[chrislehr]

So, I have often wondered this, and never had it be a "problem" until now.

In the BES 5.x instructions, there is this step:
Type Add-ADPermission -InheritedObjectType User -InheritanceType Descendents -ExtendedRights Send-As -
User "BESAdmin" -Identity "CN=Users,DC=<domain_1>,DC=<domain_2>,DC=<domain_3 >"


Now, these instruction work, as long as you have all your users in the "Users" CN. At my employer, this needed to be replaced with OU=Employees instead, because that is where all the users are.

Now, I have a customer who has about 35 OU's off their root. Now, I can audit, and specifically set this permission at each OU.. I can also script and loop through the root OU's applying this permission..

However, if the customer add's another Root OU, they would need to re-run this permission. That's acceptable to some customers, but not all.

And if you try to run the above and apply to just DC=domain,DC=com, it errors out in a pretty non-descriptive manner.

Any feedback welcome.
Chris

[Wiseman13]

The easiest fix, from the outside looking in, would be to create a OU at the root called something like "Employees" and put all the other root OUs under that Employee OU, this makes things cleaner overall I would think, and solves your issue as you only need to run the permissions for the Employees OU.

Just a thought, not really a "fix"

[chrislehr]

Quote:

Originally Posted by Wiseman13

The easiest fix, from the outside looking in, would be to create a OU at the root called something like "Employees" and put all the other root OUs under that Employee OU, this makes things cleaner overall I would think, and solves your issue as you only need to run the permissions for the Employees OU.

Just a thought, not really a "fix"

Yea, I thought of offering that as well, but instead I just issued the command 40 times, and told the customer they would need to add the line for any new OU's as well. Wish this could be applied at the domain level.