Related documentation for AdminSDHolder Protected Account:
Changes in your environment for the AdminSDHolder account are not supported by BlackBerry.
The documentation below is informational only.
Users cannot send e-mail messages from a mobile device or from a shared mailbox in Exchange 2000 Server and in Exchange Server 2003
Protected Groups:
The "Send As" right is removed from a user object after you configure the "Send As" right in the Active Directory Users and Computers snap-in in Exchange Server
Delegated permissions are not available and inheritance is automatically disabled
Description and Update of the Active Directory AdminSDHolder Object
"Send on behalf" permission is not assigned to a user after you delegate access in Outlook
MS06-019: Vulnerability in Microsoft Exchange Server could allow remote code execution
MS06-029: Vulnerability in Microsoft Exchange Server could allow script injection when Exchange Server runs Outlook Web Access
Versions Affected:
Exchange Server 2003 Service Pack 1 using store build 7233.51 or later
Exchange Server 2003 Service Pack 2 using store build 7650.23 or later
Exchange Server 2000 Service Pack 3 using store build 6619.4 or later
To grant Send As for a single account on all user accounts in an Active Directory domain or container, follow these steps:
1. Start the Active Directory Users and Computers management console.
2. On the View menu, make sure that the Advanced Features option is selected. If this option is not selected, the Security page will not be visible for domain and container objects.
3. Open the properties of the domain or container, and then click the Security page.
4. Click the Advanced button.
5. If the account that needs permission is not already listed, click Add, and then select the account. Otherwise double-click the account for editing.
6. In the Applies Onto list, click User Objects.
7. Grant the account Send As permission.
8. Click OK until you have exited and saved all changes.
Note Microsoft recommends that you do not use accounts that are members of protected groups for e-mail purposes. If you require the rights that are afforded to a protected group, we recommend that you have two Active Directory user accounts. These Active Directory accounts include one user account that is added to a protected group and one user account that is used for e-mail purposes and at all other times.
Enable inheritance on the AdminSDHolder container
Here is a link to more info on AdminSDHolder protected groups:
The "Send As" right is removed from a user object after you configure the "Send As" right in the Active Directory Users and Computers snap-in in Exchange Server
If you enable inheritance on the adminSDHolder container, all members of the protected groups have inherited permissions enabled. In terms of security functionality, this method reverts the behavior of the AdminSDHolder container back to the pre-Service Pack 4 functionality.
You can enable inheritance on the adminSDHolder container by using ADSI Edit or Active Directory Users and Computers. The path of the adminSDHolder container is CN=AdminSDHolder,CN=System,DC=<MyDomain>,DC=<Com>
Note If you use Active Directory Users and Computers, make sure that Advanced Features is selected on the View menu.
To enable inheritance on the adminSDHolder container:
1. Right-click the container, and then click Properties.
2. Click the Security tab.
3. Click Advanced.
4. Click to select the Allow Inheritable permissions to propagate to this object and all child objects check box.
5. Click OK, and then click Close.
The next time the SDProp thread runs, the inheritance flag is set on all members of protected groups. This procedure may take up to 60 minutes. Allow sufficient time for this change to replicate from the primary domain controller (PDC).
ADSIEdit.msc
Microsoft Corporation
If you change the rights or the permissions on the adminSDHolder object for a protected account, a background task will undo the change within several minutes. For example, if you grant the Send As permission on a domain administrator object for an application service account, the background task will automatically revoke the permission.
Note You can control the frequency at which the AdminSDHolder object updates security descriptors by modifying the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\AdminSDProtectFrequency
The default value for the AdminSDProtectFrequency registry entry is 60 minutes. Valid values range from 1 to 120 minutes. You can modify this value if you want to control the frequency for testing purposes.
Therefore, you cannot grant the Send As permission to an application service account for an account that is protected by the adminSDHolder object unless you change the adminSDHolder object itself. If you do change the adminSDHolder object, this will change the access permissions for all protected accounts. You should only change the adminSDHolder object after a complete review of the security implications that may occur with the change.
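Before changing the adminSDHolder object, it helps to see its current state and which protected accounts are affected. The following read-only audit is an added example, not part of the Microsoft or BlackBerry documentation. It assumes the ActiveDirectory PowerShell module (RSAT) is installed, that a populated `mail` attribute marks an account used for e-mail, and that `adminCount=1` identifies accounts stamped by SDProp. The function name `Get-SendAsAce` is hypothetical.

```powershell
# Added example: read-only audit of AdminSDHolder and protected mail accounts.
Import-Module ActiveDirectory

# Rights GUID of the "Send As" extended right.
$SendAsGuid = [guid]'ab721a54-1e2f-11d0-9819-00aa0040529b'

function Get-SendAsAce {
    # Hypothetical helper: returns Allow ACEs that grant Send As on one object.
    param([Parameter(Mandatory)] [string] $DistinguishedName)
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band
            [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
        # An empty ObjectType means "all extended rights", which includes Send As.
        ($_.ObjectType -eq $SendAsGuid -or $_.ObjectType -eq [guid]::Empty)
    } | Select-Object @{n='Object'; e={$DistinguishedName}},
                      IdentityReference, IsInherited
}

$domainDn = (Get-ADDomain).DistinguishedName
$holderDn = "CN=AdminSDHolder,CN=System,$domainDn"

# 1. Has inheritance been enabled on the AdminSDHolder container itself?
$holderAcl = Get-Acl -Path "AD:\$holderDn"
[pscustomobject]@{
    Object             = $holderDn
    InheritanceEnabled = -not $holderAcl.AreAccessRulesProtected
}

# 2. Send As ACEs on AdminSDHolder: SDProp copies these to every protected account.
Get-SendAsAce -DistinguishedName $holderDn

# 3. Protected accounts that are also used for e-mail (the combination the
#    Microsoft note advises against). adminCount can remain 1 after an account
#    leaves a protected group, so confirm group membership before acting.
Get-ADUser -LDAPFilter '(&(adminCount=1)(mail=*))' -Properties mail |
    ForEach-Object {
        $acl = Get-Acl -Path "AD:\$($_.DistinguishedName)"
        [pscustomobject]@{
            Account            = $_.SamAccountName
            Mail               = $_.mail
            InheritanceEnabled = -not $acl.AreAccessRulesProtected
            SendAsTrustees     = (Get-SendAsAce $_.DistinguishedName).IdentityReference -join '; '
        }
    }
```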