Using DSACLS to modify AdminSDHolder
Posted on 2009-07-10
Ok, the short and simple of what I'm trying to do is set up a domain admin's account so that other people within the domain can send as that user. Reason being is that whenever we have an event here, at the end of the night our folks will generate a report, and then send it off to our clients. However, it needs to appear as though the report came directly from the owner, so need to have send as permissions for all these folks. Easiest way that I've figured to do this is create a group that contains everyone that would need to send as the user, then add it to the security for them and check the 'send as' right. Tricky part that I've run into is the user is a domain admin, so AdminSDHolder removes the group every hour. I've done some reading and discovered I'll need to use dsacls to get around this. With that in mind I came up with the following command:
dsacls "cn=AdminSDHolder,cn=system,dc=mydomain,dc=local" /G "netbiosdomain\user:CA;Send As"
What I'd like to know is wether or not I've figured this out right. By running that command would that allow me to add the security group, check send as, and expect it to stick? Most everything I've seen so far is in regard to service accounts for blackberries, so seemed a little different than what I'm going for. Thanks!