Solved

Need an easy way to change security on all AD users

Posted on 2009-07-06
2
288 Views
Last Modified: 2012-05-07
Hi, I just installed BlackBerry Enterprise Server. Part of the install requires granting the besadmin AD account "SendAs" permission to the root of Active Directory.

After I did this I found that the permission was not propagating down to the users. The only way I have found to fix is to go to each user and check the box to allow inheritable permissions from the parent to propagate to this object.

I need an easier way to make this change to ALL of my users at once. The users are spread around in many OUs. I cannot afford to set this on a user by user basis.

Thanks!
0
Comment
Question by:susnewyork
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
2 Comments
 
LVL 20

Accepted Solution

by:
EndureKona earned 250 total points
ID: 24786998
 I usually run an command on the DC to setup send as permissions, BUT this can take up to 90 minutes to take place.

dsacls "cn=adminsdholder,cn=system,dc=youraddomain,dc=local" /G "Domain\BESadmin:CA;Send As"  
0
 
LVL 20

Assisted Solution

by:EndureKona
EndureKona earned 250 total points
ID: 24787094
I usually do this on all the BES servers I work on.    

dsacls in part of the support tools.    I usually stop the BES router service for 20 minutes after running the command.

As you probably figure you need to customize:

dc=youraddomain
dc=local
Domain\BESadmin    
0

Featured Post

Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Always backup Domain, SYSVOL etc.using processes according to Microsoft Best Practices. This is meant as a disaster recovery process for small environments that did not implement backup processes and did not run a secondary domain controller that ne…
After seeing many questions for JRNL_WRAP_ERROR for replication failure, I thought it would be useful to write this article.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…

624 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question