• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 417
  • Last Modified:

Blackberry Enterprise Send As Issues

I have little knowledge of exactly how Microsoft designed security but I take every opportunity I can to learn; my current issue though has not been a pleasant experience to say the least.  The short story is I'm migrating to BES 5.0.2 and I'm having issues with Send As which I'm sure is no shock to anyone, I mean RIM has a website dedicated to the exact issue (www.blackberry.com/sendas).  I setup the new BES with the suggested account, BESAdmin, and set the Send As permissions according to RIM's Install and Configuration Guide and verified the Send As permission was set at the top level but here's where the issue started.  I migrated two users over to the new BES box and right away they couldn't send from their handsets.  I went back into AD and noticed right away that Send As for BESAdmin had been revoked.  I checked 'allow inheritable permissions' on a domain user and waited 40 minutes, when I came back the check was removed.  My first thought was that user was part of a protected group but they're not...I think.  I added the permission to AdminSDHolder but that revokes permissions as well.

My main question is this, how do I find out if a user is part of a protected group?  RIM is no help at this point, even after being escalated twice.

Any help is greatly appreciated!
0
Ryat66
Asked:
Ryat66
  • 2
1 Solution
 
droydenCommented:
Protect groups are administrators/domain admins etc, if they are part of these groups they may have issues with BES and sendas..
0
 
Ryat66Author Commented:
I wasn't clear at first, my question is whether or not you can create a protected group or does a protected group just refer to the Windows defaults (domain admins, schema admins, etc.)?

I should also mention that the current BES uses the domain admin user as the service account.  According to the company president they've never had an issue with calendar sync or anything else.  Doesn't that seem odd?  According to RIM we should have had issues from day one.

Anyway, that suggests to me that the last person that setup BES went through the same issues I am and finally said <insert expletive> it, I'm going to use 'admin' as the BES service account and call it a day.
0
 
sachin5333Commented:
0
 
sachin5333Commented:
If you want to check for the User and the ssign group,

> Right click on Users AD account
> Go to "Members of"
> The list of group are visible in this pane.

> As a Bes user the user should not be a pert of power and administrative groups.

Also check with the policy, in some cases the policy reflect on the users and it will forcefully remove the special rights assign to users.

Create differant OU in AD and do not allow any policy on that OU.
Create Test user, assign all require rights check after 30 mins. If there are no changes then move BB users to that OU.
0

Featured Post

What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now