[ExchangeList] RE: [ExchangeList] SP2 for exchange 2003 and blackberry

  • From: Evan Mann <emann@xxxxxxxxxxxxxxxxxxxxx>
  • To: exchangelist@xxxxxxxxxxxxx
  • Date: Mon, 10 Jul 2006 12:07:22 -0400

The hotfix that implemented the change to the "send as" behavior in Exchange
SP1 and SP2 is 895949.   Article 912918 details these changes.  However,
any hotfixes past this point will include a newer version of store.exe,
and include the changes.
 
SP2 does not include a version of store.exe which includes the change to
"send as".  However, if you apply any hotfixes to SP2 which bring
store.exe to version 7650.23 or higher (7233.51 or higher for SP1), then
you will bring back the send as permission issue affecting your BES server.
 
I would not let your BES server prevent you from applying critical security
patches. Here are complete details on how to work around the BES issue:
 
----
First, I am assuming this is an EXISTING 4.x install with everything
working just fine, and only an Exchange hotfix (which updates store.exe) caused
this. Solving the problem is twofold: 1) first for regular users, 2)
for elevated access users.
 
Prereq: Your BESAdmin account should NOT have elevated access. If it
does, you need to remove it. There is absolutely no reason the BESAdmin
account needs this access. It should be a regular Domain User. This also
assumes you've granted the BESAdmin the appropriate "view only" rights
in your Exchange organization as described by the install notes for BES.
If you're sharing your BESAdmin user with some other account that needs
elevated domain access, I highly suggest you stop doing this and change
to a dedicated BESAdmin user.
 
1) Regular Users 
-Go into AD Users and Computers, enable the advanced view (View/Advanced
Features) 
-Right-click on the DOMAIN root and go to Properties, then the Security tab
-Click Advanced and add the BESAdmin user. 
-Change the "Apply onto" pull-down to USER OBJECTS ONLY
-Check SEND AS in the Allow column (that's it!!)
-OK back out to AD Users and Computers
 
Notes: Instead of applying this security to the DOMAIN root, you can
apply it to different OUs. Just make sure you apply it to ALL OUs
that contain BlackBerry users, or else they won't be able to send
from their handheld.
 
2) Elevated Access Users (BlackBerry users with domain admin/enterprise
admin access)
 
The AdminSDHolder is a property that prevents you from giving users
with elevated access certain permissions, as an internal design by
Microsoft. This is generally good for security reasons. One of the big
things it does is remove Send As permission inheritance on users with
elevated access. Why? Because it's generally a bad idea to give a user
access to Send As everyone else in the domain.
 
The quickest way to deal with this is to use DSACLS to grant your
BESAdmin user Send As access on the AdminSDHolder property. DSACLS can make
full overrides on the internal security MS has built in. The command to
run is as follows (one line):
 
dsacls "cn=AdminSDHolder,cn=system,dc=domain,dc=com" /G "netbiosdomain\besadminuser:CA;Send As"
 
These fixes can take up to 2 hours to apply to Exchange's cached
security information. After they apply, the BlackBerry Router must be
restarted. The fix for regular users only took 20 minutes to update, but
the fix for Elevated Users took the FULL 2 hours to update for me.
 
________________________________

From: exchangelist-bounce@xxxxxxxxxxxxx
[mailto:exchangelist-bounce@xxxxxxxxxxxxx] On Behalf Of Mahmoud Amin
Ismail
Sent: Monday, July 10, 2006 11:47 AM
To: exchangelist@xxxxxxxxxxxxx
Subject: [ExchangeList] SP2 for exchange 2003 and blackberry


I have Exchange 2003 with SP1 and the critical security fix 916803.
If I upgrade to SP2 and apply the same fix for SP2, would this have
any bad impact on BlackBerry users?
 
Regards,
Mahmoud Amin

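The two ACL changes in Evan's reply above (step 1, Send As on the domain root applied to user objects only; step 2, Send As on AdminSDHolder for protected accounts) expressed as an added PowerShell example. This is not code from the original post or from BlackBerry/Microsoft; it assumes the ActiveDirectory module (RSAT) is installed, that the session runs as an account allowed to modify these ACLs, and that the BES service account is an ordinary domain user named `besadmin` (name assumed). The two GUIDs are the fixed schema identifiers for the Send-As extended right and the `user` object class, and the `Test-SendAsAce` function is the check you would run before restarting the BlackBerry Router.

```powershell
# Added example (not part of the original post): grant the BESAdmin account
# Send-As on every user object under the domain root (step 1) and on
# AdminSDHolder for protected accounts (step 2), then verify both ACEs.
# Assumptions: ActiveDirectory module present, session may edit these ACLs,
# BES service account is the ordinary domain user 'besadmin' (name assumed).

Import-Module ActiveDirectory

$Domain   = Get-ADDomain                      # domain this session is joined to
$BesAdmin = Get-ADUser -Identity 'besadmin'   # assumed BESAdmin account name
$BesSid   = [System.Security.Principal.SecurityIdentifier]$BesAdmin.SID

# Fixed schema GUIDs, identical in every AD forest:
$SendAsRight = [Guid]'ab721a54-1e2f-11d0-9819-00aa0040529b'  # Send-As extended right
$UserClass   = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # 'user' object class

function Grant-SendAs {
    param(
        [string]$DistinguishedName,
        [System.Security.Principal.SecurityIdentifier]$Sid,
        # 'Descendents' + user class = the GUI's "Apply onto: User objects";
        # 'None' = this object only, which is what dsacls /G does on AdminSDHolder.
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]$Inheritance
    )
    $path = "AD:\$DistinguishedName"
    $acl  = Get-Acl -Path $path
    $ctorArgs = @($Sid, 'ExtendedRight', 'Allow', $SendAsRight, $Inheritance)
    if ($Inheritance -eq 'Descendents') { $ctorArgs += $UserClass }  # inherit to user objects only
    $ace = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $ctorArgs
    $acl.AddAccessRule($ace)
    Set-Acl -Path $path -AclObject $acl
}

function Test-SendAsAce {
    # Returns $true when an Allow ACE for the Send-As extended right exists for $Sid.
    param([string]$DistinguishedName, [System.Security.Principal.SecurityIdentifier]$Sid)
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    $hit = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
        $_.ObjectType -eq $SendAsRight -and
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq $Sid.Value
    }
    return [bool]$hit
}

# Step 1: regular users -- domain root, inherited to user objects only.
Grant-SendAs -DistinguishedName $Domain.DistinguishedName -Sid $BesSid -Inheritance Descendents

# Step 2: protected (adminCount=1) users -- AdminSDHolder itself; SDProp copies
# its ACL onto protected accounts on its next pass (hourly by default).
$AdminSdHolder = "CN=AdminSDHolder,CN=System,$($Domain.DistinguishedName)"
Grant-SendAs -DistinguishedName $AdminSdHolder -Sid $BesSid -Inheritance None

foreach ($dn in @($Domain.DistinguishedName, $AdminSdHolder)) {
    '{0}: Send-As ACE for {1} present: {2}' -f $dn, $BesAdmin.SamAccountName, (Test-SendAsAce $dn $BesSid)
}
```

Run `Test-SendAsAce` against the distinguished name of a protected user (one with adminCount=1) after SDProp's next pass to confirm the AdminSDHolder ACE has actually been stamped onto that account; SDProp's default 60-minute interval plus the store's own permission cache is why the post reports a wait of up to 2 hours before the BlackBerry Router restart takes effect. As with the dsacls command in the post, this grants one account Send As over every user in the domain, so the account should be the dedicated, non-privileged BESAdmin user the prerequisite section describes.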
