Permissions set at the Administrative Group or Exchange level are not inherited

[BESadmin]

Permissions set at the Administrative Group or Microsoft Exchange Server level are not inherited by the mailbox of the BlackBerry smartphone user

Doc ID : KB15196
Last Modified : 03-16-2009
Document Type : Support

Environment

• BlackBerry® Enterprise Server for Microsoft® Exchange
• Microsoft® Exchange Server 2007 Service Pack 1

Overview

Permissions set at the Administrative Group or Microsoft Exchange Server level are not inherited by the mailbox of the BlackBerry smartphone user.

Note: Permissions can be applied directly to the Mailbox Database.

Cause

The inheritance is turned off at either the Storage Group or the Mailbox Database level.

Resolution

To correct the inheritance issue, complete the following steps:

1. Use the Exchange Management Console to find the Microsoft Exchange Server name, Storage Group, and Mailbox Database name for the BlackBerry smartphone user.
   1. Open the Exchange Management Console. For more information, see Using the Exchange Management Console at www.microsoft.com.
   2. Under Recipient Configuration, click Mailbox.
   3. Right-click the mailbox for the BlackBerry smartphone user.
   4. Click Properties.
   5. Click General.
   6. Record the information in the Exchange server and Mailbox store fields.
   Once the BlackBerry smartphone user's mailbox database name is verified, use the Exchange Management Shell command to apply Send-As, Receive-As, and ms-Exch-Store-Admin permissions. Make sure the commands are run as either Domain Administrator or Exchange Full Administrator.
2. Open the Exchange Management Shell.
   1. Click Start > All Programs > Microsoft Exchange Server 2007.
   2. Click Exchange Management Shell.
3. Run the command, using one of the two options.
   • To run the command locally on Microsoft Exchange Server 2007 or Microsoft Exchange Server 2007 Service Pack 1, type the following: add-adpermission -user BESAdmin –identity “<mailbox_database_name>” -accessrights GenericRead, GenericWrite -extendedrights Send-As, Receive-As, ms-Exch-Store-Admin
   • To run the command from another computer, type the following: set -mailboxserver <messaging_server_name> add-adpermission -user BESAdmin –identity <mailbox_database_name>-accessrights GenericRead, GenericWrite -extendedrights Send-As, Receive-As, ms-Exch-Store-Admin

Additional Information

The Microsoft® Active Directory® sites and services can be used to verify the mailbox permission on the Microsoft Exchange 2007 Server. In order to have the Microsoft Active Directory sites and services feature, Windows Support Tools need to be installed. If the Windows Support Tools are not installed, login to a domain controller.

1. On the domain controller, start the Active Directory Sites and Services
2. Right-click Active Directory Sites and Services
3. Click View and select Service Nodes
4. Expand Services Folder
5. Expand Microsoft Exchange > Exchange Organization Name > Administrative Groups > Services > Information Store
6. Right-click Mailbox database > Properties > Security
7. Verify that the BlackBerry Service Account has the appropriate permission for the mailbox store.