more after I reboot the server.

Thanks for the input nonetheless,
inverted
0
 
SembeeCommented:
You don't need to be a domain admin because you are an admin.
The best practise for network security is to have two accounts - a regular account for day to day work with email and content on your workstation and then an admin account that is used when required. Using a workstation logged in as a domain admin these days is rather foolish because of the chaos it can cause.

Simon.
0
 
inverted_2000Author Commented:
The script was correct, and once I restarted the info store on the Exchange server it started working.
0
 
cvvoodCommented:
You probably only needed to restart the RUS service and its dependent services, but you got the same effect by rebooting the server entirely...

Glad to see it's working...

CvV
0
 
inverted_2000Author Commented:
Actually, it was the Microsoft Exchange Information Store; restarting that made sure that:

dsacls "cn=adminsdholder,cn=system,dc=sonic,dc=com" /G "\BESAdmin:CA;Send As"

took as a command.
0
