[fltmstr]

I'm running BES 4.1 on a stand-alone box server2k3, and exchange 2003 on another server2k3 box.

Here are a couple of issues I'm having:
-Some users can receive e-mails just fine but cannot send e-mails, they get a red X with the error message "desktop e-mail program unable to submit message." I have triple-checked that my BES admin account has "send on behalf" permissions to these users mailboxes. I have around 25 users so far, and I've setup all the exact same. About 5 are having this problem, the rest work perfectly. I have googled this with the only answer being to make sure the BES admin account has the permission that I verified. It seems that some users report this right is sometimes stripped in Active Directory, but this is not my problem as it has not stripped the BES admin account's rights. I do not know where to begin!

-I found where to create IT policies on BES 4.1 but I need a little help with creating a particular policy if possible. I do not want anyone's "junk e-mail" folder on the exchange server to be on the blackberry. First, is this possible? I know that on each handheld you can set it not to show the junk e-mail folder, but I'd prefer to not have them there period taking up space. However, if that isn't possibly and hiding the folder in the handhelds is the only option, is there a policy that I can set to do this?

Please help... thanks in advance!

[fltmstr]

Sorry, I forgot to include, it's nothing with the handhelds... as some users having problems have the 8830, pearl, and nextel 7100.

[hdawg]

Welcome to BBF!

Quote:

-Some users can receive e-mails just fine but cannot send e-mails, they get a red X with the error message "desktop e-mail program unable to submit message." I have triple-checked that my BES admin account has "send on behalf" permissions to these users mailboxes. I have around 25 users so far, and I've setup all the exact same. About 5 are having this problem, the rest work perfectly. I have googled this with the only answer being to make sure the BES admin account has the permission that I verified. It seems that some users report this right is sometimes stripped in Active Directory, but this is not my problem as it has not stripped the BES admin account's rights. I do not know where to begin!

This is NOT the correct permissions. You need "Send As" I would suggest downloading the install guide and reading through it again.

Quote:

-I found where to create IT policies on BES 4.1 but I need a little help with creating a particular policy if possible. I do not want anyone's "junk e-mail" folder on the exchange server to be on the blackberry. First, is this possible? I know that on each handheld you can set it not to show the junk e-mail folder, but I'd prefer to not have them there period taking up space. However, if that isn't possibly and hiding the folder in the handhelds is the only option, is there a policy that I can set to do this?

By default this won't sync with the HH. If someone adds it, it will. You can't block people from syncing it if they want to.

[fltmstr]

Quote:

Originally Posted by hdawg

Welcome to BBF!



This is NOT the correct permissions. You need "Send As" I would suggest downloading the install guide and reading through it again.



By default this won't sync with the HH. If someone adds it, it will. You can't block people from syncing it if they want to.

Thanks for the welcome and your reply. I have looked at the permissions of a working mailbox vs one that doesn't work, and the permission under the "Exchange Advanced" tab are the exact same. My account "BES Admin" has full mailbox rights.

Here's a screenshot of what I did that populated the permissions (adding send on behalf of which I assume is the same as "send as", I cannot find any permission anywhere that says "send as"), and then a screenshot of the permissions. The second screenshot is of a mailbox that can receive emails but not send... as mentioned though, the permissions look the exact same on both working and non-working mailboxes.






Thanks again for your help.

[gibson_hg]

BESAdmin always has full mailbox rights, that's by default. This issue however is caused by a special permission, Send As. Essentially, BESAdmin needs to have this right explicitly set for all users.

Here is the RIM KB on setting it, there's even a video on fow to do it:

BlackBerry Search Results

Keep in mind these few things when seeting the permission:

1. Any user that DOES NOT have inheritance enabled will not get this permission when set at the Root and /or OU level

2. Any users in Protected Groups (Admins, Domain/Schema/Enterprise Admins, Print/Account/Server Operators, Cert Publishers) have inheritance disbaled and will lose this permission becuase of group membership

The above article has links to the Microsoft KB's for work arounds but the best method is have separate user accounts. So, you are an Admin, you should have an admin account and a regualr user account. That is how Microsoft wants it to be as well. You would then use the regular account for email/BB.

Hope that helps.

[hdawg]

Quote:

Originally Posted by gibson_hg

BESAdmin always has full mailbox rights, that's by default. This issue however is caused by a special permission, Send As. Essentially, BESAdmin needs to have this right explicitly set for all users.

Here is the RIM KB on setting it, there's even a video on fow to do it:

BlackBerry Search Results

Keep in mind these few things when seeting the permission:

1. Any user that DOES NOT have inheritance enabled will not get this permission when set at the Root and /or OU level

2. Any users in Protected Groups (Admins, Domain/Schema/Enterprise Admins, Print/Account/Server Operators, Cert Publishers) have inheritance disbaled and will lose this permission becuase of group membership

The above article has links to the Microsoft KB's for work arounds but the best method is have separate user accounts. So, you are an Admin, you should have an admin account and a regualr user account. That is how Microsoft wants it to be as well. You would then use the regular account for email/BB.

Hope that helps.

Thank you

[fltmstr]

Thanks guys... I think you may have found the problem, the 3 users didn't have inheritable permissions turned on... I'll go try that now.

[fltmstr]

Okay guys, I had 3 accounts that wouldn't work. 2 are working now. For future use, if anyone finds this thread with the same problem, right-click the User in Active Directory, select "Properties." Go to the "Security" tab, click "Advanced..." then put a check in the box that says "Allow inheritable permissions...", do an apply and you're done.

Now, just an fyi... this didn't fix the problem until the users cut off their blackberries and restarted their computers (completely disconnecting outlook.)

Now, I have 1 user that won't work, who is a domain administrator. I don't have my BB activated (I'm the last one to receive my #, glad to know I'm appreciated! ) I should have mine setup today/tomorrow so I can see if that's where the issue is. I remember at one point running across an issue where domain admins were having trouble with their mailboxes. If anyone knows the quick fix, i'm all ears.

[fltmstr]

Odd, if I go into the special permissions I see that admins are denied full mailbox rights... and even though BESAdmin is granted this right, I know that the deny property sits higher in the heirarchy.

Maybe I can turn inheritable permissions off on these users, and set the needed rights individually?




Since I wrote the first part of this post... inheritable permissions were stripped from the account that's an admin. I'm thinking Users cannot send e-mail messages from a mobile device or from a shared mailbox in Exchange 2000 Server and in Exchange Server 2003 has the solution... quite a big mess to read though =]

[hdawg]

That is what you need to read through.

Search for AdminSDHolder too ... Domain Administrator accounts should not have BlackBerry devices ... they are administration accounts ... not user accounts. Follow the principle of least privilege; it keeps me out of trouble.

[fltmstr]

Quote:

Originally Posted by hdawg

That is what you need to read through.

Search for AdminSDHolder too ... Domain Administrator accounts should not have BlackBerry devices ... they are administration accounts ... not user accounts. Follow the principle of least privilege; it keeps me out of trouble.

That's what I'm thinking of doing... just bump the admin accounts down, and use the "generic" admin accounts that I have setup for all administration tasks. Remote desktop is my best friend.