BlackBerry Forums Support Community
              

Closed Thread
 
Thread Tools
Old 08-11-2009, 09:24 AM   #1
gloowee
New Member
 
Join Date: Aug 2009
Model: 7100t
PIN: N/A
Carrier: mts
Posts: 14
Default Bes On A Standalone Server

Please Login to Remove!

Hi friends. Newbie to BES here.

I've setup BES 5.0 for Exchange 2007. I have experienced some issues that I'll work out with the help & suggestions in the other threads.

My question today is has anyone tried setting BES 5.0 up on a standalone server? Meaning, does the machine have to be a member of the domain? If so, what did you discover? Does it work?

The reason I ask this is because the BESAdmin account is running as a service and is also a domain admin. Since all domain computers trust the BES server because it's part of the domain, if someone got control of the BESAdmin account then that'd be game over.
Offline  
Old 08-11-2009, 09:31 AM   #2
skyman84
CrackBerry Addict
 
skyman84's Avatar
 
Join Date: Sep 2008
Location: London, UK
Model: 9900
OS: 7.1
PIN: ask!
Carrier: O2 UK
Posts: 932
Default

Then why make the besadmin account a domain admin account?
__________________
Simon
http://www.twitter.com/simonjhardy
Offline  
Old 08-11-2009, 09:36 AM   #3
penguin3107
BlackBerry God
 
penguin3107's Avatar
 
Join Date: Jan 2005
Model: iOS 5
Carrier: VZW
Posts: 11,701
Default

Quote:
Originally Posted by gloowee View Post
the BESAdmin account is running as a service and is also a domain admin.
Why would you do this?
__________________
BCSA
BES 5.0.3 MR4 :-: Exchange 2007 SP3 RU3
http://port3101.org
Offline  
Old 08-11-2009, 09:46 AM   #4
gloowee
New Member
 
Join Date: Aug 2009
Model: 7100t
PIN: N/A
Carrier: mts
Posts: 14
Default

I'm pretty sure the setup tutorial said to put the besadmin account in the group "administrators" at the domain level.
Offline  
Old 08-11-2009, 09:48 AM   #5
skyman84
CrackBerry Addict
 
skyman84's Avatar
 
Join Date: Sep 2008
Location: London, UK
Model: 9900
OS: 7.1
PIN: ask!
Carrier: O2 UK
Posts: 932
Default

No no, the BESAdmin account needs to be a local admin on the BES server it's self only, not the domain.

It does need access to the mailfiles of the mail system your using, but as far as AD admin rights go, only local admin access to the server is sits on, and the ability to run as a service.
__________________
Simon
http://www.twitter.com/simonjhardy
Offline  
Old 08-11-2009, 09:48 AM   #6
penguin3107
BlackBerry God
 
penguin3107's Avatar
 
Join Date: Jan 2005
Model: iOS 5
Carrier: VZW
Posts: 11,701
Default

Quote:
Originally Posted by gloowee View Post
I'm pretty sure the setup tutorial said to put the besadmin account in the group "administrators" at the domain level.
No, it doesn't. The BES Service Account shouldn't be a Domain Admin.
It should be a local admin on the BES.
__________________
BCSA
BES 5.0.3 MR4 :-: Exchange 2007 SP3 RU3
http://port3101.org
Offline  
Old 08-11-2009, 10:03 AM   #7
CanuckBB
BlackBerry Extraordinaire
 
CanuckBB's Avatar
 
Join Date: Feb 2006
Location: YYZ
Model: 9900
Carrier: Rogers
Posts: 1,183
Default

Quote:
Originally Posted by gloowee View Post
The reason I ask this is because the BESAdmin account is running as a service and is also a domain admin. Since all domain computers trust the BES server because it's part of the domain, if someone got control of the BESAdmin account then that'd be game over.
As other have said BESAdmin needs to be local admin.

