Blackberry Professional 4.1.4.17 on Exchange 2003

SF_Colorado
SF_Colorado used Ask the Experts™
on
I have an Exchange 2003 server with Blackberry Professional loaded. We have two users on it. The one, was configured over a year ago, and his works fine sending and receiving. The new user we added can receive emails, but when she sends it gives her the notorious, dreaded Red X.

When first deployed she was a member of the Domain Admin group, by mistake, long story. I removed her from the group last week, and stopped the manager and connection service (not the Router service) for an hour... she never reported if it was working or not, so yesterday she text'd me to report that she has never been able to send. I double checked her group memberships, she is Domain Admin free... I then stopped the actual Router service (along with the manager and connection service) for 40 minutes... She still cannot send as of this morning.

The Blackberry account we have on the server is BPSadmin and she is a member of it with full mailbox access, same as the other user who can send.

At this point I am lost! Questions?

 
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Top Expert 2013
Commented:
If the user was previously a domain admin the "inherit permissions" check box would have been disabled under the security tab of the user's profile in active directory. Click on the advanced button to see the option.  Re-enabling this usually repairs the problem, but also make sure the send as permission is set for the blackberry account under the advanced section for the same user. The security tab is only available in active directory if you enable "advanced features" under view on the menu in AD.

Author

Commented:
Check all that over again... made changes. Do I need to stop the Blackberry Router service for ~20 minutes? Does the user need to do something on her end? Still not sending? Should I post any snippets from the logs?

Let me know
In this case you won't need to stop the router service. Do PIN to PIN tests work and have you verified the handheld is properly provisioned for enterprise data service? If you look in options > advanced options, is enterprise activation listed? Also make sure the user isn't part of any other admin groups.


~ CFJ
Ensure you’re charging the right price for your IT

Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden using our free interactive tool and use it to determine the right price for your IT services. Start calculating Now!

Expert of the Quarter 2009
Expert of the Year 2009
Commented:
The simple fact is that if the user is or ever was, a member of a protected group, then the Send As permission will be removed - even if you remove the membership.

You will need to use one of the dacls workarounds to allow the account to be used with Blackberry.

Simon.

Commented:
This is one of those things that people way overcomplicate.  It's not that hard with exchange 2003.

Create a new user called BESadmin and ensure you create a mailbox. Ensure this user is ONLY a member of "Domain users"

Make BESadmin a local Administrator of the BES server  If BES server is a DC, DON'T Make it a domain admin, add it to the administrators group under the "Built-In" container.

Open Exchange System Manager and right mouse click on "DOMAINNAME (Exchange)" and select Delegate Control. Follow the steps and add BESadmin as an Exchange View Only Administrator.

Open Active Directory and from the View menu select "Advanced Features". Then go to each user that will be added to the BES and open their properties, go to the security tab and add the user BESadmin and add the security permission "Send As".


Easy peasy.
Expert of the Quarter 2009
Expert of the Year 2009

Commented:
adam1115 - you haven't understood the question.
This has nothing to do with the besadmin account.
The problem is with the besadmin account being granted Send As permssions to a user who is or was a member of a protected domain account. Exchange will remove the send as permission.

Simon.

Author

Commented:
I ran the DACLS and all... it listed a long list of changes "successfully"... I did this while the router was stopped... after I let it sit for 40 minutes... I realized that no messages have been forwarded in about 6 hours for either users... I can not remember what changes I tried earlier that would have screwed this whole thing up. Where should I start looking, changing, etc.

Thank you
Expert of the Quarter 2009
Expert of the Year 2009

Commented:
The first thing to do is check whether Send As has been removed from the user permissions.
Otherwise go back through the besadmin permissions and ensure they are still set correctly.
I have seen it stop working until all of the Blackberry services have been restarted, so I would suggest that you do that as well.

Simon.

Author

Commented:
I know there has to be something stupid I am missing! I have double checked the permissions, stopped all the services for 30+ minutes, rebooted, slept a little and I still cannot seem to get either device to connect now!

Would it be advisable to maybe... uninstall Blackberry from the server... reboot. Wipe the handhelds clean... reboot them... and start over 100% fresh? Would I want to delete the BESADMIN accounts in hopes that the install will actually recreate them properly?

Any other ideas, comments, suggestion?? Anyone, Anyone, bueller, bueller!

sf
Top Expert 2013

Commented:
Perhaps double check all sendas permissions as per:
https://www.blackberry.com/blackberrytraining/web/SendAs/Source/video/sendAs.html
Page 25 shows the inherited permissions check box I referenced earlier.
However at this point it sounds more serious.

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial