IEMStest.exe No send as permission for ...

Hey,

In the users server profile add besadmin with send as permissions,

I will send the full instructions on how to do it when I find them

Here it is,

In particular, Point 2, but check all the permissions as stated

http://www.blackberry.com/btsc/search.do?cmd=displayKC&docType=kc&externalId=KB02276#Task%202

Brett

Hi blackberry created their own decision tree for the Send As issue.

here it is
http://na.blackberry.com/eng/support/software/sendas.jsp
--
Also
Check your bes services
start > run > services.msc

They should be logging in as
domain\besadmin

not local system account.

Please check that too.

thanks

sunny, I do have the services set to run with the besadmin account.  bpinning that was a good article I did do another command that I did not do before:

[PS] C:\>add-adpermission -inheritedobjecttype User -inheritancetype Descendent
 -ExtendedRights Send-As -user "besadmin" -identity "OU=CA,OU=KMO,DC=scope,DC=l
cal"

this is the OU where i have that Tracy Peters account.  The user is in the First Storage Group, 1st mailbox database.  Here is the get commands for Send As permissions:

[PS] C:\>get-exchangeadministrator |fl

Identity : scope.local/Users/BESAdmin
Scope    : Organization wide
Role     : ViewOnlyAdmin

[PS] C:\>get-mailboxserver "exchsrv2k7" | get-adpermission -user besadmin |fl


User                : SCOPE\BESAdmin
Identity            : EXCHSRV2K7
Deny                : False
AccessRights        : {Self, WriteProperty, GenericRead}
ExtendedRights      :
IsInherited         : False
Properties          :
ChildObjectTypes    :
InheritedObjectType :
InheritanceType     : All

User                : SCOPE\BESAdmin
Identity            : EXCHSRV2K7
Deny                : False
AccessRights        : {ExtendedRight}
ExtendedRights      : {ms-Exch-Store-Admin}
IsInherited         : False
Properties          :
ChildObjectTypes    :
InheritedObjectType :
InheritanceType     : All

User                : SCOPE\BESAdmin
Identity            : EXCHSRV2K7
Deny                : False
AccessRights        : {ExtendedRight}
ExtendedRights      : {Receive-As}
IsInherited         : False
Properties          :
ChildObjectTypes    :
InheritedObjectType :
InheritanceType     : All

User                : SCOPE\BESAdmin
Identity            : EXCHSRV2K7
Deny                : False
AccessRights        : {ExtendedRight}
ExtendedRights      : {Send-As}
IsInherited         : False
Properties          :
ChildObjectTypes    :
InheritedObjectType :
InheritanceType     : All


[PS] C:\>get-mailboxdatabase "EXCHSRV2K7\First Storage Group\1st Mailbox Databas
e" | get-adpermission -user besadmin |fl


User                : SCOPE\BESAdmin
Identity            : EXCHSRV2K7\First Storage Group\1st Mailbox Database
Deny                : False
AccessRights        : {ExtendedRight}
ExtendedRights      : {Send-As}
IsInherited         : True
Properties          :
ChildObjectTypes    :
InheritedObjectType :
InheritanceType     : All

User                : SCOPE\BESAdmin
Identity            : EXCHSRV2K7\First Storage Group\1st Mailbox Database
Deny                : False
AccessRights        : {ExtendedRight}
ExtendedRights      : {Receive-As}
IsInherited         : True
Properties          :
ChildObjectTypes    :
InheritedObjectType :
InheritanceType     : All

User                : SCOPE\BESAdmin
Identity            : EXCHSRV2K7\First Storage Group\1st Mailbox Database
Deny                : False
AccessRights        : {ExtendedRight}
ExtendedRights      : {ms-Exch-Store-Admin}
IsInherited         : True
Properties          :
ChildObjectTypes    :
InheritedObjectType :
InheritanceType     : All

User                : SCOPE\BESAdmin
Identity            : EXCHSRV2K7\First Storage Group\1st Mailbox Database
Deny                : False
AccessRights        : {Self, WriteProperty, GenericRead}
ExtendedRights      :
IsInherited         : True
Properties          :
ChildObjectTypes    :
InheritedObjectType :
InheritanceType     : All

AND WHEN I RUN THE IEMSTEST.EXE I get the same result.  Can you catch the problem???

Can you use procedure 1 from here
http://www.blackberry.com/btsc/search.do?cmd=displayKC&docType=kc&externalId=KB12300

Let me give that a try...

Hows it going ?

Have not had a chance to get on this had some network issues to attend to on Friday.  And took a well needed 3 day off!  getting to it today.  will let you know.

