[ohfara]

Set Send as permissions (Please Sticky this)

It’s not hard; I don’t see why people are freaking out about it. Yes it is a huge pain in the ass but isn’t using Microsoft products in definition a huge pain in the ass?



There are 3 places you can set the send as permissions:

The domain level

Organizational Unit level (OU)

User level


Where you decided to set it is up to you but setting at the domain level allows any new user added to active directory no matter where they are place to inherit the send as permission. This is assuming that inheritance is turned on for the user

1:
Open up Active directory users and computers as a user who has permissions (IE a domain admin)

2:
Go to the View menu and select “advanced features“

3:
Decide where you want to set the permission (Domain, OU, User). The procedure is pretty much the same no matter where




Domain level:
Right click on your domain and select properties

Go to the security tab and select the advanced button at the bottom

On the advanced security options select “Add”

Enter in the name of your service account (Besadmin, blackberryadmin, whatever). You do have a service account right?

Use the “Apply onto” drop down and select “user objects”

In the list of permissions below select allow “send as”

DO NOT CHECK “Apply these permissions to object and/or containers within this container only”

Press Ok and keep pressing Ok till you are out of the menus

Wait for replication for your users to inherit the permission

Stop the BlackBerry Router service for 20 minutes to expire the permissions




Organization Unit level:
Right click on your OU and select properties

Go to the security tab and select the advanced button at the bottom

On the advanced security options select “Add”

Enter in the name of your service account (Besadmin, blackberryadmin, whatever) You do have a service account right?

Use the “Apply onto” drop down and select “user objects”

In the list of permissions below select allow “send as”

DO NOT CHECK “Apply these permissions to object and/or containers within this container only”

Press Ok and keep pressing Ok till you are out of the menus

Wait for replication for your users to inherit the permission

Stop the BlackBerry Router service for 20 minutes to expire the permissions





User level:
Right click on your user and select properties

Go to the security tab and select the advanced button at the bottom

On the advanced security options select “Add”

Enter in the name of your service account (Besadmin, blackberryadmin, whatever) You do have a service account right?

Use the “Apply onto” drop down and select “user objects”

In the list of permissions below select allow “send as”

DO NOT CHECK “Apply these permissions to object and/or containers within this container only”

Press Ok and keep pressing Ok till you are out of the menus

Stop the BlackBerry Router service for 20 minutes to expire the permissions





You do not have to set it at all three levels just one will do. Take note if you set it at the Domain or OU level your users must have inheritance turned on to inherit the permission. If it is not (which seems to happen sometimes with some users for no real reason)

Now a word about protected accounts, domain admins, backup operators, print operators, and about 10 other protected accounts have an inherited deny on the send as permissions since the patch last July (which is also included in the DST patches from Microsoft). Microsoft themselves recommend that protected accounts not to have a mailbox associated with them. They recommend that you have two accounts. An account for your protect account tasks (domain admin) and one for daily mailbox stuff.

There are scripts and workarounds from Microsoft that can restore the send as to the protected accounts but that’s another story.

Hope this helps anyone who got caught by this

[dcpuser]

*bump*

I'm going to apply Sp2 for Exchange today and came across this. Not sure why this wasn't stickied. This seems to be important.

[Drifter]

How do I get around the protected accounts restriction? All of my users can send email through their blackberries but the admins cant because we are members of the administrators and domain admins groups.

Thanks

[jchiarchiaro]

ADMINSDHOLDER...

dsacls "cn=AdminSDHolder,cn=System,dc=domain,dc=com" /G "domain.com\BESAdmin:CA;Send As"

Google for adminsdholder and BES to find a lot of info on this.

Worked for us back when we were hit.

Another solution is to strip Domain Admin from the user accounts...

[Drifter]

Quote:

Originally Posted by jchiarchiaro

ADMINSDHOLDER...

dsacls "cn=AdminSDHolder,cn=System,dc=domain,dc=com" /G "domain.com\BESAdmin:CA;Send As"

Google for adminsdholder and BES to find a lot of info on this.

Worked for us back when we were hit.

Another solution is to strip Domain Admin from the user accounts...

Thanks i'll try that now.

[Drifter]

I made the necessary changes to the script and tried it, but i got "The command failed to complete successfully."

[Drifter]

Never mind I got it working. I had to add the following:

Dsacls "cn=adminsdholder,cn=system,dc=corp,dc=domain,dc=com" /G "domain\besadmin:CA;Send As"

Thanks for your help.