Members of Domain Admins (Protected Group) can not send e-mail from Blackberry. We DID add Send As to the AdminSDHolder object,

I have followed ALL RIM support documents and verified ALL permissions in Exchange, AD, and BES, and I still cannot send e-mail from a Blackberry if the user is a member of a protected group (in this case, domain admins).

I add our BESAdmin account to the AdminSDHolder object and gave it "Send As" permissions. This added it to all of our domain admins and it no longer removes itself after an hour or so.

However, I am still unable to send. I've rebooted the BES, restarted the Information Store on Exchange, shut the BB Router service off for 20min, 2 hours, you name it. I've shut the BB devices themselves off for 2 hours... still no luck.

If I shut the Router service off and then back on... I can send e-mail for about 20min, and then it stops again.

This just started happening recently (apparently from a MS update). I've read all of the threads here to no avail. Any suggestions? Is adding "Send As" to the AdminSDHolder object the same as running that DCACLS.exe tool? I have NOT run that yet since I thought it was the same thing.

Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

BESAdmin CANNOT be a member of domain admins group.  It wont work until you remove BESAdmin membership of Domain Admins
Gary CutriData & Communications SpecialistCommented:
I would still try running the DCACLS command.  When you try and send an email and it gets the red X you need to open that message and note the error message at the top.  I assume you will see "Desktop email program unable to submit message " which indicate that your changes to the AdminSDHolder object didn't apply correctly.
Gary CutriData & Communications SpecialistCommented:
Robinson_EngineeringAuthor Commented:
I actually ran the DCACLS tool and (so far) it appears to have solved the issue. The 4 users that were experiencing this issue are still members of the Domain Admins group and are now able to send e-mail. So you can't just update the AdminSDHolder object in Windows. You have to run that command-line tool.

I'll keep an eye out and let you know if anything breaks again.

Thanks for all of your help.
Gary CutriData & Communications SpecialistCommented:
"So you can't just update the AdminSDHolder object in Windows"

I have found running the DCACLS command is the only way to resolve this issue.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.