One more thing to make things work - reboot your PDC.... If you are not sure what that means... reboot your main server (so if you have Small Business Server, it would be that). This is critical.. I've found out that even though everything may appear to be set right, nothing really is until a reboot. Go figure..
-Karl J.
Wednesday, June 21, 2006
Update to BlackBerry: Problems sending messages when using Enterprise Server
I forgot to mention one - very important - step that needs to be done. If your users were Domain Admins, even if you strip the Domain Admin rights from them, they will still be considered a protected account. Therefore it is necessary to follow a few additional steps to do that. Here is the informaiton you will need for that:
(UPDATE ON THIS: I am sort of inserting this paragraph after the post was published. I am still debating whether this is really necessary, especially if you strip Domain Admin rights. On one hand research suggests that it is... but then I was able to get around this for some users).
Special rules for adminSDHolder Protected Accounts
If you use the script to grant the Send As permission for a mailbox owner that is also a domain administrator, the Send As permission will not be effective. We strongly recommend that you do not mailbox-enable user accounts that have domain administrator rights or that are adminSDHolder protected.
The adminSDHolder object is a template for accounts that have broad Active Directory administrative rights. To prevent unintended elevation of privilege, any account that is protected by the adminSDHolder object must have access rights that match those that are listed on the adminSDHolder object itself.
If you change the rights or the permissions on the adminSDHolder object for a protected account, a background task will undo the change within several minutes. For example, if you grant the Send As permission on a domain administrator object for an application service account, the background task will automatically revoke the permission.
Therefore, you cannot grant the Send As permission to an application service account for an account that is protected by the adminSDHolder object unless you change the adminSDHolder object itself. If you do change the adminSDHolder object, this will change the access permissions for all protected accounts. You should only change the adminSDHolder object after a complete review of the security implications that may occur with the change.
To associate a mailbox with an account that is protected by the adminSDHolder object, follow these steps:
1. Start the Active Directory Users and Computers management console.
2. On the View menu, make sure that the Advanced Features option is selected. If this option is not selected, the Security page will not be visible for User account objects.
3. Create an ordinary user account to act as the mailbox owner.
4. Assign the ordinary user account a mailbox on an Exchange server.
5. Open the properties of the new mailbox owner account.
6. In the Exchange Advanced box, grant the Full Mailbox Access permission to the protected administrator account.
7. In the Security page, grant the Send As permission to the protected administrator account.
8. Click OK to exit the properties of the mailbox owner object.
9. Right-click the mailbox owner account object, and then click Disable Account to disable the account for all logons.
(UPDATE ON THIS: I am sort of inserting this paragraph after the post was published. I am still debating whether this is really necessary, especially if you strip Domain Admin rights. On one hand research suggests that it is... but then I was able to get around this for some users).
Special rules for adminSDHolder Protected Accounts
If you use the script to grant the Send As permission for a mailbox owner that is also a domain administrator, the Send As permission will not be effective. We strongly recommend that you do not mailbox-enable user accounts that have domain administrator rights or that are adminSDHolder protected.
The adminSDHolder object is a template for accounts that have broad Active Directory administrative rights. To prevent unintended elevation of privilege, any account that is protected by the adminSDHolder object must have access rights that match those that are listed on the adminSDHolder object itself.
If you change the rights or the permissions on the adminSDHolder object for a protected account, a background task will undo the change within several minutes. For example, if you grant the Send As permission on a domain administrator object for an application service account, the background task will automatically revoke the permission.
Therefore, you cannot grant the Send As permission to an application service account for an account that is protected by the adminSDHolder object unless you change the adminSDHolder object itself. If you do change the adminSDHolder object, this will change the access permissions for all protected accounts. You should only change the adminSDHolder object after a complete review of the security implications that may occur with the change.
To associate a mailbox with an account that is protected by the adminSDHolder object, follow these steps:
1. Start the Active Directory Users and Computers management console.
2. On the View menu, make sure that the Advanced Features option is selected. If this option is not selected, the Security page will not be visible for User account objects.
