How to assign permissions for the BlackBerry Enterprise Server administration account in Microsoft Exchange
Doc ID : KB02276
Last Modified : 2007-07-26
Document Type : What Is
Environment
- BlackBerry® Enterprise Server software version 4.1 Service Pack 3 (4.1.3) and later
- Microsoft® Exchange Server® 2007
Details
The following permissions can be assigned for the BlackBerry Enterprise Server administration account:
- Local Administrator rights on the BlackBerry Enterprise Server
- Local Security Policy permissions for the administration account
- Microsoft Exchange permissions at the Administrative Group level
- Microsoft Exchange permissions at the Exchange Server level
- Send As permission at the Domain level
To assign the appropriate permissions, complete the tasks below.
Note: The BlackBerry Enterprise Server service account should be only a Domain User, not a Domain Administrator. See KB04557 for more information.
Task 1
To assign Local Administrator rights to the BlackBerry Enterprise Server administration account, complete the following steps:
On a Domain Controller
- Go to Start > Programs > Administrative Tools > Active Directory Users and Computers.
- Select the Builtin folder.
- Double-click Administrators.
- On the Members tab, click Add.
- Select the BlackBerry Enterprise Server administration account (for example, BESAdmin), then click Add.
- Click OK.
- Click OK again.
On a Member Server
- Click Start > Administrative Tools > Computer Management.
- In the left pane, expand System Tools and click Local Users and Groups.
- In the right pane, double-click Groups.
- Right-click Administrators and click Properties.
- In the Select Users, Contacts, Computers, or Groups window, select the BlackBerry Enterprise Server administration account.
- Click OK.
Task 2
To assign Local Security Policy permissions for the BlackBerry Enterprise Server administration account, complete the following steps:
Note: This allows the BlackBerry Enterprise Server administration account to access the local computer and run the BlackBerry Enterprise Server as a Microsoft Windows® Service.
- Click Start > Administrative Tools > Local Security Policy. If the computer is a domain controller, click Start > Administrative Tools > Domain Controller Security Policy.
- In the Local Securities window, click Local Policies > User Rights Assignment.
- Do one of the following:
- For Microsoft Windows Server® 2000, double-click Log on Locally.
- For Microsoft Windows Server 2003, double-click Allow Log on Locally.
- Click Add User or Group.
- Select the BlackBerry Enterprise Server administration account and click Add.
- Click OK.
- In the Local Security Settings window, double-click Log On As a Service.
- Click Add User and select the BlackBerry Enterprise Server administration account.
- Click OK.
Task 3
To assign Microsoft Exchange Server permissions at the Administrative Group level, complete the following steps for your environment:
Note: This allows a system administrator to manage BlackBerry device users and groups.
On Microsoft Exchange 2000/2003
- Go to Start > Programs > Microsoft Exchange > System Manager.
- Select Administrative Groups.
- Right-click First Administrative Group and select Delegate Control.
- In the Exchange Administration Delegation Wizard, click Next, and then click Add.
- Click Browse and select the BlackBerry Enterprise Server administration account.
- Click OK.
- In the Role drop-down list of the Delegate Control window, select Exchange View Only Administrator.
- Click OK to add the BlackBerry Enterprise Server administration account to the Users and Groups list.
- Click Next, and then click Finish.
On Microsoft Exchange 2007
To set an Exchange View Only Administrator role
- Open Windows PowerShell and open a command prompt window.
- In the command prompt window, type the following line and press ENTER:
add-exchangeadministrator <BESAdmin> -role ViewOnlyAdmin
where <BESAdmin> is the name of the BlackBerry Enterprise Server administration account.
To check an Exchange View-Only Administrator role
- Open Windows PowerShell and open a command prompt window.
- At the command prompt window, type the following line and press ENTER:
get-exchangeadministrator | Format-List
You should see that the BlackBerry Enterprise Server administration account has a role of ViewOnlyAdmin.
Task 4
To assign Microsoft Exchange Server permissions at the Exchange Server level, complete the following steps:
On Microsoft Exchange 2000/2003
- Go to Start > Programs > Microsoft Exchange > System Manager.
- Select Administrative Groups > First Administrative Group > Servers.
- Right-click the Exchange Server name and select Properties.
- On the Security tab, select the BlackBerry Enterprise Server administration account.
- From the Permissions list, select the following permissions:
- Administer Information Store
- Send As
- Receive As
- Click the Advanced button and ensure that the option Allow inheritable permissions from parent to propagate to this object and all child objects is checked.
- Click OK.
Note: Repeat the above steps for each Exchange Server within the routing group that will be hosting mailboxes for BlackBerry device users who have accounts on a BlackBerry Enterprise Server.
On Microsoft Exchange 2007
To set Send As, Receive As, and Administer Information Store permissions
- Open Windows PowerShell and open a command prompt window.
- At the command prompt window, type the following line, and then press ENTER:
get-mailboxserver Exchange2007 | add-adpermission -user <BESAdmin> -accessrights GenericRead, GenericWrite -extendedrights Send-As, Receive-As, ms-Exch-Store-Admin
where Exchange2007 is the name of the Exchange 2007 Server and <BESAdmin> is the name of the BlackBerry Enterprise Server administration account.
To check the Send As, Receive As, and Administer Information Store permissions
- Open Windows PowerShell and then open a command prompt window.
- At the command prompt window, type the following line, and then press ENTER:
get-mailboxserver Exchange2007 | get-ADpermission -user BESAdmin | Format-List
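One way to script both Exchange 2007 checks above, as an added example that is not part of the original article: it confirms the account's role is ViewOnlyAdmin and goes beyond the single-server command by checking the three extended rights on every mailbox server. The function name Test-BesExchangePermission and the match on the end of the Identity value are assumptions; run it in the Exchange Management Shell.

```powershell
# Added example, not from the original article. Run in the Exchange Management Shell.
# Test-BesExchangePermission is a hypothetical name; 'BESAdmin' is the article's sample account.
function Test-BesExchangePermission {
    param([string]$Account = 'BESAdmin')

    # Extended rights the article grants at the Exchange Server level (Task 4).
    $required = 'Send-As', 'Receive-As', 'ms-Exch-Store-Admin'

    # Task 3: the account should appear with the ViewOnlyAdmin role and nothing broader.
    # Assumption: the Identity value ends with the account name.
    $entries = @(Get-ExchangeAdministrator |
        Where-Object { "$($_.Identity)" -like "*$Account" })
    if ($entries.Count -eq 0) {
        Write-Warning "$Account holds no Exchange administrator role"
    }
    foreach ($entry in $entries) {
        if ("$($entry.Role)" -ne 'ViewOnlyAdmin') {
            Write-Warning "$Account has role $($entry.Role), expected ViewOnlyAdmin only"
        }
    }

    # Task 4: check every mailbox server, not just one named server.
    foreach ($server in @(Get-MailboxServer)) {
        $granted = @()
        foreach ($ace in @($server | Get-ADPermission -User $Account)) {
            if ($ace.Deny) {
                # A Deny entry overrides an Allow, so report it and skip its rights.
                Write-Warning "$($server.Name): Deny entry present for $Account"
                continue
            }
            foreach ($right in @($ace.ExtendedRights)) {
                if ($right) { $granted += "$right" }
            }
        }
        $missing = @($required | Where-Object { $granted -notcontains $_ })
        if ($missing.Count -gt 0) {
            Write-Warning "$($server.Name): missing $([string]::Join(', ', $missing))"
        } else {
            Write-Output "$($server.Name): Send-As, Receive-As, ms-Exch-Store-Admin present"
        }
    }
}

Test-BesExchangePermission -Account 'BESAdmin'
```

Get-ADPermission with -User reports only entries that name the account directly, so rights inherited through group membership do not appear in this check.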
On Microsoft Exchange 5.5
The BlackBerry Enterprise Server service account requires the Service Account Admin permissions on the Site container and Configuration container.
Task 5
To grant the Send As permission on a single account for all BlackBerry device users in a Microsoft Active Directory® domain or container, complete the following steps:
- Open Active Directory Users and Computers.
- From the View menu, select the Advanced Features option. Note: If this option is not selected, the Security page will not be visible for domain and container objects.
- Right-click the appropriate domain or container and click Properties.
- On the Security tab, click Advanced.
- If the BlackBerry Enterprise Server administration account that needs the Send As permission is not listed, click Add and select the BlackBerry Enterprise Server administration account (for example, BESAdmin).
- Click OK.
- Double-click the BlackBerry Enterprise Server administration account.
- In the Applies Onto list, select User Objects.
- Select the Send As check box.
- Click Apply, and then click OK.
- Close the Properties window, and then close Active Directory Users and Computers.
Note: For additional methods of assigning the Send As permission, search for article 912918 in the Microsoft Support Knowledge Base.
Additional Information
Microsoft Exchange 2007 is supported in BlackBerry Enterprise Server software version 4.1 Service Pack 3 and later.
The Exchange 2007 steps that set permissions from the command line advise opening a command prompt window. This is not the case: the commands must be run in the Microsoft Exchange Management Shell.