User's security settings keep reverting back to previous settings

Hi all,

A user at my company has recently migrated to using a Blackberry device.  For this to work correctly they need to have the 'Send As' permission granted to the BESAdmin account used by the Blackberry Enterprise Server software.  No worries there.

I've granted the appropriate permissions and things work fine for a while.  Then, after a seemingly random period of time, the permissions I set are reverting back to what they were before I made the changes.  I'm setting inheritance on the account's security as the correct permissions are defined at the OU parent level and are being applied to everyone else in this user's OU.  They're getting the settings too but only for a while.

It's not Group Policy as I have the same policies applied to me and my Blackberry device works fine.  I've trawled through 'gpresult' to see if any settings are not being applied but everything looks fine there.  FRS, DNS and all other AD replication-related aspects of our AD are working fine.  There are no scheduled tasks anywhere that might be changing these permissions - I thought that might be something set up by an admin before me but that's not the case.

How else can security settings revert back to previous settings if it's not Group Policy causing it and if the user's account has been told to inherit from the parent settings?

And, just to make things worse, it's our CEO's account with the problem ... yeesh.

Can anyone help or make suggestions?  It's worth 500 points to me so I'm willing to hear anything y'all have to say.  :)

Cheers
Asked by Number5ix

1 Solution

kieran_b commented:
Why not set the mailbox permissions on the exchange server itself, as opposed to an OU?

Give Besadmin sendas rights to every mailbox on the server.

http://www.petri.co.il/grant_full_mailbox_rights_on_exchange_2000_2003.htm (not exactly what you want to do, but a good guide on how it works)

>>And, just to make things worse, it's our CEO's account with the problem ... yeesh.

It always is :)

Malli Boppe commented:
Go through these links; they have some useful info about domain admin accounts which have Send As permissions.
http://support.microsoft.com/kb/912918
http://episteme.arstechnica.com/eve/forums/a/tpc/f/12009443/m/833004619731/r/388001719731 

Number5ix (Author) commented:
kieran_b: Thanks for your response.  :)  Unfortunately the article you reference in your comment grants the rights that our BESAdmin account already has, i.e. Full Mailbox Access to the CEO's account.

mboppe: Thanks for the links but unfortunately I've already read through those and the information they contain didn't help.  :(

Our Exchange server already has the Send As patch applied by the way.

Malli Boppe commented:
Is the BESadmin account a domain admin?
 
0
 
Number5ixAuthor Commented:
mboppe: Nope, BESAdmin isn't a domain admin - it doesn't need to be.

Malli Boppe commented:
Yeah, totally agree with you, just checking.

Number5ix (Author) commented:
It's a weird problem, that's for sure.  I can't find anything that might be causing these changes ...

kieran_b commented:
So hang on, if the permissions as per the petri link are correct, why do you care what shows on the user account?  I am assuming that bes is breaking, but just want to check :)

Number5ix (Author) commented:
kieran_b: Hehe yes, BES is breaking but only for this 1 user.  The BESAdmin account already has Full Mailbox Access rights to the mailbox in question.  The 'Send As' permission on the user side of things is a requirement from the BES documentation and without it I know that BES is unable to redirect email from Exchange to a BB device.  As I said before the permissions are set correctly for everyone else including other users in the same OU as this user.  I set inheritance and it corrects everything but that inheritance gets REMOVED after a random period of time - that's the part I can't work out.  :)

ALogvin commented:
If this user is a domain admin, you need to add the permissions to the "adminSDHolder" object in Active Directory. The permissions on this object are forced upon the domain admins every hour to prevent people from messing around with those accounts.

dsacls "cn=adminsdholder,cn=system,dc=domainname,dc=com" /G "domainname\BlackberrySA:CA;Send As"

Number5ix (Author) commented:
ALogvin: Thanks for your reply.  None of the users involved in this implementation are Domain Admins though so this wouldn't apply to this situation.  A lot of people make the mistake of making their BESAdmin account a Domain Admin and therefore open up security holes so I can definitely understand your comment.  Thanks though!

Number5ix (Author) commented:
ALogvin: Your comment has actually pointed me in the direction of what I think is probably the fix.  While the user in question is not a Domain Admin he was in the Enterprise Admins group (as well as Domain Controllers - can you believe that?)  This was obviously done by a previous administrator who has no idea how to look after AD but is almost definitely the cause of these issues.  If everything is ok shortly I'll come back and accept your answer.  Thanks again.

Number5ix (Author) commented:
Solution wasn't the exact fix for my issue but assisted in finding the correct fix, i.e. removing the affected user from groups they shouldn't have been in.
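As an added example that is not part of the thread, here is a PowerShell check for the condition ALogvin and the asker describe: the account being stamped by AdminSDHolder/SDProp because it sits (possibly via nesting) in a protected group. It assumes the RSAT ActiveDirectory module and the default protected-group names; the account name in the usage line is a placeholder.

```powershell
# Added example, not code from the thread: checks whether an account is under
# AdminSDHolder/SDProp protection, which is what silently re-applies the ACL.
# Assumes the RSAT ActiveDirectory module; group names are the default protected set.
Import-Module ActiveDirectory

# Default protected groups on 2003/2008-era domains (adjust for your forest).
$ProtectedGroups = @(
    'Administrators', 'Account Operators', 'Server Operators', 'Print Operators',
    'Backup Operators', 'Replicator', 'Domain Admins', 'Domain Controllers',
    'Enterprise Admins', 'Schema Admins', 'Read-only Domain Controllers'
)

function Get-SdPropStatus {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $user = Get-ADUser -Identity $SamAccountName -Properties adminCount, nTSecurityDescriptor
    $dn   = $user.DistinguishedName

    # Transitive group membership (LDAP_MATCHING_RULE_IN_CHAIN), so nesting is caught too.
    $groups = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$dn)" |
              Select-Object -ExpandProperty Name
    $hits = @($groups | Where-Object { $ProtectedGroups -contains $_ })

    [pscustomobject]@{
        User                 = $user.SamAccountName
        AdminCount           = $user.adminCount   # 1 means SDProp has stamped this account
        InheritanceBlocked   = $user.nTSecurityDescriptor.AreAccessRulesProtected
        ProtectedMemberships = $hits
        # adminCount=1 but no protected membership: SDProp no longer touches the account,
        # yet it keeps the stamped ACL until adminCount is cleared and inheritance re-enabled.
        Orphaned             = ($user.adminCount -eq 1 -and $hits.Count -eq 0)
    }
}

# Domain-wide sweep: every account SDProp has ever stamped, with its current status.
function Find-StampedAccounts {
    Get-ADUser -LDAPFilter '(adminCount=1)' |
        ForEach-Object { Get-SdPropStatus -SamAccountName $_.SamAccountName }
}

# Example (placeholder account name):
# Get-SdPropStatus -SamAccountName 'ceo.user' | Format-List
```

Removing the account from the protected group stops SDProp from re-stamping it but does not undo the stamp: clear adminCount (`Set-ADUser <user> -Clear adminCount`) and re-enable inheritance on the object afterwards, otherwise the blocked inheritance the asker saw stays in place.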