subtitle “Send As issue with Administrator accounts
(users who are Enterprise and/or Domain Administrator accounts)”
for a long while there has been a known issue whenever BlackBerry Server (whatever flavor) is configured for a user with admin rights. The workaround is below and is primarily credited to awesome Aussie Gary Cutri’s work:
Join Date: Sep 2006, Location: Melbourne, Posts: 1,895
To correct the "Send As" issue I have outlined the steps I use to quickly resolve this issue:
1. Stop the Blackberry Router service.
2. Open Active Directory and from the View menu select "Advanced Features". Then go to each user that will be added to the BES and open their properties, go to the security tab and add the user BESadmin and add the security permission "Send As".
3. Run the following script logged on as Administrator
Note: Only use this step if you have BlackBerry users that are members of Admin groups. Using best practice methods it is recomended that mobile user accounts aren’t members of any administration groups.
dsacls "cn=adminsdholder,cn=system,dc=domainname,dc=com" /G "DOMAINNAME\BESadmin:CA;Send As"
Example 1: dsacls "cn=adminsdholder,cn=system,dc=experts-exchange,dc=com" /G "EXPERTS_EXCHANGE\BESadmin:CA;Send As"
Example 2: dsacls "cn=adminsdholder,cn=system,dc=blackberryforums,dc=com,dc=au" /G "BLACKBERRYFORUMS\BESadmin:CA;Send As"
Example 3: dsacls "cn=adminsdholder,cn=system,dc=mobilenetwork,dc=local" /G "MOBILENETWORK.local\BESadmin:CA;Send As"
NOTE: dsacls can be found in the Windows Server 2003 SP1 Support Tools pack: Download details: Windows Server 2003 Service Pack 1 32-bit Support Tools
4. Wait 20 minutes and then restart the BlackBerry Router service.
5. Restart the BES server.
Pasted (with minor edits) from <http://www.blackberryforums.com.au/forums/microsoft-exchange/1178-unlisted-message-error-desktop-email-program-unable-submit-message.html>
**** so why all the waiting and restarting needed above? …read more****
The AdminSDHolder container is a special container object inside of the System container in Active Directory. The basic function of AdminSDHolder is exactly what it says it does – it holds the Access Control List (ACL) for every admin account. This container is just a template. Once every hour, the DC that holds the PDC Emulator role goes through every account that is in built-in Administrators group and checks the ACL for each user object. It compares this ACL to that of the AdminSDHolder container and if any Access Control Entry (ACE) is different, it rips out the old ACL and copies the ACL from the AdminSDHolder over to it.
The purpose of AdminSDHolder is to prevent against a specific attack scenario. Active Directory is extremely flexible down to it’ s most granular level. Because of this, a user can have ‘write access’ to anything inside of a specific OU. If an admin account is moved to an OU that a non-admin has rights to, he could give himself privileged access to the admin account. AdminSDHolder tries to prevent this from happening by continuously refreshing the ACL on an admin account.
Re: Stopping the BlackBerry Router Service
Stopping the BlackBerry Router allows the Exchange Servers to clear the cached permissions for the BlackBerry Enterprise Server administration account. I am currently investigating various methods to expedite this process (e.g Restarting the Information Store Service).
Pasted from <http://www.blackberryforums.com.au/forums/microsoft-exchange/1178-unlisted-message-error-desktop-email-program-unable-submit-message.html>