In some small firms running Blackberry Enterprise Server or Blackberry Professional, some BES users may be Domain Admins or Admins on the server. A not-so-recent patch to 2003 enables a scavenging operation in Active Directory on accounts for users belonging to protected groups such as Administrators or Domain Admins that will clear the permissions needed by BES to access this user's mailbox. This was meant to be a safeguard against someone escalating their rights, but practically means that Admins need to use a day-to-day account for their email needs (which isn't a bad idea in itself to separate daily ops from God Mode). As with all things, there is a workaround.

You can use the Dsacls.exe utility to add the entries that are being stripped off the Admin's user objects. To do this, change the AdminSDHolder permissions. Then, add the entries that you want. Because all the entries use the security principal SELF, this workaround should not introduce any security problems.

The following workaround changes the AdminSDHolder object. Then, the AdminSDHolder object is propagated to each user account that is a member of a protected group. Follow these steps:

   1. Install the Microsoft Windows 2000 Support Tools from the Windows 2000 CD. These tools include the Dsacls.exe utility. You can use the Dsacls.exe utility to view, modify, or remove ACEs on objects in Active Directory.
   2. Create a batch file that contains the following code.

       dsacls "cn=adminsdholder,cn=system,dc=mydomain,dc=com" /G "\SELF:CA;Send As"
       dsacls "cn=adminsdholder,cn=system,dc=<mydomain>,dc=com" /G "\SELF:CA;Receive As"
       dsacls "cn=adminsdholder,cn=system,dc=<mydomain>,dc=com" /G "\SELF:CA;Change Password"
       dsacls "cn=adminsdholder,cn=system,dc=<mydomain>,dc=com" /G "\SELF:RPWP;Personal Information"
       dsacls "cn=adminsdholder,cn=system,dc=<mydomain>,dc=com" /G "\SELF:RPWP;Phone and Mail Options"
       dsacls "cn=adminsdholder,cn=system,dc=<mydomain>,dc=com" /G "\SELF:RPWP;Web Information"

      Note Replace "dc=<mydomain>,dc=com" with the distinguished name of your domain.
   3. Wait for an hour so that Active Directory has time to rewrite the security descriptor of all the user accounts that are members of any propagated groups.
   4. After the ADC replicates the changes, all users appear as "user" instead of as "CUSTOM."

You might also apply security update 916803, security update 912442, or the daylight saving time update for Exchange Server that is described in the following article in the Microsoft Knowledge Base: 926666  (http://support.microsoft.com/kb/926666/ ) Update for daylight saving time changes in 2007 for Exchange 2003 Service Pack 2. If you do this, you must prevent the AdminSDHolder from overwriting permissions that are granted to a BlackBerry Services account on protected groups. To do this, create a batch file that contains the following code:

dsacls "cn=adminsdholder,cn=system,dc=mydomain,dc=com" /G "\SELF:CA;Send As" 
dsacls "cn=adminsdholder,cn=system,dc=<mydomain>,dc=com" /G "\SELF:CA;Receive As" 
dsacls "cn=adminsdholder,cn=system,dc=<mydomain>,dc=com" /G "\SELF:CA;Change Password" 
dsacls "cn=adminsdholder,cn=system,dc=<mydomain>,dc=com" /G "\SELF:RPWP;Personal Information" 
dsacls "cn=adminsdholder,cn=system,dc=<mydomain>,dc=com" /G "\SELF:RPWP;Phone and Mail Options" 
dsacls "cn=adminsdholder,cn=system,dc=<mydomain>,dc=com" /G "\SELF:RPWP;Web Information" 
dsacls "cn=adminsdholder,cn=system,dc=mydomain,dc=com" /G "\BlackBerrySA:CA;Send As"

Note: In this batch file, BlackBerrySA is a placeholder for name of the BlackBerry Service account (normally besadmin). If you have accounts in multiple domains, you can also specify the domain in the command line by using the following format:Domain\BlackberrySA.

Alternatively, best practices recommend that you do not use accounts that are members of protected groups for e-mail purposes. If you must have the rights that are given to a protected group, we recommend that you have two Active Directory user accounts. These Active Directory accounts include one user account that is added to a protected group, and one user account that is used for e-mail purposes and at all other times.