SBS 2003, BlackBerry, Send As, and AdminSDHolder

This tip comes to us courtesy of Chris Puckett.

We've seen an increased number of customer issues involving Exchange hotfix 895949. There's a good deal of confusion around the change in behavior that this hotfix introduces, and about the best way to resolve the change in the Send As behavior for BlackBerry customers and others who have relied on this feature. The method we're advocating below is not the only way to fix or change the behavior, but it does tend to be the easiest and least impactful in SBS environments. For a more full-featured, detailed overview of the issue and why we changed the default Exchange behavior, please see these links first:

https://msexchangeteam.com/archive/2006/04/28/426707.aspx

https://support.microsoft.com/kb/912918

SYMPTOMS

When you try to send an e-mail message in Microsoft Exchange 2000 Server or in Microsoft Exchange Server 2003, you cannot send the e-mail message. Additionally, you may receive one of the following error messages or one of the following Non Delivery Reports (NDRs):

• Access denied

• You do not have sufficient permission to perform this operation on this object. See the folder contact or your system administrator.

• Unlisted Message Error

• MAPI_E_NO_ACCESS -2147024891

• Failed to submit mail message for user USERNAME (HRESULT:-2147024891) Pausing user USERNAME. (Security error - Cannot access the users mailbox.)

NDRs

• You do not have permission to send to this recipient. For assistance, contact your system administrator.

• The message could not be sent using your mailbox. You do not have the permission to send the message on behalf of the specified user.

This issue is known to affect the following third-party products:

• Research In Motion (RIM) Blackberry Enterprise Server (BES)

• Good Technology GoodLink Wireless Messaging

CAUSE

This issue may occur when one of the following conditions is true:

• You do not have permissions to send e-mail messages as the mailbox owner in the account that you are using to send the e-mail message.

• You are running Microsoft Exchange 2000 Server Service Pack 3 (SP3) with a Store.exe file version that is equal to or later than version 6619.4. Version 6619.4 was first made available in the following Microsoft Knowledge Base article:

915358 A hotfix is available to change the behavior of the Full Mailbox Access permission in Exchange 2000 Server

• You are running Microsoft Exchange Server 2003 Service Pack 1 (SP1) with a Store.exe file version that is equal to or later than version 7233.51. Version 7233.51 was first made available in the following Microsoft Knowledge Base article:

895949 “Send As” permission behavior change in Exchange 2003

Note that this fix is not included with Microsoft Exchange 2003 Service Pack 2 (SP2). If you have installed the Exchange Server 2003 SP1 version of this hotfix, you must install the Service Pack 2 version after you upgrade to Service Pack 2.

• You are running Exchange Server 2003 SP2 with a Store.exe file version that is equal to or later than version 7650.23. Version 7650.23 was first made available in the following Microsoft Knowledge Base article:

895949 “Send As” permission behavior change in Exchange 2003

Note: This change was not included in Exchange 2000 Server SP3, in Exchange Server 2003 SP1, or in Exchange Server 2003 SP2. The change was implemented after release of all of these service packs. However, the change is supported in each of them. The change will be included in future service packs for these products.

If you install Exchange Server 2003 SP2, you must install the additional update to retain the new behavior. You must do this even if you already installed the version of the update for Exchange Server 2003 SP1.

RESOLUTION

Grant the Blackberry or other application’s service account the Send As permission on every user in a container or domain.

To grant Send As for the service account on a single user account, follow these steps:

1. Start the Active Directory Users and Computers management console.

2. On the View menu, make sure that the Advanced Features option is selected. If this option is not selected, the Security page will not be visible for domain and container objects.

3. View the properties of the user account (Bryan Baker, for instance) and click the Security tab.

4. Note that the service account (BESAdmin, for instance) is not listed.

5. Add the service account (BESAdmin, for instance). It will default to having Read permissions, but not Send As.

6. Note: This step is optional. The only permission the service account needs is Send As, so you can remove the Read permissions if you wish. To do so, uncheck the following checkboxes in the Allow column for the service account (BESAdmin, for instance):

Read
Read Account Restrictions
Read General Information
Read Group Membership
Read Logon Information
Read Personal Information
Read Phone and Mail Options
Read Public Information
Read Remote Access Information
Read Web Information

7. With the service account (BESAdmin, for instance) still selected, check the following box in the Allow column:

Send As

8. Click OK until you have exited and saved all changes.

9. Restart the Microsoft Exchange Information Store service.

ADDITIONAL INFORMATION:

If you find that the Send As permission is disappearing from a user a few minutes to an hour after you set it, the user is most likely a member of one of the AdminSDHolder protected groups, either directly or indirectly (the user is a member of group X, and group X is a member of one of the groups below). For more information on AdminSDHolder, see article support.microsoft.com/?kbid=232199.

The AdminSDHolder protected groups are:

Account Operators
Administrators
Backup Operators
Cert Publishers
Domain Admins
Domain Controllers
Enterprise Admins
Print Operators
Replicator
Schema Admins
Server Operators

Also in SBS:

Domain Power Users

In SBS, users created with the Power User or Administrator user templates are members of these groups, so they will have this issue: the Send As permission will not stay on their Active Directory security settings.

To let these users keep the Send As permission that BlackBerry needs without removing them from any groups, you can change the default permissions on the AdminSDHolder object itself with the following command:

dsacls "cn=adminsdholder,cn=system,dc=mydomain,dc=com" /G "MYDOMAIN\BlackBerrySA:CA;Send As"

Note: In this command, MYDOMAIN\BlackBerrySA is a placeholder for the name of the BlackBerry service account; change it to the account name in use in your domain. Also change the dc=mydomain,dc=com portion to match your local domain. Make sure that you do not add a space between BlackBerrySA and ":CA".

For instance, if your SBS server's AD domain is aero8.local and the BlackBerry service account is BESAdmin, the command you would run is:

dsacls "cn=adminsdholder,cn=system,dc=aero8,dc=local" /G "AERO8\BESAdmin:CA;Send As"

After you run this command, wait a few minutes (it could take up to 1 hour); the users that lost the Send As permission should get it back. Check this in Active Directory Users and Computers. If they do not get it back, you can add the Send As permission manually.
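As an added example (not code from the original post), the read-only check below lists every AdminSDHolder-protected user (adminCount=1), reports whether the service account holds an explicit Send As entry on it, and for any user that lacks one prints the single-user dsacls grant equivalent to steps 1 through 9 above. It assumes the AERO8\BESAdmin service account name from the example above and uses the well-known schema GUID of the Send-As extended right.

```powershell
# Added example, not from the original post: report which AdminSDHolder-protected
# users lack an explicit Send As ACE for the BlackBerry service account. Read-only.
# Assumption (edit for your domain): the service account is AERO8\BESAdmin.
$ServiceAccount = "AERO8\BESAdmin"
# Well-known schema GUID of the Send-As extended right.
$SendAsGuid    = [Guid]"ab721a54-1e2f-11d0-9819-00aa0040529b"
$ExtendedRight = [int][System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

$rootDse  = [ADSI]"LDAP://RootDSE"
$domainDn = $rootDse.defaultNamingContext.Value

$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://$domainDn"
# AdminSDHolder stamps adminCount=1 on every account it protects (directly or via nested groups).
$searcher.Filter   = "(&(objectCategory=person)(objectClass=user)(adminCount=1))"
$searcher.PageSize = 500

$missing = 0
foreach ($result in $searcher.FindAll()) {
    $user = $result.GetDirectoryEntry()
    $dn   = $user.distinguishedName.Value
    # Explicit ACEs only: AdminSDHolder turns inheritance off on protected objects,
    # so a Send As grant that survives must be an explicit entry on the user.
    $rules = $user.ObjectSecurity.GetAccessRules($true, $false, [System.Security.Principal.NTAccount])

    $sendAs = $rules | Where-Object {
        $_.IdentityReference.Value -eq $ServiceAccount -and
        $_.AccessControlType -eq "Allow" -and
        (([int]$_.ActiveDirectoryRights -band $ExtendedRight) -ne 0) -and
        $_.ObjectType -eq $SendAsGuid
    }

    if ($sendAs) {
        Write-Host "OK       $dn"
    } else {
        $missing++
        Write-Host "MISSING  $dn"
        # Same dsacls syntax the post uses, aimed at the user object instead of AdminSDHolder.
        Write-Host "         dsacls `"$dn`" /G `"${ServiceAccount}:CA;Send As`""
    }
}
Write-Host "$missing protected user(s) without Send As for $ServiceAccount"
```

Because the entry granted on AdminSDHolder is stamped onto every protected account, the users this report lists are exactly the ones the service account will be able to send as once the dsacls change has propagated, so it is worth reviewing that list before running the command.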