Using dsacls to grant send-as permission for BES

I need to be able to grant "send-as" permission to several mailboxes of privileged accounts in order for our Blackberry Enterprise Server to enable users to send messages from their phones.  I know that Microsoft recommends against this, but that's the way we are set up here.  Based on an earlier post here, I had enabled inheritance on the user account in AD and it worked and I thought I had the solution.  Then I discovered that AD goes through and disables inheritance on all privileged accounts every hour or so.  This BES server works properly with non-privileged accounts and works with privileged accounts as long as inheritance is enabled.

I found a KB ( http://support.microsoft.com/kb/907434 ) about using dsacls to grant this permission so that it would not be removed.  This appears to be an older article and said it refers to Exchange 2003 and 2007.  Would this procedure still be valid for Exchange 2013 on Windows 2012R2?  Is there any other way to get a specific BES admin account to have send-as permission to mailboxes of privileged accounts?

Most of our mailboxes are still on Exchange 2010, and privileged users' mailboxes work fine with that BES server and that BES admin account.  Those privileged accounts still on Exchange 2010 still have nothing listed in "send-as" in the console.  I'm not sure what the difference is.

Thank you very much for your help with this.

February 20th, 2015 11:37am

Hi,

Does the account belong to a protected group? If not, the KB applies to your issue. You can check the AD DS audit log to see who changes the permission. Maybe a scheduled script.

https://technet.microsoft.com/en-us/library/cc731607(v=ws.10).aspx

Thanks,

Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

 

February 23rd, 2015 5:02pm

Hi,

Is there any update on this thread?


Thanks,


February 25th, 2015 4:06am

Thank you for your replies.

As stated in my original post, these are privileged accounts, so they are members of a protected group.  The KB article I referenced did indeed turn out to correct the problem.  I had posted this because the article was old enough to not mention either Exchange 2010 or 2013, but it does seem to have worked for Exchange 2013 as well.  I created and ran the batch file that this article specified using the BES administrative account for the last line.  It did not work immediately, but a few hours later I was able to start sending email from my Blackberry.  An associated Blackberry KB article mentioned that Exchange has a permissions cache that is cleared every 2 hours, so that explains the delay.

To elaborate a little bit more in case someone else is having this problem, the Microsoft KB article above was referenced by a Blackberry knowledgebase article, KB04707 at http://btsc.webapps.blackberry.com/btsc/viewdocument.do?noCount=true&externalId=KB04707&sliceId=2&cmd=displayKC&docType=kc&ViewedDocsListHelper=com.kanisa.apps.common.BaseViewedDocsListHelperImpl

This Blackberry KB article presented 2 workarounds to allow privileged accounts to send mail from their Blackberries.  Workaround 1 is the dsacls batch file workaround that the Microsoft KB specifies.  Workaround 2 was to simply use Active Directory Users and Computers to grant the BES admin account Send As permission to the AdminSDHolder container.  I first applied Workaround 2 and waited several hours, but that workaround did NOT work.  I then applied Workaround 1 (the workaround in the MS KB article I originally referenced), and that is what corrected the problem (after a delay presumably for the Exchange permissions cache to clear).

Thank you again for your help.

February 25th, 2015 5:31am
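An added example, not part of any post in this thread and not taken from the Microsoft or BlackBerry KB articles: a read-only PowerShell check that lists which accounts hold Send As on the AdminSDHolder container and on the protected accounts whose ACL is reset from it, so the result of the dsacls change can be confirmed and other holders of the right reviewed. It assumes the ActiveDirectory module (RSAT) is installed; the function name `Get-SendAsAce` is hypothetical.

```powershell
# Added example (not from the thread or the KB articles). Read-only audit.
# Assumption: the ActiveDirectory module (RSAT) is available on this host.
Import-Module ActiveDirectory

# Rights GUID of the "Send As" extended right in the AD schema.
$SendAs = [guid]'ab721a54-1e2f-11d0-9819-00aa0040529b'

# Hypothetical helper: return the Allow ACEs on one object that grant Send As.
function Get-SendAsAce {
    param([Parameter(Mandatory)][string]$DistinguishedName)

    $extended = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    (Get-Acl -Path "AD:\$DistinguishedName").Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ($_.ActiveDirectoryRights -band $extended) -and
            # An empty ObjectType means "all extended rights", which
            # includes Send As, so report those ACEs as well.
            ($_.ObjectType -eq $SendAs -or $_.ObjectType -eq [guid]::Empty)
        } |
        Select-Object @{n = 'Object'; e = { $DistinguishedName }},
                      IdentityReference,
                      @{n = 'Scope'; e = {
                          if ($_.ObjectType -eq $SendAs) { 'Send As' }
                          else { 'All extended rights' } }},
                      IsInherited
}

# 1. The template ACL: ACEs set here are copied to every protected account.
$domainDN = (Get-ADDomain).DistinguishedName
Get-SendAsAce "CN=AdminSDHolder,CN=System,$domainDN" | Format-Table -AutoSize

# 2. The protected accounts themselves (adminCount=1). After the change has
#    propagated, the service account should appear here with
#    IsInherited = False, which is why the hourly reset no longer removes it.
Get-ADUser -LDAPFilter '(adminCount=1)' |
    ForEach-Object { Get-SendAsAce $_.DistinguishedName } |
    Sort-Object IdentityReference, Object |
    Format-Table -AutoSize
```

Any identity listed against AdminSDHolder holds Send As over every protected account in the domain, so the first table is worth reviewing periodically as well as after the change.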

Hi,

Please check the link below, which describes the steps that need to be executed to assign the required permissions for the besadmin account.

Assigning service account permissions for a BlackBerry Enterprise Server for Microsoft Exchange

http://btsc.webapps.blackberry.com/btsc/viewdocument.do;jsessionid=6313850D19A64E03D9AD5CA48022C8B8?externalId=KB02276&sliceId=2&cmd=displayKC&docType=kc&noCount=true&ViewedDocsListHelper=com.kanisa.apps.common.BaseViewedDocsListHelperImpl

February 25th, 2015 6:05am

This topic is archived. No further replies will be accepted.
