Solved

Using DSACLS to modify AdminSDHolder

Posted on 2009-07-10
5
1,028 Views
Last Modified: 2012-05-07
Ok, the short and simple of what I'm trying to do is set up a domain admin's account so that other people within the domain can send as that user.  Reason being is that whenever we have an event here, at the end of the night our folks will generate a report, and then send it off to our clients.  However, it needs to appear as though the report came directly from the owner, so need to have send as permissions for all these folks.  Easiest way that I've figured to do this is create a group that contains everyone that would need to send as the user, then add it to the security for them and check the 'send as' right.  Tricky part that I've run into is the user is a domain admin, so AdminSDHolder removes the group every hour.  I've done some reading and discovered I'll need to use dsacls to get around this.  With that in mind I came up with the following command:

dsacls "cn=AdminSDHolder,cn=system,dc=mydomain,dc=local" /G "netbiosdomain\user:CA;Send As"

What I'd like to know is wether or not I've figured this out right.  By running that command would that allow me to add the security group, check send as, and expect it to stick?  Most everything I've seen so far is in regard to service accounts for blackberries, so seemed a little different than what I'm going for.  Thanks!
0
Comment
Question by:sstoyer
  • 2
  • 2
5 Comments
 
LVL 10

Accepted Solution

by:
abraham808 earned 500 total points
ID: 24825982
Read this: http://support.microsoft.com/kb/907434
It should be fine.  Are you using any accounts from protected groups:

Administrators
Account Operators
Server Operators
Print Operators
Backup Operators
Domain Admins
Schema Admins
Enterprise Admins
Cert Publishers?  

Those rights get reset.
0
 
LVL 40

Expert Comment

by:Subsun
ID: 24826039
Check this MS KB for syntax
http://support.microsoft.com/kb/907434
0
 
LVL 10

Expert Comment

by:abraham808
ID: 24826050
oh yeah theres no space

SendAs
0
 

Author Comment

by:sstoyer
ID: 24826051
Yes, the user that I'm trying to add the rights to is a member of the domain admins group.
0
 

Author Comment

by:sstoyer
ID: 24826723
Ok, think I've had some success here, so gonna post my results for posterity :)  To get this to work correctly I had to run the commands from the kb article with the following line tacked onto the bottom:

dsacls "cn=adminsdholder,cn=system,dc=mydomain,dc=local" /G "\SENDAS:CA;Send As"

Where SENDAS is the group where I've added all the folks that need to send as the user.  After waiting an hour for the reset it looks like the security settings are gonna take.
0

Featured Post

Best Practices: Disaster Recovery Testing

Besides backup, any IT division should have a disaster recovery plan. You will find a few tips below relating to the development of such a plan and to what issues one should pay special attention in the course of backup planning.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Utilizing an array to gracefully append to a list of EmailAddresses
This process describes the steps required to Import and Export data from and to .pst files using Exchange 2010. We can use these steps to export data from a user to a .pst file, import data back to the same or a different user, or even import data t…
In this video we show how to create a Resource Mailbox in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: Navigate to the Recipients >> Resources tab.: "Recipients" is our default selection …
The basic steps you have just learned will be implemented in this video. The basic steps are shown to configure an Exchange DAG in a live working Exchange Server Environment and manage the same (Exchange Server 2010 Software is used in a Windows Ser…

816 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

8 Experts available now in Live!

Get 1:1 Help Now