Yeah, I used to have another blog... I had started including geeky things for people to enjoy randomly. Not sure who enjoys random geeky stuff, but here's one to grow on...
So, you run a BlackBerry Enterprise Server in your organization, and you also run Microsoft Exchange Server 2003. These machines are both part of your Windows 2003 Active Directory domain. Now, you patch your Exchange server with all the latest, greatest patches from Microsoft, and all of a sudden your users cannot SEND from their BlackBerry devices. If you know anything about BlackBerry users, they tend to get upset quickly when something doesn't go their way. So, when they can't send, if you're the network admin, which I am, you're in trouble!!
The long and short of it is this: Microsoft added new security to prevent users from "Sending As" another user. This is already in place by default, but they took extra precautions in recent updates to make this feature harder to work around.
So, then, how can you work around it??? ;-) Two things to do:
1. For non-administrative users... open Active Directory Users and Computers... Choose View > Advanced Features to enable the advanced features. Find each user in AD and open them up, choose the Security tab, add BESAdmin to their ACL and make sure to give that account the Send As permission. The BESAdmin account doesn't need Full Control, just things like Send As, Receive As, etc. In a matter of an hour or two, your users should be able to send email from their BlackBerry mobile devices again.
2. For domain admin accounts, you need to open up the System container, then the AdminSDHolder container... In the properties dialog for the AdminSDHolder container, select the Security tab, then click Advanced and check the "Allow inheritable permissions to propagate" option... Domain Admins should be good to go within 20 minutes to 2 hours, or so. This is described by Microsoft here:
Method 2: Enable inheritance on the adminSDHolder container
If you enable inheritance on the adminSDHolder container, all members of the protected groups have inherited permissions enabled. In terms of security functionality, this method reverts the behavior of the adminSDHolder container back to the pre-Service Pack 4 functionality.
Enabling inheritance on the adminSDHolder container
If you enable inheritance on the adminSDHolder container, one of the two protective access control list (ACL) mechanisms is disabled. The default permissions are applied. However, all members of protected groups inherit permissions from the organizational unit and any parent organizational units if inheritance is enabled at the organizational unit level.
To provide inheritance protection for administrative users, move all administrative users (and other users who require inheritance protection) to their own organizational unit. At the organizational unit level, remove inheritance and then set the permissions to match the current ACLs on the adminSDHolder container. Because the permissions on the adminSDHolder container may vary (for example, Microsoft Exchange Server adds some permissions or the permissions may have been modified), review a member of a protected group for the current permissions on the adminSDHolder container. Be aware that the user interface (UI) does not display all permissions on the adminSDHolder container. Use DSacls to view all permissions on the adminSDHolder container.
You can enable inheritance on the adminSDHolder container by using ADSI Edit or Active Directory Users and Computers. The path of the adminSDHolder container is CN=adminSDHolder,CN=System,DC=<MyDomain>,DC=<Com>
Note If you use Active Directory Users and Computers, make sure that Advanced Features is selected on the View menu.
To enable inheritance on the adminSDHolder container:
1. Right-click the container, and then click Properties.
2. Click the Security tab.
3. Click Advanced.
4. Click to select the Allow Inheritable permissions to propagate to this object and all child objects check box.
5. Click OK, and then click Close.
The next time that the SDProp thread runs, the inheritance flag is set on all members of protected groups. This procedure may take up to 60 minutes. Allow sufficient time for this change to replicate from the primary domain controller (PDC).
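Both steps above are point-and-click in Active Directory Users and Computers, which gets old fast when there are dozens of BlackBerry users. Here is an added PowerShell example (my own, not from the original post, not from RIM or Microsoft) that does the same work with the .NET System.DirectoryServices classes, so it runs from any domain-joined box without the Active Directory module: it grants Send As and Receive As to the BES service account on a user object, lists the accounts that AdminSDHolder protects, and reports whether inheritance on AdminSDHolder is still blocked. The account name, user DN and domain are placeholders. The extended-right GUIDs for Send-As and Receive-As are the well-known schema values. Note the practical caveat the quoted Microsoft text already makes: enabling inheritance on AdminSDHolder switches off one of the two protections on every privileged account in the domain. The function at the end shows the alternative of putting the Send As ACE on the AdminSDHolder object itself, so SDProp copies it to the admin accounts on its next run while inheritance stays blocked; that is my suggestion, not a step from the post.

```powershell
# Added example, not from the original post. Assumes a domain-joined machine with PowerShell
# and the .NET System.DirectoryServices classes; account and DN values below are placeholders.

$besAccount    = 'CONTOSO\BESAdmin'                          # placeholder BES service account
$sendAsGuid    = [Guid]'ab721a54-1e2f-11d0-9819-00aa0040529b' # Send-As extended right
$receiveAsGuid = [Guid]'ab721a56-1e2f-11d0-9819-00aa0040529b' # Receive-As extended right

function Get-AdminSdHolderDn {
    # Build CN=AdminSDHolder,CN=System,<domain DN> from RootDSE instead of hard-coding the domain
    $root = [ADSI]'LDAP://RootDSE'
    "CN=AdminSDHolder,CN=System,$($root.defaultNamingContext)"
}

function Test-AdminSdHolderInheritanceBlocked {
    # $true is the default, protective state; $false means Method 2 above has been applied
    $holder = [ADSI]"LDAP://$(Get-AdminSdHolderDn)"
    [bool]$holder.ObjectSecurity.AreAccessRulesProtected
}

function Get-ProtectedUsers {
    # Accounts SDProp has stamped with adminCount=1 are the ones inheritance will not reach
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = '(&(objectCategory=person)(objectClass=user)(adminCount=1))'
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')
    foreach ($r in $searcher.FindAll()) { [string]$r.Properties['distinguishedname'][0] }
}

function Test-SendAsGranted {
    param([string]$ObjectDN, [string]$Trustee)
    # Read-only check: is there an Allow ACE for the Send-As extended right for this trustee?
    $obj   = [ADSI]"LDAP://$ObjectDN"
    $rules = $obj.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
    foreach ($rule in $rules) {
        if ($rule.IdentityReference.Value -eq $Trustee -and
            $rule.AccessControlType -eq 'Allow' -and
            $rule.ObjectType -eq $sendAsGuid) { return $true }
    }
    return $false
}

function Grant-MailboxSendAs {
    param([string]$ObjectDN, [string]$Trustee)
    # Step 1 of the post: add Send As / Receive As for the BES account, nothing broader
    $obj      = [ADSI]"LDAP://$ObjectDN"
    $identity = New-Object System.Security.Principal.NTAccount($Trustee)
    foreach ($right in @($sendAsGuid, $receiveAsGuid)) {
        $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $identity,
            [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
            [System.Security.AccessControl.AccessControlType]::Allow,
            $right)
        $obj.ObjectSecurity.AddAccessRule($ace)
    }
    $obj.CommitChanges()
}

# --- usage (placeholder DN) ---
$userDN = 'CN=Jane Doe,OU=Users,DC=contoso,DC=com'
if (-not (Test-SendAsGranted -ObjectDN $userDN -Trustee $besAccount)) {
    Grant-MailboxSendAs -ObjectDN $userDN -Trustee $besAccount
}

"AdminSDHolder inheritance blocked: $(Test-AdminSdHolderInheritanceBlocked)"
"Protected accounts (will not pick up per-user ACEs):"
Get-ProtectedUsers

# Alternative to Method 2 for the admin accounts (my suggestion, not from the post):
# grant the ACE on AdminSDHolder itself; SDProp copies it to every protected account on its
# next hourly pass and the inheritance block on those accounts stays in place.
# Grant-MailboxSendAs -ObjectDN (Get-AdminSdHolderDn) -Trustee $besAccount
```

Run the read-only functions first; if `Test-AdminSdHolderInheritanceBlocked` already returns `$false`, someone has applied Method 2 and the Domain Admins' ACLs are no longer being reset by SDProp, which is worth knowing before you start adding ACEs by hand.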