Unlisted message error or Desktop email program unable to submit message

[cs-sysadmin]

Quote:

Originally Posted by GaryCutri

Re: AdminSDHolder

The AdminSDHolder container is a special container object inside of the System container in Active Directory. The basic function of AdminSDHolder is exactly what it says it does - it holds the Access Control List (ACL) for every admin account. This container is just a template. Once every hour, the DC that holds the PDC Emulator role goes through every account that is in built-in Administrators group and checks the ACL for each user object. It compares this ACL to that of the AdminSDHolder container and if any Access Control Entry (ACE) is different, it rips out the old ACL and copies the ACL from the AdminSDHolder over to it.

The purpose of AdminSDHolder is to prevent against a specific attack scenario. Active Directory is extremely flexible down to it' s most granular level. Because of this, a user can have write access to anything inside of a specific OU. If an admin account is moved to an OU that a non-admin has rights to, he could give himself privileged access to the admin account. AdminSDHolder tries to prevent this from happening by continuously refreshing the ACL on an admin account.

------------

in my case i need to have domain admins rights associated with my AD profile. How do i keep my admin righst and not loose my BESadmin permissions???

[BESadmin]

Quote:

Originally Posted by cs-sysadmin

------------

in my case i need to have domain admins rights associated with my AD profile. How do i keep my admin righst and not loose my BESadmin permissions???

Please refer to the following link to correct your issue:
Send As Permissions when Domain Admin

[BESadmin]

Administration accounts in protected Active Directory groups

Doc ID : KB12309
Last Modified : 2007-07-13
Document Type : What Is

Environment

• BlackBerry® Enterprise Server
• Microsoft® Exchange Server 2000 and 2003

Details

When using the SetSendAsPermission tool to address problems with the Send As permission being revoked for the BlackBerry Enterprise Server administration account (for example, BESAdmin), the change made to the administration account is temporary and needs to be continuously reapplied. This will happen if the administration account is in a protected Microsoft Windows® Active Directory® group.

Active Directory user objects can be explicit or transitive members of a protected group. This means that user objects can be added to a protected group explicitly or because they are contained in a group that is added to the protected group (they are joined to the protected group by association). Rather than inheriting their permissions from a parent container, their Access Control List (ACL) is a copy of the ACL on the AdminSDHolder object.

Every hour, the Domain Controller (DC) that has the Primary Domain Controller (PDC) emulator and Flexible Single Master Operation (FSMO) roles compares the ACL for user objects associated with protected groups to the ACL on the AdminSDHolder object. If any differences are found during that comparison, the user object ACL is updated to match the current ACL of the AdminSDHolder object.

The following are protected groups in Microsoft Windows 2000:

• Administrators
• Domain Administrators
• Enterprise Administrators
• Schema Administrators

If you apply the Microsoft hotfix described in Microsoft Support Knowledge Base article 327825, or if you install Microsoft Windows 2000 Service Pack 4, the following are protected groups in Windows Server 2003 and Windows 2000:

• Administrators
• Account Operators
• Backup Operators
• Cert Publishers
• Domain Administrators
• Enterprise Administrators
• Print Operators
• Schema Administrators
• Server Operators

The following user objects also are protected:

• Administrator
• Krbtgt

Additional Information

It is possible to modify Microsoft Active Directory permissions to allow BlackBerry device users who are members of protected groups to send messages from their BlackBerry devices without creating secondary email accounts using the DSACLS.exe utility. For instructions on modifying the permissions that are associated with the AdminSDHolder Microsoft Active Directory object and have been changed by the recent Microsoft Exchange update, review articles 817433 and 281146 in the Microsoft Support Knowledge Base.