Solved

Send As permissions not propagating to the exchange store?

Posted on 2008-10-13
Last Modified: 2012-05-05
After a new installation of BES 4.1.4 and going through all of the KB articles and how-to's on ensuring that the Send As permissions are created correctly, we still are unable to send an email as another user. The rights are set up correctly and I have troubleshot this issue extensively with RIM; this is definitely not a set-up issue on the BES server side, yet when attempting to send an email from a BlackBerry we still receive the red X when attempting to send emails from the BlackBerry device.

Although the issue that we are experiencing screams that this is a simple issue of Send As not being set up correctly, we have gone over it no less than 15 times and it is not a permissions issue from what I can tell. As a test we created 2 test accounts that are not affected by any GPOs or restrictions, and the Send As does not allow the email to be sent through Outlook, so this would appear to be an Exchange issue, and not a BlackBerry issue.

Does anyone know of a reason that even with the correct permissions set through AD, users would still not be able to Send As other accounts?  

Relevant Event Logs :
ID : 20265
Source : BB Messaging Agent
{BBTEST@ourdomain.com} MAPIMailbox::Send(ppMAPIMessage) - SubmitMessage (0x80070005) failed

(Again the Send As permissions ARE correct and this has even been verified by RIM)

ID : 20000
Source : MNGR
[ExchangeAdaptorDLL::Initialize] Failed to open default message store, result=0x8004011d.

(Not sure if this is tied to the same issue, but I can not find much information to go along with this error and it appears after attempting to send a message from a blackberry.)

Any ideas?
Question by:Azyre
LVL 11

Expert Comment

by:ALogvin
ID: 22706906
I've opened hundreds of cases with RIM. Trust me when I say this... they are only human, and can be wrong too. Based on the information I see here, your BES account does not have the correct permissions.

Here is the BEST way to test.

Log into your BES. Go to the following directory w/ Command Prompt:
C:\Program Files\Research In Motion\BlackBerry Enterprise Server\Utility

There is an app there called IEMSTest.exe; run this. It will pop up a prompt asking which MAPI profile you want to use... choose the one you created for your BES Account. Next it will show your address book... pick a user who is failing to work.

It will run several tests, and spit out the results. This process has absolutely NOTHING to do with BES, it is simply a MAPI test to verify permissions. If it reports errors, I promise you this is a permissions issue.

0
 
LVL 30

Expert Comment

by:LauraEHunterMVP
ID: 22707425
If the users in question are members of any protected groups within Active Directory, such as Account Operators, Backup Operators, or Domain Admins, this behavior is expected and by design.

If this is the case, see the following for details and potential workarounds:
http://msmvps.com/blogs/ulfbsimonweidner/archive/2005/05/29/49659.aspx
http://support.microsoft.com/kb/907434
0
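The protected-group behaviour described in the reply above can be checked on the user object itself. The following is an added example, not code from the thread or from Microsoft or RIM: it reports whether a trustee holds a Send As ACE, whether inheritance is blocked, and whether `adminCount` marks the object as AdminSDHolder-protected. The function name `Test-SendAsAce`, the `EXAMPLE` domain and the sample objects are assumptions; the sample data is constructed so the block runs without a domain.

```powershell
# Added example. Test-SendAsAce, EXAMPLE\besadmin and the sample data are hypothetical.
$SendAsGuid = [guid]'ab721a54-1e2f-11d0-9819-00aa0040529b'   # Send-As extended right

function Test-SendAsAce {
    param(
        [Parameter(Mandatory)] $User,              # needs DistinguishedName, adminCount
        [Parameter(Mandatory)] $Acl,               # Get-Acl result or look-alike object
        [Parameter(Mandatory)] [string] $Trustee   # DOMAIN\account of the service account
    )
    # ACEs for the trustee that cover Send As (specific GUID, or all extended rights).
    $aces = @($Acl.Access | Where-Object {
        "$($_.IdentityReference)" -eq $Trustee -and
        "$($_.ActiveDirectoryRights)" -match 'ExtendedRight' -and
        $_.ObjectType -in @($SendAsGuid, [guid]::Empty)
    })
    $allow = @($aces | Where-Object { "$($_.AccessControlType)" -eq 'Allow' })
    $deny  = @($aces | Where-Object { "$($_.AccessControlType)" -eq 'Deny' })
    $protected = ($User.adminCount -eq 1) -and $Acl.AreAccessRulesProtected

    $verdict =
        if     ($deny.Count)        { 'Deny ACE overrides any Send As grant' }
        elseif (-not $allow.Count)  { 'No Send As ACE for this trustee' }
        elseif ($protected)         { 'ACE present, but object is AdminSDHolder-protected and the ACL will be reset' }
        else                        { 'Send As ACE present and not subject to AdminSDHolder' }

    [pscustomobject]@{
        User               = $User.DistinguishedName
        AdminCount         = $User.adminCount
        InheritanceBlocked = [bool]$Acl.AreAccessRulesProtected
        ExplicitAllow      = @($allow | Where-Object { -not $_.IsInherited }).Count
        InheritedAllow     = @($allow | Where-Object { $_.IsInherited }).Count
        DenyCount          = $deny.Count
        Verdict            = $verdict
    }
}

# Constructed sample: a user left with adminCount=1 and an explicit Send As grant.
$sampleUser = [pscustomobject]@{
    DistinguishedName = 'CN=BBTEST,CN=Users,DC=example,DC=test'; adminCount = 1 }
$sampleAcl = [pscustomobject]@{
    AreAccessRulesProtected = $true
    Access = @([pscustomobject]@{
        IdentityReference = 'EXAMPLE\besadmin'; ObjectType = $SendAsGuid
        ActiveDirectoryRights = 'ExtendedRight'; AccessControlType = 'Allow'; IsInherited = $false })
}
Test-SendAsAce -User $sampleUser -Acl $sampleAcl -Trustee 'EXAMPLE\besadmin'

# Against a live domain (ActiveDirectory module assumed to be installed):
#   $u = Get-ADUser BBTEST -Properties adminCount
#   Test-SendAsAce -User $u -Acl (Get-Acl "AD:\$($u.DistinguishedName)") -Trustee 'EXAMPLE\besadmin'
```

`adminCount` can remain set to 1 after an account leaves a protected group, so checking current group membership alone does not rule this case out.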
 
LVL 3

Author Comment

by:Azyre
ID: 22707531
They are not members of any groups, that has been checked multiple times, and we even went so far as to create 2 users from scratch outside of any OU's to attempt to get this to work. The Send As right is on the account, and I'm pretty knowledgeable on AD rights, the Send As right is set up correctly and is viable on the user container (though that doesn't mean that the right has actually been applied).


Alogvin,
I'll check that utility tomorrow, crazy how RIM never even told me to run it, they were attempting to dump me off on Microsoft, and I really didn't feel like getting in the middle of a finger pointing match.
0
 
LVL 3

Author Comment

by:Azyre
ID: 22710584
I ran that utility and it bombs with the following error. It's similar to the MNGR error posted above. Any clue on how to alleviate the permission error it's spitting? Google and RIM both don't seem to have any relevant information for this one.

C:\Program Files\Research In Motion\BlackBerry Enterprise Server\Utility>iemstest.exe
BlackBerry Enterprise Server Utility - IEMSTest.exe (IExchangeManageStore), Version 1.0
Copyright (c) Research In Motion, Ltd. 1999. All rights reserved.
OpenMsgStore() for this profile failed (8004011d)
0
 
LVL 11

Expert Comment

by:ALogvin
ID: 22711657
Well that does prove it is a permissions issue at least. Now to figure out where to go from there ;)

I know you said the permissions were right. I don't want you to think I'm calling you out here, but all of the evidence does point to that being the case.

Let's check.
Open Exchange System Manager. Expand until you see your Exchange server, right-click on it and hit Properties.
Click on the Security tab, and look for your BES Admin account. Click on it, and make sure these 3 items are checked: Administer Information Store, Send As, Receive As. Now, click on the Advanced button, and verify that the "Allow inheritable permissions from parent to propagate to this object and all child objects" is checked.


My guess is that checkbox under Advanced isn't checked right. Also, verify that the service account that the services on your BES are starting as is your BES Admin account. I've logged into my BES server as my domain profile on accident once during an upgrade and screwed that up ;)
0
 
LVL 3

Author Comment

by:Azyre
ID: 22711819
ALogvin,

All of those permissions are there and set correctly. The besadmin account has the Send As permissions to the user's account, has the Exchange View Administrator right set and they are propagating down to the mailbox level, and the services are running as the besadmin account. This has also been verified by RIM and another admin who is in my company, so incorrect settings are pretty much ruled out. It would appear that what is occurring is the fact that even though the rights appear to be set correctly, and even though the check marks are all in the correct location, the rights are not being applied. We have gone as far as restarting the mail store in an attempt to get the rights to actually take effect as they appear to be set correctly, but are still not actually being applied. And again this is being tested currently with 2 test users created from scratch, so it's not an issue of Exchange stripping the Send As permissions from the accounts either. I really just feel like I'm running into a brick wall on this and don't really know where to take the troubleshooting from here short of giving the ol' M$ a call...
0
 
LVL 11

Expert Comment

by:ALogvin
ID: 22711978
Ok. Log into your BES, and open up the Manager.

Now, open up your log directory, and open up the MNGR log. Do you see something like this:

[30145] (08/10 15:02:33):{0x908} Starting BlackBerry Manager - Version 4.0.5.6
[30146] (08/10 15:02:33):{0x908} Initializing the MailboxManager with profile BlackBerryServer
[40206] (08/10 15:02:33):{0x908} MailboxManager::SubsystemInitialize - Using MAPI profile 'BlackBerryServer'
[20137] (08/10 15:02:33):{0x908} MailboxManager::SubsystemInitialize - g_pSession->OpenMsgStore (0x8004011d)
[10160] (08/10 15:02:34):{0x908} A failure was encountered trying to initialize the BlackBerry Manager.



Maybe it is something wrong w/ the MAPI profile on your BES. That could be it too. If you see the above messages, delete your MAPI profile and recreate it.
0
 
LVL 3

Author Comment

by:Azyre
ID: 22712263
Doesn't seem to be the issue either.

[30000] (10/14 11:25:56.995):{0x1F20} BlackBerry Manager Version 4.1.4.15 starting...
[30000] (10/14 11:25:57.010):{0x1F20} Mailstore Connector initialized.
0
 
LVL 3

Author Comment

by:Azyre
ID: 22720975
I'm going to close this question to remove the blackberry piece as this doesn't work through Exchange, and isn't a RIM issue, but a rights not propagating correctly issue.
0
 
LVL 11

Accepted Solution

by:
ALogvin earned 500 total points
ID: 22721433
I'm glad that you were able to focus your question down to an Exchange/AD issue, however several people (myself included) helped you reach this conclusion. You don't have to grant all of the assigned points, but we did spend our time to help you, and it would be a nice thing to do.
0
