Guru III
knottyrope
Posts: 29,947
Registered: ‎06-25-2008

Re: Domain Admins Cannot Send Emails

MMMM,

How many users do you have and how many admins do you have?

I am just trying to understand your environment.

 




Forums Veteran II
AndyDufresne
Posts: 2,744
Registered: ‎04-01-2008
My Device: Bold

Re: Domain Admins Cannot Send Emails


MMMM wrote:

It is not just the administrator; it is anyone who knows the BES account's password. They can log into any system or just do a Telnet as the BES account and they can get to anyone's email. Of course it will show up in the logs, but you would need to monitor a lot and set a lot of triggers.

The default security permissions that Microsoft has placed on Administrator accounts, specifically to prevent the abuse of reading other users' mail, would not work for the BES account because it will break BES? And you know of no way to configure BES as a true service.

BTW, from my recollection the US government security audits do not test the BES account's access; the account is seen more as a service account than a user account. But I will need to check this on the next audit.


I would think the only people that know the BES Admin account password would be a trusted set of administrators ... whose actions should be monitored anyway. I can't see your point at all with anything you're saying; sorry.

New Contributor
MMMM
Posts: 8
Registered: ‎09-30-2008
My Device: Not Specified

Re: Domain Admins Cannot Send Emails


I would think the only people that know the BES Admin account password would be a trusted set of administrators ... whose actions should be monitored anyway. I can't see your point at all with anything you're saying; sorry.


Yes, you would think that the BES Admin account would be known only by a trusted set of administrators. But remember, by default Domain Administrator and Exchange Administrator accounts do not have access to users' email. This is done to prevent the exact same thing that the BES administrator can do.

Contributor
caff3in3
Posts: 11
Registered: ‎05-31-2008
My Device: Not Specified

Re: Domain Admins Cannot Send Emails

Actually they do have access to user email. You can run a BES with a domain admin account (without setting additional permissions) and the only issue you are likely to run into is one-way calendar sync.

You should be able to log into a workstation as a domain admin account, open Outlook, create a MAPI profile for ANY user account and access the mailbox without being prompted for credentials.

Forums Veteran II
AndyDufresne
Posts: 2,744
Registered: ‎04-01-2008
My Device: Bold

Re: Domain Admins Cannot Send Emails


caff3in3 wrote:

Actually they do have access to user email. You can run a BES with a domain admin account (without setting additional permissions) and the only issue you are likely to run into is one-way calendar sync.

You should be able to log into a workstation as a domain admin account, open Outlook, create a MAPI profile for ANY user account and access the mailbox without being prompted for credentials.


Hmnn ... not really ... Domain Admins by default are denied full access.