And how is BESAdmin any different than 'Administrator'? The chances of somebody getting access to BESAdmin are no greater than Administrator.
Offline  
Old 08-11-2009, 10:26 AM   #8
usererror
Thumbs Must Hurt
 
Join Date: Jul 2007
Location: Petoskey, MI
Model: 8530
OS: Win 7
PIN: N/A
Carrier: Verizon Droid
Posts: 95
Default

I thought the besadmin account also had to be a member of the domain in order for it to do the "Send As" abilities on each user's account.
Offline  
Old 08-11-2009, 10:29 AM   #9
skyman84
CrackBerry Addict
 
skyman84's Avatar
 
Join Date: Sep 2008
Location: London, UK
Model: 9900
OS: 7.1
PIN: ask!
Carrier: O2 UK
Posts: 932
Default

Wirelessly posted (Bold 9000)

The besadmin account must be a domain account, and have the sendas permissions, but it does not need to be added to the domain admin group. Just make sure its added locally to the admin group on the server.
__________________
Simon
http://www.twitter.com/simonjhardy
Offline  
Old 08-11-2009, 10:31 AM   #10
gloowee
New Member
 
Join Date: Aug 2009
Model: 7100t
PIN: N/A
Carrier: mts
Posts: 14
Default

Check out module #2.

blackberry. com/ select/ toolkit/ 02.shtml#

Should the besadmin account also be a local admin on the Exchange server in order to get access to other peoples mailbox?
Offline  
Old 08-11-2009, 10:58 AM   #11
penguin3107
BlackBerry God
 
penguin3107's Avatar
 
Join Date: Jan 2005
Model: iOS 5
Carrier: VZW
Posts: 11,701
Default

Quote:
Originally Posted by gloowee View Post
Check out module #2.

blackberry. com/ select/ toolkit/ 02.shtml#

Should the besadmin account also be a local admin on the Exchange server in order to get access to other peoples mailbox?
You seem to be really confused about permissions assigned to the BES service account.
This should clear things up for you:
KB02276 - Assigning permissions for a BlackBerry Enterprise Server service account - Port3101.org : Your BES Connection

Follow that KB article and you should be fine.
__________________
BCSA
BES 5.0.3 MR4 :-: Exchange 2007 SP3 RU3
http://port3101.org
Offline  
Old 08-11-2009, 11:02 AM   #12
MarshBklyn
Thumbs Must Hurt
 
Join Date: Aug 2009
Model: 9000
PIN: N/A
Carrier: crApT&T
Posts: 63
Default

Quote:
Originally Posted by gloowee View Post
Should the besadmin account also be a local admin on the Exchange server in order to get access to other peoples mailbox?
No. Only Exchange View Administrator within exchange. Also, send, receive, and administer store permissions as well.
Offline  
Old 08-11-2009, 11:32 AM   #13
gloowee
New Member
 
Join Date: Aug 2009
Model: 7100t
PIN: N/A
Carrier: mts
Posts: 14
Default

Thank you. I followed your instructions to the letter and all was good. Still having issues that I'll search the forums for help on.
Offline  
Closed Thread


Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump


1PC NEW Norgren 2623077 Solenoid Valve picture

1PC NEW Norgren 2623077 Solenoid Valve

$170.00



Command Access VLPKIT36 Solenoid Electrified Panic Kit Door Latch Pullback Kit picture

Command Access VLPKIT36 Solenoid Electrified Panic Kit Door Latch Pullback Kit

$199.99



DYNAQUIP CONTROLS - PHH25ATDA052A Ball Valve 1 In FNPT Double Acting picture

DYNAQUIP CONTROLS - PHH25ATDA052A Ball Valve 1 In FNPT Double Acting

$225.00



Asco-  HC8210G001 Solenoid Valve 125v-dc 3/8in Npt picture

Asco- HC8210G001 Solenoid Valve 125v-dc 3/8in Npt

$65.00



052600-1000 052600-1001 15471-60010 Fuel Shutoff Solenoid Compatible With Kubota picture

052600-1000 052600-1001 15471-60010 Fuel Shutoff Solenoid Compatible With Kubota

$32.99



3/4

3/4" Brass Electric Solenoid Valve 110V 120V Volt AC Water Air Gas VITON NC B21

$36.20







Copyright © 2004-2016 BlackBerryForums.com.
The names RIM © and BlackBerry © are registered Trademarks of BlackBerry Inc.