Solved

Using DSACLS to modify AdminSDHolder

Posted on 2009-07-10
5
1,005 Views
Last Modified: 2012-05-07
Ok, the short and simple of what I'm trying to do is set up a domain admin's account so that other people within the domain can send as that user.  Reason being is that whenever we have an event here, at the end of the night our folks will generate a report, and then send it off to our clients.  However, it needs to appear as though the report came directly from the owner, so need to have send as permissions for all these folks.  Easiest way that I've figured to do this is create a group that contains everyone that would need to send as the user, then add it to the security for them and check the 'send as' right.  Tricky part that I've run into is the user is a domain admin, so AdminSDHolder removes the group every hour.  I've done some reading and discovered I'll need to use dsacls to get around this.  With that in mind I came up with the following command:

dsacls "cn=AdminSDHolder,cn=system,dc=mydomain,dc=local" /G "netbiosdomain\user:CA;Send As"

What I'd like to know is wether or not I've figured this out right.  By running that command would that allow me to add the security group, check send as, and expect it to stick?  Most everything I've seen so far is in regard to service accounts for blackberries, so seemed a little different than what I'm going for.  Thanks!
0
Comment
Question by:sstoyer
  • 2
  • 2
5 Comments
 
LVL 10

Accepted Solution

by:
abraham808 earned 500 total points
ID: 24825982
Read this: http://support.microsoft.com/kb/907434
It should be fine.  Are you using any accounts from protected groups:

Administrators
Account Operators
Server Operators
Print Operators
Backup Operators
Domain Admins
Schema Admins
Enterprise Admins
Cert Publishers?  

Those rights get reset.
0
 
LVL 40

Expert Comment

by:Subsun
ID: 24826039
Check this MS KB for syntax
http://support.microsoft.com/kb/907434
0
 
LVL 10

Expert Comment

by:abraham808
ID: 24826050
oh yeah theres no space

SendAs
0
 

Author Comment

by:sstoyer
ID: 24826051
Yes, the user that I'm trying to add the rights to is a member of the domain admins group.
0
 

Author Comment

by:sstoyer
ID: 24826723
Ok, think I've had some success here, so gonna post my results for posterity :)  To get this to work correctly I had to run the commands from the kb article with the following line tacked onto the bottom:

dsacls "cn=adminsdholder,cn=system,dc=mydomain,dc=local" /G "\SENDAS:CA;Send As"

Where SENDAS is the group where I've added all the folks that need to send as the user.  After waiting an hour for the reset it looks like the security settings are gonna take.
0

Featured Post

Don't lose your head updating email signatures!

Do your end users still have the wrong email signature? Do email signature updates bore you or fill you with a sense of dread? You can make this a whole lot easier on yourself by trusting an Exclaimer email signature management solution. Over 50 million users do...so should you!

Join & Write a Comment

Local Continuous Replication is a cost effective and quick way of backing up Exchange server data. The following article describes the steps required to configure Local Continuous Replication. Also, the article tells you how to restore from a backup…
This article explains in simple steps how to renew expiring Exchange Server Internal Transport Certificate.
In this video we show how to create an Accepted Domain in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Mail Flow >> Ac…
In this Micro Video tutorial you will learn the basics about Database Availability Groups and How to configure one using a live Exchange Server Environment. The video tutorial explains the basics of the Exchange server Database Availability grou…

747 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now