3. Create an ordinary user account to act as the mailbox owner.
4. Assign the ordinary user account a mailbox on an Exchange server.
5. Open the properties of the new mailbox owner account.
6. In the Exchange Advanced box, grant the Full Mailbox Access permission to the protected administrator account.
7. In the Security page, grant the Send As permission to the protected administrator account.
8. Click OK to exit the properties of the mailbox owner object.
9. Right-click the mailbox owner account object, and then click Disable Account to disable the account for all logons.
BlackBerry: Problems sending messages when using Enterprise Server
Many users that are currently utilizing BlackBerry Enterprise Server are experiencing a problem sending messages. Basically the message attempts to send and comes back with a red "X". The issue is documented by BlackBerry and Microsoft, however the information provided has proven inaccurate to a degree, at least in my experience. I am happy to announce that there is a fix for the problem, one slightly different than what is suggested.
First off, a little backgroun. If you are running Microsoft Updates on your MS Exchange Server than you are experiencing the problem. The same is true if you applied the hotfix described in "“Send As” permission behavior change in Exchange 2003", Article 895949, of the Microsoft Knowledgebase. Basically the behavior of the "Send As" feature has changed, and been torn away from the previous setting that controlled it - known as "Full Mailbox Access." According to Microsoft, the reason there is an issue to begin with is due to BlackBerry's installation and security assignment procedure that improperly utilizies the "Full Mailbox Access" setting. Microsoft suggests that they are simply enforcing a behavior in security that has been documented a long time ago and simply been patched now.
The solution to this problem is described by Microsoft KB-912918 and BlackBerry KB-04707. (NOTE: if the BB KB article link fails, increase the last number in the h-link incrementally as new versions will have higher numbers). However, it is my view that the articles miss out on vital information. So, I've written out the procedure with additional - critical - information. The revised procedure I've used successfully is as follows:
First off, a little backgroun. If you are running Microsoft Updates on your MS Exchange Server than you are experiencing the problem. The same is true if you applied the hotfix described in "“Send As” permission behavior change in Exchange 2003", Article 895949, of the Microsoft Knowledgebase. Basically the behavior of the "Send As" feature has changed, and been torn away from the previous setting that controlled it - known as "Full Mailbox Access." According to Microsoft, the reason there is an issue to begin with is due to BlackBerry's installation and security assignment procedure that improperly utilizies the "Full Mailbox Access" setting. Microsoft suggests that they are simply enforcing a behavior in security that has been documented a long time ago and simply been patched now.
The solution to this problem is described by Microsoft KB-912918 and BlackBerry KB-04707. (NOTE: if the BB KB article link fails, increase the last number in the h-link incrementally as new versions will have higher numbers). However, it is my view that the articles miss out on vital information. So, I've written out the procedure with additional - critical - information. The revised procedure I've used successfully is as follows:
- Stop the BlackBerry Router first (contrary to 04707). This prevents users from sending. If a send is made during this procedure, all changes will be undone.
- Go to Active Directory and REMOVE all Domain Admin / Administrator privlidges from the users that have BlackBerries. If not, your changes will be automatically undone within 60 mintes of you doing them (again not documented). Currently there is no work around.
- Go to the domain level and assign BESAdmin (or whatever you use) "Send As" rights (in Security Tab) to the *User Objects*, from the Advanced Button. This will propagate to most users but not all (Microsoft KB-912918 has the details).
- Go to the users that were Admins before and go to Properties > Security > Advanced. You will likely have to add BESAdmin to their list. When doing it, make sure to switch to USER OBJECTS first, and then check "Send As". Failure to use User Objects will be a problem, so dont miss that.
- Wait 20 minutes for the cache to clear and start BlackBerry Router.
This does clear up the issue, I've been able to do it successfully on multiple servers. Keep in midn that the alternative is not to do Microsoft Updates or not apply the hotfix, but then you are left with a potential security problem. It is a catch 22. My oppinion, I rather keep MS Update and deal with issues if they arise.
-Karl J.
Subscribe to:
Posts (Atom)