This is fairly old news now but something I thought worth documenting as it affected our two BES installations.
Microsoft have changed the Full Mailbox Access permissions in Exchange so that it no longer implies Send As rights. Recent fixes for store.exe include this change. When applied it affects 3rd party applications like BlackBerry Enterprise Server which previously only used Full Mailbox Access rights for the application account.
You can avoid disruption by a small amount of preparation before applying the latest Exchange fixes. You’ll need to grant the BES admin account Send As rights on the Active Directory user accounts of your BB users. You could do this individually but it would be easier to do it at OU level. You’ll need to take into account the inheritance configuration on your OUs to decide the best location(s) to set the permissions. To see the Security tab on your OU properties you’ll need to enable the Advanced Features in Active Directory Users & Computers. This is done via the View menu:
When viewing the Security tab click the Advanced button. Now click the Add button to add your BES service account. You’ll be presented with a list of permissions. Change the drop down box to User Objects then tick Allow Send As. Once you’ve Ok’d back to ADUC your permissions will be set.
Any administrative users will need to be addressed separately. Administrative users include anyone who is a member of the following groups:
Replicator Server Operators
It should be noted that it is good security practice not to have admin rights on your everyday mail-enabled account.
To handle the administrative users the appropriate permissions need to be set on the AdminSDHolder container. The easiest way to do this is with the dsacls command. To use it you’ll need the Windows Server 2003 Support Tools installed. The syntax of the command is as follows:
Once all your permissions are set and verified you can go ahead and install the Exchange patches knowing that your BlackBerry users will continue to function as before.