
Members of Domain Admins (Protected Group) cannot send e-mail from Blackberry. We DID add Send As to the AdminSDHolder object

I have followed ALL RIM support documents and verified ALL permissions in Exchange, AD, and BES, and I still cannot send e-mail from a Blackberry if the user is a member of a protected group (in this case, domain admins).

I added our BESAdmin account to the AdminSDHolder object and gave it "Send As" permissions. This added it to all of our domain admins and it no longer removes itself after an hour or so.

However, I am still unable to send. I've rebooted the BES, restarted the Information Store on Exchange, shut the BB Router service off for 20 min, 2 hours, you name it. I've shut the BB devices themselves off for 2 hours... still no luck.

If I shut the Router service off and then back on... I can send e-mail for about 20 min, and then it stops again.

This just started happening recently (apparently from a MS update). I've read all of the threads here to no avail. Any suggestions? Is adding "Send As" to the AdminSDHolder object the same as running that DCACLS.exe tool? I have NOT run that yet since I thought it was the same thing.

THANKS!

BESAdmin CANNOT be a member of domain admins group. It won't work until you remove BESAdmin membership of Domain Admins
Gary Cutri, Data & Communications Specialist

Commented:
I would still try running the DCACLS command. When you try and send an email and it gets the red X you need to open that message and note the error message at the top. I assume you will see "Desktop email program unable to submit message", which indicates that your changes to the AdminSDHolder object didn't apply correctly.
Gary Cutri, Data & Communications Specialist

Commented:
I actually ran the DCACLS tool and (so far) it appears to have solved the issue. The 4 users that were experiencing this issue are still members of the Domain Admins group and are now able to send e-mail. So you can't just update the AdminSDHolder object in Windows. You have to run that command-line tool.

I'll keep an eye out and let you know if anything breaks again.

Thanks for all of your help.
Data & Communications Specialist
Commented:
"So you can't just update the AdminSDHolder object in Windows"

I have found running the DCACLS command is the only way to resolve this issue.
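
A read-only check for the state discussed in this thread, as an added example that is not from any poster: it reports whether a direct "Send As" ACE for the BlackBerry service account exists on the AdminSDHolder object and on every account flagged `adminCount=1`. It assumes the ActiveDirectory PowerShell module is installed, and `CONTOSO\BESAdmin` is a placeholder account name.

```powershell
# Added example (not from the thread). Read-only: it changes no permissions.
# Assumption: CONTOSO\BESAdmin is a placeholder; substitute the real service account.
Import-Module ActiveDirectory

$SendAsGuid = [guid]'ab721a54-1e2f-11d0-9819-00aa0040529b'   # Send-As extended right
$Account    = 'CONTOSO\BESAdmin'

function Get-SendAsState {
    param([string]$DistinguishedName, [string]$Identity)

    # ACEs granted directly to $Identity that cover Send As: either the specific
    # extended right, or "all extended rights" (empty ObjectType GUID).
    # ACEs reaching the account through group membership are not evaluated here.
    $rules = (Get-Acl -Path "AD:\$DistinguishedName").Access | Where-Object {
        $_.IdentityReference.Value -eq $Identity -and
        ($_.ActiveDirectoryRights -band
            [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
        ($_.ObjectType -eq $SendAsGuid -or $_.ObjectType -eq [guid]::Empty)
    }

    [pscustomobject]@{
        Object      = $DistinguishedName
        AllowSendAs = [bool]($rules | Where-Object AccessControlType -eq 'Allow')
        DenySendAs  = [bool]($rules | Where-Object AccessControlType -eq 'Deny')
        Inherited   = [bool]($rules | Where-Object IsInherited)
    }
}

# AdminSDHolder is the template whose ACL is stamped onto protected accounts.
$domainDn = (Get-ADDomain).DistinguishedName
$targets  = @("CN=AdminSDHolder,CN=System,$domainDn")

# Protected accounts carry adminCount=1 (Domain Admins members among them).
$targets += @(Get-ADUser -LDAPFilter '(adminCount=1)' |
              Select-Object -ExpandProperty DistinguishedName)

# One row per object: the template first, then each protected user.
$targets | ForEach-Object {
    Get-SendAsState -DistinguishedName $_ -Identity $Account
}
```

A row where `AllowSendAs` is true on AdminSDHolder but false on a protected user means the template ACL has not yet been applied to that account; a true `DenySendAs` on any row is worth investigating first, since a deny entry can override the grant.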
