[SmoothRunnings]

Under Exchange 2007 SP1, does the BESAdmin user itself need to also have the "xxx8211;accessrights ExtendedRight xxx8211;extendedrights Send-As, Receive-As, ms-Exch-Store-Admin"?

Do the users in the Exchange organization who need to have the BESAdmin user added to their Security tab need the same rights added to the BESAdmin user?

I am looking carefully at the 'Get-MailboxServer | ' commands in the Exchange installation notes and notice that Microsoft has made a few changes to the commands after the "|" since Service Pack 1 for Exchange 2007 that could make it easier to getting BES installed in an Exchange 2007 SP1 environment.

Adding '-Identity "user name"' to the Add-ADPermissions command will add the "-User BESAdmin" and off the rights to the "user name", this could replace step 4 of the tutorial if it's possible to script the command to assing BESAdmin and its righes to the users currently in their Exchange organization.

Removing BESAdmin from the Add-ExchangeAdministrator command and adding '-Identity <mail_server_name>\BESAdmin' at the end of the command completely removes the need for having the "Get-MailboxServer' at all.. Not to mention that entire command listed in the tutorial doesn't work in Exchange 2007 SP1 under SBS 2008.

Andrew

[CarterTan]

In Active Directory, the BESAdmin needs to have the Send as permissions applied in the Domain Level or OU level where all the BlackBerry users are located.

As for Exchange permissions:
1. Send as
2. Receive as
3. Administer Information Store

This is required so that the BESAdmin account will send, receive and administer information store on behalf of all the BlackBerry users.

Exchange-View-Only administrator rights is required so that there will not be any limited MAPI connections for the BESAdmin account.

BTW, installing BES on SBS2008 is not supported at the moment for BES but installing BES in an 2008 AD environment is supported.

[aesajithmu]

If BESAdmin user has permission to read /send and recieve, does it mean using the BESAdmin - the admin could access /read mail of these mailboxes serviced by Blackberry ?
Or is there a way to secure with a two level authentication (say by using user's privledges) ???

[TargetIT]

Quote:

Originally Posted by aesajithmu

If BESAdmin user has permission to read /send and recieve, does it mean using the BESAdmin - the admin could access /read mail of these mailboxes serviced by Blackberry ?
Or is there a way to secure with a two level authentication (say by using user's privledges) ???

Yes, they can read all the email. You prevent that by getting the BES up and running and then not using the BESAdmin account any further, at least not interactively.

[stuwhite]

Quote:

Originally Posted by TargetIT

Yes, they can read all the email. You prevent that by getting the BES up and running and then not using the BESAdmin account any further, at least not interactively.

Absolutely. One thing you don't do is share your besadmin password . As TargetIT says, once up and running you shouldn't need it for any day to day stuff. Make sure your besadmin account doesn't have OWA access .

[knottyrope]

Quote:

Originally Posted by stuwhite

Absolutely. Make sure your besadmin account doesn't have OWA access .

Please clarify on why.

[stuwhite]

Wirelessly posted

Quote:

Originally Posted by knottyrope

Quote:

Please clarify on why.

Coz if you have the same idiotic setup I inherited, you can use owa and BESadmin login to read any mail straight off and send as if you try hard enough ;->

[TargetIT]

True, but that assumes you have the password for the account. If that is widely known, then you got other problems.

[stuwhite]

Quote:

Originally Posted by TargetIT

True, but that assumes you have the password for the account. If that is widely known, then you got other problems.

Agreed but I think it's not uncommon for a few admins to know the password. In these days of SOX we are forced to share this info at some levels, so we need to guard against anyone stumbling on the sheer power of the account.