I ran the setsendaspermission.exe utility on my own account and the Tracy Peters account:

C:\>setsendaspermission -a besadmin -u dmartinez@scop.net
Set the Send As Permission in Active Directory tool Version 4.1.2.14
Copyright (c) Research In Motion, Ltd. 2000-2007. All rights reserved.
Modification date: Mar  9 2007

[20000] (09:19:45.966):{0x1980} SMTP address: dmartinez@scop.net
[20000] (09:19:46.437):{0x1980} SUCCESS

C:\>setsendaspermission -a besadmin -u tpeters@scop.net
Set the Send As Permission in Active Directory tool Version 4.1.2.14
Copyright (c) Research In Motion, Ltd. 2000-2007. All rights reserved.
Modification date: Mar  9 2007

[20000] (09:19:54.870):{0x19A0} SMTP address: tpeters@scop.net
[20000] (09:19:55.260):{0x19A0} SUCCESS

and I still get the same thing on the iemstest.exe...

D:\tools>iemstest.exe
BlackBerry Enterprise Server Utility - IEMSTest.exe (IExchangeManageStore), Vers
ion 1.0
Copyright (c) Research In Motion, Ltd. 1999. All rights reserved.
Opening Default Message Store Mailbox - BESAdmin

Tracy Peters: Opening message store using
        /o=SCOPe/ou=First Administrative Group/cn=Recipients/cn=tpeters
        /o=SCOPe/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configura
tion/cn=Servers/cn=EXCHSRV2K7/cn=Microsoft Private MDB
Tracy Peters: Mailbox opened successfully
Tracy Peters: Root Folder opened successfully
Tracy Peters: Folder created successfully
Tracy Peters: Test folder deleted successfully
Tracy Peters: MAPI test completed successfully
Tracy Peters: CDO Server Name: EXCHSRV2K7
Tracy Peters: CDO Mailbox DN: /o=SCOPe/ou=First Administrative Group/cn=Recipien
ts/cn=tpeters
Tracy Peters: CDO logon successful
Tracy Peters: Get default calendar folder successful
Tracy Peters: Get calendar folder name successful: 'Calendar'
Tracy Peters: CDO test completed successfully
Tracy Peters: No Send As permission for the {SCOPE\besadmin} account operator.
Tracy Peters: Initializing EWS Proxy... successful
Tracy Peters: Configuring User... successful
Tracy Peters: EWS calendar find request... failed


I finished the installation of the Blackberry Enterprise express Server setup...  I am just about to start reading the Admin Guide, I have the slightest clue on how to use this...  But in the Installation and Configuration Guide states to run this before completing the installation (page 20).

Can you check this

Open Active Directory Users & Computers
Enable Advanced Features in AD (View, Advanced Features)
Double-click (open) your BESAdmin user
Security tab

See if you have send as / receive as perm's in AD
--
do not run dsacls first before confirming that

source:
http://www.waldrondigital.com/2010/03/04/cannot-activate-user-in-bes-express-iemstest-exe-fails-with-send-as-account-operator-error/

sunnyc7, first let me say thanks for helping me out,  I thought the Send As permission had to be on the object that you were going to have your besadmin send on behalf of... No I do not have the BESadmin account with send As permission.  See attached pictures.  What account in the ACL list to I add?  I add besadmin to the besadmin object???

no pictures here :(

please repost.

here is the picture of the ACL list on the besadmin object
ACL.bmp

I believe I am stuck in the deployment process.  I tried to assciate a device with my account a BlackBerry Bold phone via the BlackBerry Web Desktop Manager and all i get is: "The BlackBerry Web Desktop Manager is unable to complete this action. Please contact your administrator for more information."  I went to look at the RIM Logs and in the BES_CALH log shows this for my account:  

[30000] (09/07 15:49:32.291):{0x1A08} {dmartinez@scop.net} Service::TestAccessToMailbox Soap Exception caught: The server to which the application is connected cannot impersonate the requested user due to insufficient permission.
[30000] (09/07 15:49:32.291):{0x1A08} {dmartinez@scop.net} Diagnosis: The BES service account does not have impersonation rights on the CAS server.
[30000] (09/07 15:49:32.291):{0x1A08} {dmartinez@scop.net} Please consult the BES installation guide for Exchange Server configuration information.

I think I need to get the Send As working for my account so I can get it to work.  Any help or input would be greatful!

try this

Add-ADPermission -Identity (get-exchangeserver).DistinguishedName - User (Get-User -Identity besadmin ¦ select-object).identity -ExtendedRights Send-As

see if it works

sunnyc7

Here is the result:

[PS] C:\>Add-ADPermission -Identity "CN=EXCHSRV2K7,CN=Servers,CN=Exchange Admin
strative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=SCOPe,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=scope,DC=local"  -User besadmin -Exten
edRights Send-As
WARNING: Appropriate ACE is already present on object
"CN=EXCHSRV2K7,CN=Servers,CN=Exchange Administrative Group
(FYDIBOHF23SPDLT),CN=Administrative Groups,CN=SCOPe,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=scope,DC=local" for account
"SCOPE\BESAdmin".

