[bberrelez]

I think I did something wrong in my setup. In a nutshell everything was working fine last night, life was good. Not now. I am unable to send email from my blackberry service account. So my blackberry user cannot send email from her cell phone again. I looked in my event viewer and I see a warning and it resembles how the send as settings are being revoked. Last night I added my blackberry service account as 'send as' under the security tab for our domain. The rights carried down and I was able to send mail from the Blackberry account as another user. The blackberry user was able to send email from her phone.

Today, it doesn't work....What happended? I rebooted the server and nothing has changed.

[gibson_hg]

What groups is your BESAdmin apart of? Sounds like your rights are being revoked, more than likely due to group membership. Admin groups are no no, review the article from RIM about Send As and the ones from Microsoft as well.

[Sith_Apprentice]

welcome to the forums by the way.

[bberrelez]

Thank you Sith Apprentice.

What groups is your BESAdmin apart of?
- He is just in domain users

Sounds like your rights are being revoked, more than likely due to group membership.
- If so, how come the blackberry user was able to send last night?

Admin groups are no no, review the article from RIM about Send As and the ones from Microsoft as well.
- The blackberry user and the blackberry service account are not in the Admin group.

[ashworth]

If you check the permissions on the users themselfs do you see the send as permissoin? If you done then I would follow the video i created to set the send as permissions.

Send As Permission - BESAdmin.ca

[Keyscan]

Quote:

Originally Posted by ashworth

If you check the permissions on the users themselfs do you see the send as permissoin? If you done then I would follow the video i created to set the send as permissions.

Send As Permission - BESAdmin.ca

Is your site down right now?

EDIT: nevermind, I can access the site again.

[bberrelez]

I tried running that dsacls command and it won't run, says that my domain can't be contacted.

dsacls "cn=adminsdholder,cn=system,dc=lsi.local,dc=co m" /G "LSI.local\SELF:CA;Send As"

i even tried this one

dsacls "cn=adminsdholder,cn=system,dc=lsi.local,dc=co m" /G "SELF:CA;Send As"

I have never ran this command before so I'm sure I'm doing something run.

EDIT : Well I feel dumb.

dsacls "cn=adminsdholder,cn=system,dc=lsi,dc=local" /G "SELF:CA;Send As"

It ran successfully. I'm going to wait an hour and continue the process.

Thanks for the advice.

[bberrelez]

So far so good. That appears to have fixed it. Guess I will know for sure later. So this should keep the rights to this service account correct?

EDIT: Nevermind, it stopped working again. I tried sending email from the BES service account and It will not allow me too. I don't know what is going on, it it the BES that is causing this problem? Somehow my permissions are getting revoked again.

[Malkier]

Are your users members of any protected groups or are power users?

[bberrelez]

Here is a list of groups that the blackberry user is a member of:

Account Operators
Domain Users
Mobile Users
Print Operators
Remote Desktop Users
Remote Operators
Remote Web Workplace Users
Sales
SlxAdmin (This group is not a member of any Administration group)
SlxPublic
Terminal Server Computers

The user at one point was a member of Admin but I removed her. The Blackberry service account is just a member of Domain users and that's all.

EDIT: Just found out Sales group is a member of Administrators - Built-in

I believe they need to be a member of this group, so I guess that explains why the permissions are being revoked. Should I tell her she has to be removed from this group?

[Malkier]

Account Operators and Print operators are also protected groups, this will also revoke the Send As permission.
There is another work around if you are comfortable doing it.

Dont quote me on any of this, but I do know that it works, you will still need to set the Send As right for Besadmin on the User objects, but this will stop users of protected groups from having it revoked.

If you enable inheritance on the adminSDHolder container, all members of the protected groups have inherited permissions enabled. In terms of security functionality, this method reverts the behavior of the adminSDHolder container back to the pre-Service Pack functionality.


NOTE: If you use Active Directory Users and Computers, make sure that Advanced Features is selected on the View menu.

To enable inheritance on the adminSDHolder container:

1. Right-click the container, and then click Properties.
2. Click the Security tab.
3. Click Advanced.
4. Click to select the Allow Inheritable permissions to propagate to this object and all child objects check box .
5. Click OK, and then click Close.

The next time that the SDProp thread runs, the inheritance flag is set on all members of protected groups. This procedure may take up to 60 minutes. Allow sufficient time for this change to replicate from the primary domain controller (PDC).

[bberrelez]

I will give that a try and post my results in an hour or so.

Thanks for the tip.

[bberrelez]

Ok, I checked it and so far so good. It works for now. I will check again in about an hour.

[kapasaca]

if that help didn't work for you, just put the right on the employee itself.
not on the domain or OU, just that employee.

it doesn't sound like a rights issue, it is, you just have some template in your AD that revokes the rights everytime.

[Phoenix887]

TRY this

Give Permissions through the DC.

1. Open MMC console, add ADSI Edit snap-in
2. Right clicked ADSI Edit and selected Connect to Domain
3. Expand Domain
4. Expand Full DC (Full Domain Name)
5. Expand CN=System
6. Right Click CN=AdminSDHolder and choose Properties
7. Choose Security Tab Added BESadmin user account send as permissions making sure that the Check Mark is selected to inherit from parent the permissions entries that apply to child objects. Includes these with entries explicitly defined here
8. Use the xxx8220;Apply ontoxxx8221; drop down and select xxx8220;user objectsxxx8221;
9.In the list of permissions below select allow xxx8220;send asxxx8221;
DO NOT CHECK xxx8220;Apply these permissions to object and/or containers within this container onlyxxx8221;
10.Press Ok and keep pressing Ok till you are out of the menus
11.Wait for replication for your users to inherit the permission