[Deftonesman]

So after reading all this post..it appears the permission tool is crap!

I am lucky i only have 8 users, I guess after the uddate, I will just do each individually and reset the send as permission.

[jkbusinessedge]

ok, instead of the tool I just manually did it to the domain. Everyone is sending with no problems except me. My permissions are exactly he same as theirs, only difference is I am one of the Exchange admins. Why am I still getting the unable to send error? I then tried to run the tool and it says

[20000] (09:44:31.825):{0x0FC8} SMTP address: ****@********.com
[20000] (09:44:32.035):{0x0FC8} FAIL
[10000] (09:44:32.035):{0x0FC8} SetSendAsPermission(): Unable to update the NTSe
curityDescriptor

[Deftonesman]

JK, when you did it manually to everyone, what was were steps? Did you just follow the MS document 912918?

[jkbusinessedge]

well, the service account that accesses the mailboxes for bberry was totally gone. I just readded the account, with the send as permissions set. Again it worked for everyone but me. I really do not want to call RIM, there is enough to do already

[rpfeffer]

Quote:

Originally Posted by jkbusinessedge

ok, instead of the tool I just manually did it to the domain. Everyone is sending with no problems except me. My permissions are exactly he same as theirs, only difference is I am one of the Exchange admins. Why am I still getting the unable to send error? I then tried to run the tool and it says

[20000] (09:44:31.825):{0x0FC8} SMTP address: ****@********.com
[20000] (09:44:32.035):{0x0FC8} FAIL
[10000] (09:44:32.035):{0x0FC8} SetSendAsPermission(): Unable to update the NTSe
curityDescriptor

Don't use quotes around the email address.

[jkbusinessedge]

no quotes used

[DarienA]

jk when I was having trouble getting the rights to stick to the domain admins here I followed THIS(link attached recommendation and it worked for me:

Quote:

2 of our system guys drove themselves nuts yesterday trying to get the Send As to work for the Protected Accounts.

What worked today for me was this cmd (stated in an earlier post) run on my PDC Emulator:

dsacls "cn=AdminSDHolder,cn=System,dc=domain,dc=com" /G "domain.com\BlackBerrySA:CA;Send As"

For the most part, configuring the permissions directly on the AdminSDHolder object in the System container to allow BESAdmin Send As for protected groups isn't working for many folks (us included). I think the DSACLS works because it sets permissions that aren't revealed in the GUI Security tab.

For the record and, as a matter of principle, I tried the direct route on the AdminSDHolder object and waited 3 hrs. Thanks for playing buddy but no SOAP.

I ran DSACLS and 2 hrs later I could send mail. I didn't know about the system attendant restart until now or it likely would have been faster.

Bottom line, most of the DST stuff is pretty straight up including the Send As bit if you can wade through the mountains of doc and instructions and cut to the bits that work. We're about done save for the calendar update tool and a few BB devices then we can put it to bed. It's a hassle and a distraction and I for one can't wait to move on.

I'm not sure if this applies to your environment or not.

[jkbusinessedge]

here is what we have found;

Alternatively, we recommend that you do not use accounts that are members of protected groups for e-mail purposes. If you must have the rights that are given to a protected group, we recommend that you have two Active Directory user accounts. These Active Directory accounts include one user account that is added to a protected group, and one user account that is used for e-mail purposes and at all other times.

[DarienA]

Quote:

Originally Posted by jkbusinessedge

here is what we have found;

Alternatively, we recommend that you do not use accounts that are members of protected groups for e-mail purposes. If you must have the rights that are given to a protected group, we recommend that you have two Active Directory user accounts. These Active Directory accounts include one user account that is added to a protected group, and one user account that is used for e-mail purposes and at all other times.

Yeah we've had that talk in various threads, in terms of security what they say is correct.

For my organization however we are small enough that I didn't have an issue just running the dsacls command, however depending on the size of your org, and the folks involves security might be an issue.

You'll have to figure that one out.

[mattk0]

Could someone help clear the cobwebs for me? I'm a little confused. I thought only the besadmin account needed the send as permission, or is every user that needs the permission? Because I've been activating blackberries for a year and never have added the 'send as' permission to any account except when I set up the BES.

Also, when you put an e-mail address for the -u, which address are you putting in? Thanks in advance for any help!

[Gabe Authier]

First off, I want to thank everyone for their input on this thread. It was comforting to know I wasn't the only on pulling my hair out with the "Send As" issue.

I was having the "protected account" issue. All of my other users where sending email fine from there BB's but I was not because I was part of several MS administrative groups. I would set the BES account to have Send As permissions in my User Account Security Tab. Then once replication occurred. I would go back into my user settings and the BES account would no longer be in my user account security settings--long story short because I was part of these "protected groups"--AD was ripping that custom set of permissions out of my user account...

What I ended up having to do to solve the problem was use the Dsacls.exe tool that is located in the MS Support Tools folder on my PDC.

Use the Dsacls.exe tool (MS AD tool) from the command line to resolve the problem as mentioned in MS KB Article 907434.

Once I did this and waited a couple hours I was finally able to send emails from my BB again.

Glad that is over...

[Davidland]

i have been searching for the Dsacls.exe file and can't locate it, unfotunatly i don;t have the disk. Can anyone help with this

Thanks

[citizen782]

dsacls "cn=AdminSDHolder,cn=System,dc=domain,dc=com" /G "domain.com\BlackBerrySA:CA;Send As"

From the Exchange 2003 support toolkit

This is the only option that worked for us to retain the permissions on the protected accounts. It did require that I set the "allow inheiritable permissions from parent" in the advanced securities option for the AdminSDHolder unit. This is because dsacls is applying the permissions through dc=domain,dc=com down.

Then restart the Exchange System Attendant. Allow about 5 mins. for propagation. So far, it hasn't reverted back through a couple of AD polling intervals.