Identity             User                 Deny  Inherited Rights
--------             ----                 ----  --------- ------
EXCHSRV2K7           SCOPE\BESAdmin       False False     Send-As

It stated that it is already there...

ok
the error said the server cannot impersonate.

[30000] (09/07 15:49:32.291):{0x1A08} {dmartinez@scop.net} Service::TestAccessToMailbox Soap Exception caught: The server to which the application is connected cannot impersonate the requested user due to insufficient permission.
[30000] (09/07 15:49:32.291):{0x1A08} {dmartinez@scop.net} Diagnosis: The BES service account does not have impersonation rights on the CAS server.

and when you ran the impersonation cmdlet it says its already there.

Let me think through this.

PS: when did you last restart the server.

I restarted the Exchange Server last night.  And I just rebooted the BESX right now as you just posted your last remark.  I am going to wait the recomended 20 minutes and see if it works again.  Will post with results.

ok

Still the same result on the iemstest.exe  "No Send As permission for the SCOPE\besadmin account operator...  Any input would be greatly appreciated...

Can you download the send as permission tool from here and run it

http://www.blackberry.com/DST2007/patch/manager/SetSendAsPermission.exe

Source:
http://www.blackberry.com/btsc/search.do?cmd=displayKC&docType=kc&externalId=KB12300

C:\>setsendaspermission.exe -a besadmin -u dmartinez@scop.net
Set the Send As Permission in Active Directory tool Version 4.1.2.14
Copyright (c) Research In Motion, Ltd. 2000-2007. All rights reserved.
Modification date: Mar  9 2007

[20000] (08:33:09.629):{0x09EC} SMTP address: dmartinez@scop.net
[20000] (08:33:10.120):{0x09EC} SUCCESS

D:\tools>iemstest.exe
BlackBerry Enterprise Server Utility - IEMSTest.exe (IExchangeManageStore), Ver
ion 1.0
Copyright (c) Research In Motion, Ltd. 1999. All rights reserved.
Opening Default Message Store Mailbox - BESAdmin

Dennis Martinez: Opening message store using
        /o=SCOPe/ou=First Administrative Group/cn=Recipients/cn=dmartinez
        /o=SCOPe/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configur
tion/cn=Servers/cn=EXCHSRV2K7/cn=Microsoft Private MDB
Dennis Martinez: Mailbox opened successfully
Dennis Martinez: Root Folder opened successfully
Dennis Martinez: Folder created successfully
Dennis Martinez: Test folder deleted successfully
Dennis Martinez: MAPI test completed successfully
Dennis Martinez: CDO Server Name: EXCHSRV2K7
Dennis Martinez: CDO Mailbox DN: /o=SCOPe/ou=First Administrative Group/cn=Reci
ients/cn=dmartinez
Dennis Martinez: CDO logon successful
Dennis Martinez: Get default calendar folder successful
Dennis Martinez: Get calendar folder name successful: 'Calendar'
Dennis Martinez: CDO test completed successfully
Dennis Martinez: No Send As permission for the {SCOPE\besadmin} account operato
.
Dennis Martinez: Initializing EWS Proxy... successful
Dennis Martinez: Configuring User... successful
Dennis Martinez: EWS calendar find request... failed

did it work ?

can you try
iemstest.exe

Still failed...

Can you try this

for the besadmin account - check the user is a member of which groups in AD ?
Can you keep it to - just Administrators / Domain Admins and domain users

Remove all other memberships please.

and lets try again.

thanks

Also
Do you have the latest MAPI/CDO for BES ?
What version of MAPI/CDO are you running right now ?

Version 6.5.8165.0

But it says Messaging API and Collaboration Data Object 1.2.1

Sunnyc7

I do appreciate all the help you have given me.  We just had our semi-annual Marketing meeting and we all decided to go with DroidX as their mobile devices and will move away from Blackberries so no need for BESX.  So we can forget about this issue!   Quick question based what you have seen throughout this thread do you believe it was something I missed on the setup or is this some wierd issue.  I did find tha my account is part of the Enterprise Admin so the AdminSDHolder issue does effect my accont but the regular test account of Tracy Peters is just part of the Domain Users Account and the BESAdmin still has the Send As permission but the iemstest.exe still states that it does not have Send As permission.  Anyways thanks for all the help

Well believe me I am relieved that we will now go with AES and not BES! But I will accept your last input as a possible solution...

Did not actually resolve our issue but can direct admins to the right direction.

We went with AES devices and did not go with deploying BESX