BlackBerry Forums Support Community


islanman 01-24-2007 07:27 AM

Problem with BES
 
Hi all:

I'm a newbie BES 4.1.2 admin with 15 handsets to manage. In setting policies for the BES, I think I messed up the "Default Policy" to the point where my users can receive their mail, calendar, etc., but they can't send or reply to email.

When users try to send, they get the message "Desktop Email program unable to submit message." I've searched on RIM's site as well as this forum for answers, and tried all the solutions mentioned, but nothing seems to work. I've created blank IT policies, and pushed them to the handset, but I still can't send or reply to email on the handsets.

I've also downloaded and used jibi's "Default BES IT Policy" Excel spreadsheet to compare my blank policy settings to RIM's default.

I think I must've interfered with a setting that is outside of the policy, but has a global impact on the BES. I can't figure out what it is!

Right now, I'm considering a total BES reinstall, but I want to ensure that I've reached the end of the line and this is my only way out.

Can anyone provide any help?
Can anyone tell me how to create a proper blank, default IT policy? Or even tell me where to get one?
Can anyone tell me what setting I may've changed that has such global effect on the server?


Thanks for all the help

BBAdmin 01-24-2007 07:55 AM

This is likely to be permissions based more than anything. Take a look at this KB:

Users cannot send e-mail messages from a mobile device or from a shared mailbox in Exchange 2000 Server and in Exchange Server 2003

islanman 01-24-2007 08:37 AM

I think I checked this also... I just double checked again, and all seems to be correct and proper.

The only thing I haven't done is apply the "hotfix" mentioned in "Task 3" of the document (running BES for Exch2k3 SP1 btw). I didn't think it would have to go that far! You actually have to get that from M$ft themselves... it's not publicly available.

Any other suggestions?

BBAdmin 01-24-2007 09:25 AM

I have not come across anyone who needed to apply that hotfix, though I would assume someone somewhere on here has had to.

Is there anything going on in Event viewer? Throw us some Event ID's.

islanman 01-24-2007 10:23 AM

Error logs
 
Here are the logs that I see in the App Event Log on the BES when I try to craft a new mesg:


Event Type: Warning
Event Source: BlackBerry Messaging Agent XBES Agent 1
Event Category: None
Event ID: 20265
Date: 1/24/2007
Time: 11:18:36 AM
User: N/A
Computer: XBES
Description:
{john.doe@123ABC.com} MAPIMailbox::Send(ppMAPIMessage) - SubmitMessage (0x80070005) failed

************************************************** ************************************

Event Type: Warning
Event Source: BlackBerry Messaging Agent XBES Agent 1
Event Category: None
Event ID: 20000
Date: 1/24/2007
Time: 11:18:38 AM
User: N/A
Computer: XBES
Description:
{john.doe@123ABC.com} Send() failed: ERR_SUBMIT_MAIL, Tag=13888



I can actually use the handset to search the Address book and everything! All seems to work except email replying and composing.

Let me know if you need anything else from another set of logs.

Thank you so much for your help!
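
Added example, not part of the original thread: a short Python triage of the two Description lines quoted above, splitting the HRESULT `0x80070005` into its severity, facility and code fields. The sample text is constructed from the post; the function names are illustrative.

```python
import re

# Win32 error codes relevant to this thread (values from winerror.h).
WIN32_CODES = {5: "ERROR_ACCESS_DENIED"}
FACILITIES = {0: "FACILITY_NULL", 4: "FACILITY_ITF", 7: "FACILITY_WIN32"}

# Constructed sample: the two Description lines quoted in the post above.
SAMPLE = """\
{john.doe@123ABC.com} MAPIMailbox::Send(ppMAPIMessage) - SubmitMessage (0x80070005) failed
{john.doe@123ABC.com} Send() failed: ERR_SUBMIT_MAIL, Tag=13888
"""

LINE_RE = re.compile(r"^\{(?P<user>[^}]+)\}\s+(?P<msg>.*)$")
HRESULT_RE = re.compile(r"\(0x(?P<hr>[0-9A-Fa-f]{8})\)")


def decode_hresult(value):
    """Split a 32-bit HRESULT into severity, facility and code fields."""
    facility = (value >> 16) & 0x7FF   # bits 16-26
    code = value & 0xFFFF              # bits 0-15
    name = WIN32_CODES.get(code) if facility == 7 else None
    return {
        "failed": bool(value >> 31),   # severity bit
        "facility": FACILITIES.get(facility, str(facility)),
        "code": code,
        "name": name,
    }


def triage(text):
    """Return one finding per log line that carries an HRESULT."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        hr = HRESULT_RE.search(m.group("msg"))
        if not hr:
            continue  # the ERR_SUBMIT_MAIL line carries no HRESULT
        info = decode_hresult(int(hr.group("hr"), 16))
        info["user"] = m.group("user")
        info["permission_issue"] = info["name"] == "ERROR_ACCESS_DENIED"
        findings.append(info)
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

The facility field is 7 (Win32) and the code is 5, which is the Win32 access-denied error, so the failure is an authorization failure at message submission rather than a policy or connectivity problem.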

DKatman 01-24-2007 01:33 PM

But you did make sure there wasn't a problem with the BES account having Send As permission within exchange?

BBAdmin 01-24-2007 01:38 PM

I'm convinced it's a problem with the Send As permission.

islanman 01-24-2007 01:42 PM

From what I'm seeing here, when I checked the error message, it points to a permissions issue.

But when I look at the perms in Exchange, it has "Send As", "Receive As" both ticked under "Allowed".

It's puzzling. I'll attach a sanitized screenshot to validate what I'm saying. Hold on a bit.

Thanks...

islanman 01-24-2007 01:59 PM

Screenshots of Exchange Perms...
 
2 Attachment(s)
Here's the security perms for the server and mailbox store, highlighting the perms for the BESAdmin acct.

islanman 01-24-2007 02:10 PM

Local perms on BES Machine...
 
2 Attachment(s)
...for BESAdmin user.

DKatman 01-24-2007 02:15 PM

I would look in active directory and check that user in particular (although you said it was a bunch of them). Check the permissions of their own user account. Exchange advanced tab - mailbox rights. You won't see send as there, but the special permissions will show. You have to get into it more to see the specific perms.

After that, I would personally just connect them through enterprise activation again.

I had a user come to me the other day who couldn't send or reply. I am not sure how they broke their connection (it was like they erased a service book). I figured it was easier to activate her account again. Because there wasn't much extra to synch (she was receiving messages and synching all other items), it just took a few minutes and everything was fixed.

Good Luck,
Dave

islanman 01-24-2007 02:22 PM

Quote:

Originally Posted by DKatman
I would look in active directory and check that user in particular (although you said it was a bunch of them). Check the permissions of their own user account. Exchange advanced tab - mailbox rights. You won't see send as there, but the special permissions will show. You have to get into it more to see the specific perms.

After that, I would personally just connect them through enterprise activation again.

I had a user come to me the other day who couldn't send or reply. I am not sure how they broke their connection (it was like they erased a service book). I figured it was easier to activate her account again. Because there wasn't much extra to synch (she was receiving messages and synching all other items), it just took a few minutes and everything was fixed.

Good Luck,
Dave

Thanks Dave. I'll give it a look-see and report back on what I find.

islanman 01-24-2007 03:10 PM

Odd...
 
1 Attachment(s)
I go to "AD Users & Computers". Then "View-> Advanced Features".

I select one of the problem users. Go to their "Security" tab. I notice that my BESAdmin account is nowhere on the Security tab. Then I click on the "Advanced" button to view the "special permissions" attached to the account.

Another window opens that shows the "special perms" and "advanced settings". The last tab in this window lists the "Effective Permissions". This lists "the perms that would be granted to a selected user/group based solely on the permissions granted directly through group membership."

I select the "BESAdmin" account to see what perms the BESAdmin has over the problem user account.

Scrolling down through the list, I see that the "Send As" and "Receive As" items are not ticked! Yet, they've been granted that access via Exchange perms! <<See Attached Picture>>.

Can someone check their Exchange2k3 server to see if they see something similar? I'm wondering if this "Effective Permissions" lists both Exch2k3 and Win2k3 AD perms... perhaps it's just the AD perms. This will make more sense then...

Can someone check their Exchange2k3 server to see if they see something similar?

DKatman 01-24-2007 03:46 PM

Still looking, but in the section you looked, I show the same info you do.

Earlier, I was writing about checking under the mailbox rights (you need the exchange console loaded onto the machine to which you are looking to see this info in users and computers). Even there, it does give full permissions to the mailbox (did not say specifically send as).

islanman 01-24-2007 05:12 PM

Okaaay, but...
 
1 Attachment(s)
Dave,

I used the "AD Users & Computers" on the Exch2k3 box when looking at the perms, and for the screenshot.

When I checked "AD U&C" again, my BESAdmin account does not have "Full Control" perms over the problem account. These are AD perms I'm talking about here, not Exchange perms.

When I check the Exchange mailbox rights, I see the "Full Control" you're talking about. <<See Attachment Picture>>>. I checked those by going to the "Exchange Advanced" tab for the user and then clicking the "Mailbox Rights..." button.

If you have the same thing I have, and your deploy is working; but mines isn't... then something else must be the cause!!!

Thanks for your help thus far...

DKatman 01-24-2007 05:37 PM

Mine is the same.

You have rebooted the BES lately right?

I would take someone who is connected and reactivate their account (do the enterprise activation again).

islanman 01-24-2007 05:55 PM

I've rebooted it several times since I saw the issue. Have yet to reactivate someone... that's what I'll try next.

slimbim 01-24-2007 07:08 PM

The permissions should show up in AD for that particular user (you mentioned that they were not ticked in AD). If you have other users who have inherited this permission, but not some users, most likely those user accounts belong to some protected group, in which case AD will revoke the send as permission.

The "Send As" right is removed from a user object after you configure the "Send As" right in the Active Directory Users and Computers snap-in in Exchange Server

islanman 01-25-2007 09:09 AM

This is a Catch-22!
 
The article you mention states that:

"Additionally, user accounts or groups that have been delegated the following roles in Exchange are considered protected:
• Exchange View Only Administrator
• Exchange Administrator
• Exchange Full Administrator"

and that protected groups have the "Send As" right removed as part of usual operations.

But the BESAdmin acct has to have "Exchange View Only Administrator" rights for the whole BB system to work. If it's granted the right, the OS should remove it periodically... which isn't what happens to most ppl!

Something else is my issue besides the perms. I need help in finding out what that is....

islanman 01-25-2007 02:27 PM

Solved the problem. "Permissions" was the issue, but not in the way I expected it!
 
Now I'm as happy as 10,000 larks!

I took my search for an answer to Google Groups, where I found this gem of a solution.

Summarized it here:

To associate a mailbox with an account that is protected by the
adminSDHolder object, follow these steps:

1. Start the Active Directory Users and Computers management console.
2. On the View menu, make sure that the Advanced Features option is
selected. If this option is not selected, the Security page will not
be visible for User account objects.
3. Create an ordinary user account to act as the mailbox owner.
4. Assign the ordinary user account a mailbox on an Exchange server.
5. Open the properties of the new mailbox owner account.
6. In the Exchange Advanced box, grant the Full Mailbox Access
permission to the protected administrator account.
7. In the Security page, grant the Send As permission to the protected
administrator account.
8. Click OK to exit the properties of the mailbox owner object.
9. Right-click the mailbox owner account object, and then click
Disable Account to disable the account for all logons.


In other words, I had to go to the individual users in "AD U & C", add the BESAdmin account to the Security tab, and grant them the "Send As" and "Receive As" permissions.

I then replicated my AD to push the changes thru my domain controllers, and I rebooted my BES for good measure.

Since it came up (about an hour ago) I've been able to send/reply to email from the handset.

Thanks to all who've helped me along the way... MUCH Appreciated!
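
Added example, not part of the original thread: a Python audit of the per-user "Send As" grant described in the post above, run over user-object DACLs exported as SDDL strings. The export itself, the user names and the BESAdmin SID are constructed for illustration; `adminCount = 1` is used as the marker of an AdminSDHolder-protected account, and only ACEs naming the service account directly are considered (group membership is not resolved).

```python
import re

SEND_AS = "ab721a54-1e2f-11d0-9819-00aa0040529b"  # Send-As extended-right GUID
BES_SID = "S-1-5-21-1111111111-2222222222-3333333333-1105"  # hypothetical BESAdmin SID

# Constructed export, not real data: (user, adminCount, DACL as SDDL).
USERS = [
    ("alice", 0, f"D:AI(OA;;CR;{SEND_AS};;{BES_SID})(A;;RPWP;;;DA)"),
    ("bob", 1, "D:PAI(A;;RPWPCR;;;DA)"),
    ("carol", 0, f"D:AI(OD;;CR;{SEND_AS};;{BES_SID})(OA;;CR;{SEND_AS};;{BES_SID})"),
]

ACE_RE = re.compile(r"\(([^()]*)\)")


def send_as_state(sddl, trustee):
    """Return 'allowed', 'denied' or 'missing' for trustee's Send As right."""
    state = "missing"
    for ace in ACE_RE.findall(sddl):
        fields = ace.split(";")
        if len(fields) != 6:
            continue
        ace_type, _flags, rights, guid, _inherit_guid, sid = fields
        if sid != trustee or ace_type not in ("A", "D", "OA", "OD"):
            continue
        # Rights are two-letter codes; CR is "control access" (extended rights).
        codes = {rights[i:i + 2] for i in range(0, len(rights), 2)}
        # An empty object GUID means the ACE covers every extended right.
        if "CR" not in codes or guid.lower() not in ("", SEND_AS):
            continue
        if ace_type in ("D", "OD"):
            return "denied"  # an explicit deny outranks any allow
        state = "allowed"
    return state


def audit(users, trustee=BES_SID):
    """List users where the trustee cannot Send As, noting protected ones."""
    report = []
    for name, admin_count, sddl in users:
        state = send_as_state(sddl, trustee)
        if state != "allowed":
            report.append((name, state, admin_count == 1))
    return report


if __name__ == "__main__":
    for name, state, protected in audit(USERS):
        print(f"{name}: Send As {state}; adminCount=1: {protected}")
```

Rerunning such a check after the next AdminSDHolder propagation cycle shows whether a manually added grant on a protected account has been reset.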

