Members of Domain Admins (Protected Group) can not send e-mail from Blackberry. We DID add Send As to the AdminSDHolder object,

Posted on 2008-01-25
Medium Priority
Last Modified: 2008-07-18
I have followed ALL RIM support documents and verified ALL permissions in Exchange, AD, and BES, and I still cannot send e-mail from a Blackberry if the user is a member of a protected group (in this case, domain admins).

I add our BESAdmin account to the AdminSDHolder object and gave it "Send As" permissions. This added it to all of our domain admins and it no longer removes itself after an hour or so.

However, I am still unable to send. I've rebooted the BES, restarted the Information Store on Exchange, shut the BB Router service off for 20min, 2 hours, you name it. I've shut the BB devices themselves off for 2 hours... still no luck.

If I shut the Router service off and then back on... I can send e-mail for about 20min, and then it stops again.

This just started happening recently (apparently from a MS update). I've read all of the threads here to no avail. Any suggestions? Is adding "Send As" to the AdminSDHolder object the same as running that DCACLS.exe tool? I have NOT run that yet since I thought it was the same thing.

Question by:Robinson_Engineering
  • 3

Expert Comment

ID: 20742585
BESAdmin CANNOT be a member of domain admins group.  It wont work until you remove BESAdmin membership of Domain Admins
LVL 26

Expert Comment

by:Gary Cutri
ID: 20744986
I would still try running the DCACLS command.  When you try and send an email and it gets the red X you need to open that message and note the error message at the top.  I assume you will see "Desktop email program unable to submit message " which indicate that your changes to the AdminSDHolder object didn't apply correctly.
LVL 26

Expert Comment

by:Gary Cutri
ID: 20744995

Author Comment

ID: 20745243
I actually ran the DCACLS tool and (so far) it appears to have solved the issue. The 4 users that were experiencing this issue are still members of the Domain Admins group and are now able to send e-mail. So you can't just update the AdminSDHolder object in Windows. You have to run that command-line tool.

I'll keep an eye out and let you know if anything breaks again.

Thanks for all of your help.
LVL 26

Accepted Solution

Gary Cutri earned 1500 total points
ID: 20745321
"So you can't just update the AdminSDHolder object in Windows"

I have found running the DCACLS command is the only way to resolve this issue.

Featured Post

Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Are you in the migration process of your Exchange to Exchange Online? Be aware of customized solutions developed on the transport role on your old Exchange server. They might not be convertible to Exchange Online!
Organisation is organized in a pattern to flow the day to day business, every application and system is interdepended on each other and when very important “Exchange Server downtime” happened.
The basic steps you have just learned will be implemented in this video. The basic steps are shown to configure an Exchange DAG in a live working Exchange Server Environment and manage the same (Exchange Server 2010 Software is used in a Windows Ser…
In this video I will demonstrate how to set up Nine, which I now consider the best alternative email app to Touchdown.

621 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question