Thanks for your reply. I am aware of this and did handle it when I applied the 916803 version for Exchange 2003 SP1. What I am asking is: apart from this, is there any other bad behaviour for SP2 that I have to be prepared for...?

________________________________
From: exchangelist-bounce@xxxxxxxxxxxxx [mailto:exchangelist-bounce@xxxxxxxxxxxxx] On Behalf Of Evan Mann
Sent: Monday, July 10, 2006 7:07 PM
To: exchangelist@xxxxxxxxxxxxx
Subject: [ExchangeList] RE: [ExchangeList] SP2 for exchange 2003 and blackberry

The hotfix that implemented changes to the "send as" behavior in Exchange SP1 and SP2 is 895949. Article 912918 details these changes. However, any hotfixes past this point will include a newer version of store.exe, and include the changes.

SP2 does not include a version of store.exe which includes the change to "send as". However, if you apply any hotfixes to SP2 which bring store.exe to version 7650.23 or higher (7233.51 or higher for SP1), then you will bring back the send as permission change affecting your BES server. I would not let your BES server prevent you from applying critical security patches.

Here are complete details on how to work around the BES issue:

----

First, I am assuming this is an EXISTING 4.x install with everything working just fine, and only an Exchange hotfix (which updates store.exe) caused this. Solving the problem is two-fold: 1) first for regular users, 2) for elevated access users.

Prereq: Your BESAdmin account should NOT have elevated access. If it does, you need to remove it. There is absolutely no reason the BESAdmin account needs this access. It should be a regular Domain User. This also assumes you've granted the BESAdmin the appropriate "view only" rights in your Exchange organization as described by the install notes for BES. If you're sharing your BESAdmin user with some other account that needs elevated domain access, I highly suggest you stop doing this and change to a dedicated BESAdmin user.
1) Regular Users

- Go into AD Users and Computers, enable the advanced view (View/Advanced Features)
- Right-click on the DOMAIN root and go to Properties, then the Security tab
- Click Advanced and add the BESAdmin user
- Change the "Apply onto" pull-down to USER OBJECTS ONLY
- Check SEND AS in the Allow column (that's it!!)
- OK back out to AD Users and Computers

Notes: Instead of applying this security to the DOMAIN root, you can apply it to different OUs. Just make sure you apply it to ALL OUs that you have Blackberry users under, or else they won't be able to send from their handheld.

2) Elevated Access Users (Blackberry users with domain admin/enterprise admin access)

AdminSDHolder is a property that prevents you from giving users with elevated access certain permissions, as an internal design by Microsoft. This is generally good for security reasons. One of the big things it does is remove Send As permission inheritance on users with elevated access. Why? Because it's generally a bad idea to give a user access to Send As everyone else in the domain.

The quickest way to deal with this is to use DSACLS to grant your BESAdmin user Send As access to the AdminSDHolder property. DSACLS can make full overrides on the internal security MS has built in. The command to run is as follows:

dsacls "cn=AdminSDHolder,cn=system,dc=domain,dc=com" /G "netbiosdomain\besadminuser:CA;Send As"

These fixes can take up to 2 hours to apply out to Exchange's cached security information. After they apply, Blackberry Router must be restarted. The fix for regular users only took 20 minutes to update, but the fix for Elevated Users took the FULL 2 hours to update for me.
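Added example (not part of Evan's message, and not RIM or Microsoft code): a PowerShell check that lists which identities currently hold the Send As extended right on the domain root and on AdminSDHolder, so the two grants described above can be verified afterwards and any unexpected holders spotted, and that confirms the BES service account is not itself an AdminSDHolder-protected account. It assumes the RSAT ActiveDirectory module (for the AD: drive) and that the service account is named BESAdmin.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module and
# its AD: PSDrive. The account name 'BESAdmin' is an assumption.
Import-Module ActiveDirectory

$BesAccount = 'BESAdmin'
# Well-known schema GUIDs: the Send-As extended right and the user object class.
$SendAsGuid = [Guid]'ab721a54-1e2f-11d0-9819-00aa0040529b'
$UserClass  = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'

$domainDn = (Get-ADDomain).DistinguishedName
$targets  = @($domainDn, "CN=AdminSDHolder,CN=System,$domainDn")

foreach ($dn in $targets) {
    Write-Host "`nACEs granting Send As on $dn"
    (Get-Acl -Path "AD:\$dn").Access |
        Where-Object {
            # Explicit Send-As grants, plus ACEs with an empty ObjectType that
            # carry GenericAll or ExtendedRight (those imply Send As as well).
            $_.AccessControlType -eq 'Allow' -and (
                $_.ObjectType -eq $SendAsGuid -or (
                    $_.ObjectType -eq [Guid]::Empty -and (
                        $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::GenericAll) -or
                        $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight))))
        } |
        ForEach-Object {
            [pscustomobject]@{
                Identity  = $_.IdentityReference.Value
                Right     = if ($_.ObjectType -eq $SendAsGuid) { 'Send As' }
                            else { "$($_.ActiveDirectoryRights) (implies Send As)" }
                # 'Apply onto: User objects' in the GUI shows up as the user class GUID.
                AppliesTo = if ($_.InheritedObjectType -eq $UserClass) { 'user objects' }
                            elseif ($_.InheritedObjectType -eq [Guid]::Empty) { 'this object and all descendants' }
                            else { $_.InheritedObjectType.ToString() }
                Inherited = $_.IsInherited
            }
        } | Format-Table -AutoSize
}

# The prerequisite from the post: the BES account must not be elevated.
# adminCount=1 means AdminSDHolder has stamped the account, i.e. it is (or was)
# a member of a protected group such as Domain Admins.
$bes = Get-ADUser -Identity $BesAccount -Properties adminCount, memberOf
if ($bes.adminCount -eq 1) {
    Write-Warning "$BesAccount is AdminSDHolder-protected (adminCount=1); remove it from privileged groups."
    $bes.memberOf | ForEach-Object { Write-Host "  member of: $_" }
} else {
    Write-Host "$BesAccount is not a protected account (adminCount not set)."
}
```

Run it before and after the dsacls command; the AdminSDHolder grant appears as a non-inherited Send As ACE for the BES account, and the domain-root grant as an inherit-only ACE applying to user objects.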
________________________________
From: exchangelist-bounce@xxxxxxxxxxxxx [mailto:exchangelist-bounce@xxxxxxxxxxxxx] On Behalf Of Mahmoud Amin Ismail
Sent: Monday, July 10, 2006 11:47 AM
To: exchangelist@xxxxxxxxxxxxx
Subject: [ExchangeList] SP2 for exchange 2003 and blackberry

I have Exchange 2003 with SP1 and the critical security fix 916803. If I upgrade to SP2 and apply the same fix for SP2, would this have any bad impact on Blackberry users...?

Regards,
Mahmoud Amin