Using DSACLS to modify AdminSDHolder

Ok, the short and simple of what I'm trying to do is set up a domain admin's account so that other people within the domain can send as that user.  Reason being is that whenever we have an event here, at the end of the night our folks will generate a report, and then send it off to our clients.  However, it needs to appear as though the report came directly from the owner, so need to have send as permissions for all these folks.  Easiest way that I've figured to do this is create a group that contains everyone that would need to send as the user, then add it to the security for them and check the 'send as' right.  Tricky part that I've run into is the user is a domain admin, so AdminSDHolder removes the group every hour.  I've done some reading and discovered I'll need to use dsacls to get around this.  With that in mind I came up with the following command:

dsacls "cn=AdminSDHolder,cn=system,dc=mydomain,dc=local" /G "netbiosdomain\user:CA;Send As"

What I'd like to know is whether or not I've figured this out right.  By running that command would that allow me to add the security group, check send as, and expect it to stick?  Most everything I've seen so far is in regard to service accounts for blackberries, so seemed a little different than what I'm going for.  Thanks!
sstoyer Asked:

abraham808 Commented:
Read this: http://support.microsoft.com/kb/907434
It should be fine.  Are you using any accounts from protected groups:

Administrators
Account Operators
Server Operators
Print Operators
Backup Operators
Domain Admins
Schema Admins
Enterprise Admins
Cert Publishers?  

Those rights get reset.
0

Subsun Commented:
Check this MS KB for syntax
http://support.microsoft.com/kb/907434
0
abraham808 Commented:
Oh yeah, there's no space

SendAs
0
sstoyer Author Commented:
Yes, the user that I'm trying to add the rights to is a member of the domain admins group.
0
sstoyer Author Commented:
Ok, think I've had some success here, so gonna post my results for posterity :)  To get this to work correctly I had to run the commands from the kb article with the following line tacked onto the bottom:

dsacls "cn=adminsdholder,cn=system,dc=mydomain,dc=local" /G "\SENDAS:CA;Send As"

Where SENDAS is the group where I've added all the folks that need to send as the user.  After waiting an hour for the reset it looks like the security settings are gonna take.
0
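
Added example (not part of the original thread): the AdminSDHolder ACL is copied onto every account in the protected groups, not only the one mailbox owner, so it is worth checking where the Send As grant actually landed after the hourly reset. The PowerShell below lists explicit Send As ACEs on AdminSDHolder and on each account stamped with adminCount=1; it assumes the RSAT ActiveDirectory module, reuses the thread's placeholder domain DN, and the function name Get-SendAsAce is hypothetical.

```powershell
# Added example: audit explicit Send As ACEs on AdminSDHolder and on protected accounts.
# Assumptions: RSAT ActiveDirectory module is installed; the DN is the thread's placeholder domain.
Import-Module ActiveDirectory

# rightsGuid of the Send-As extended right
$sendAs = [guid]'ab721a54-1e2f-11d0-9819-00aa0040529b'
$holder = 'CN=AdminSDHolder,CN=System,DC=mydomain,DC=local'

# Hypothetical helper: return Allow ACEs that name the Send-As right on one object.
# ACEs that grant all extended rights (empty ObjectType) are not listed here.
function Get-SendAsAce {
    param([Parameter(Mandatory)][string]$DistinguishedName)

    $extended = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    (Get-Acl -Path "AD:\$DistinguishedName").Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ($_.ActiveDirectoryRights -band $extended) -and
            $_.ObjectType -eq $sendAs
        } |
        Select-Object @{ n = 'Object'; e = { $DistinguishedName } },
                      IdentityReference, IsInherited
}

# 1. The template: any trustee listed here is pushed to all protected accounts.
Get-SendAsAce -DistinguishedName $holder

# 2. The accounts the template has been applied to (adminCount=1).
Get-ADUser -LDAPFilter '(adminCount=1)' |
    ForEach-Object { Get-SendAsAce -DistinguishedName $_.DistinguishedName } |
    Sort-Object Object |
    Format-Table -AutoSize
```

Any trustee in the first result should appear against every account in the second; a trustee that shows up on a protected account but not on AdminSDHolder will be removed at the next reset.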