Guru III
knottyrope
Posts: 30,386
Registered: 06-25-2008

What is the BESAdmin service account and why does it need certain permissions?


 

I have been hearing this many times over the years, so it's time to write about it finally. The biggest mistake most people make with BES is logging in as Administrator when installing, upgrading or administering BES. If it is BES related, log in with your BESAdmin service account. Let's go on to the reasons why and some of the effects. Sorry if this is mostly Exchange related.

 

Active Directory

BES works with Active Directory, so the BESAdmin service account needs to have a Domain user account and also be mail enabled on an Exchange server. Since Microsoft has certain roles in Exchange, it is important not to give too many rights to the service account. A domain admin should never be mail enabled; think about what one malicious email could do to every PC connected to the domain. This is why Send As is revoked if the BESAdmin service account is a Domain Admin. It is a security feature that many server admins either don't know about or have forgotten.

 

More info here

http://www.blackberry.com/btsc/KB04557

 

Send As

BES needs Send As rights since it's the BESAdmin service account that actually does the sending of emails; your AD account does not do the actual sending. This is why it has to be applied to all BlackBerry smartphone users in a Microsoft® Active Directory® domain or container.

 

More info here on Send As

http://na.blackberry.com/eng/support/software/sendas.jsp


http://na.blackberry.com/eng/support/software/sendasfaq.jsp


Video on send as
https://www.blackberry.com/blackberrytraining/web/SendAs/Source/video/sendAs.html

 

Receive As

Without this role in Exchange, BES will be unable to retrieve email through the MAPI profile created for BESAdmin and then transfer the email to the devices.

 

Administer information

BES 5.0.2 and earlier uses a hidden folder in the user's mailbox to store info on message tracking. Without this role the folder cannot be created or accessed.

 

View Only Admin role in exchange

Again, this is an area where many people assign too many rights. Doing so invokes security and the BESAdmin service account will be unable to access the info in the stores that it needs to. Also, don't forget that if inheritance is not enabled, you would have to do this for every user you add to BES.

 

For testing permissions

How to use the IEMSTest.exe tool to verify that the BlackBerry Enterprise Server service account can...  

 

Local Admin

Without local admin rights to the server OS, you will find it hard to install anything, including BES.

Without Local Run As rights, none of the BES services will be able to run upon server startup.

 

SQL Permissions

SQL is the heart of BES; without it BES will not start up, since all user account info is in SQL. BESAdmin needs to access the SQL database at a higher level than most apps. The Server Administrators and Database Creators roles have to be enabled or BES will not function. Also make sure it is the owner of the BESMGMT database. Many people make the mistake of logging on to SQL Server Management Studio with a SQL administrator account when setting up a remote SQL server; this will end up changing the owner of the database to whatever you logged in as. Usually you can change the owner back to BESAdmin after you are done.

 

Please use the following KB to assign Permissions for the BESAdmin service account

http://www.blackberry.com/btsc/KB02276

 

Please remember

If you want your BES and handhelds to work correctly for everyone, all of the time, then you need to follow RIM's guidelines and best practices.

Don't forget the Principle of Least Privilege...

http://en.wikipedia.org/wiki/Principle_of_least_privilege


Make yourselves normal users, and then create a secondary login with Domain Admin privileges or other elevated permissions. Only use that secondary login with elevated permissions when necessary.

 


Contributor
SuperG
Posts: 27
Registered: 10-21-2010

Re: What is the BESAdmin service account and why does it need certain permissions?

Excellent post. Thanks Knotty!

BlackBerry Technical Advisor (Retired)
CerealBypass
Posts: 616
Registered: 03-25-2009

Re: What is the BESAdmin service account and why does it need certain permissions?

Great post Knots! Some quick clarifications:

 

We need to set the Send As permission in two places, AD and Exchange. As Knotty mentioned, one is to allow the besadmin to send mail for the users (the AD permission) and the other is used for calendaring.

 

As for Receive As, we don't actually need to set this in AD, we only need it in Exchange. Likewise, it is necessary for calendaring.

 

When an AD user account is a member of Domain Admins, it has to conform to the permissions scheme found on the AdminSDHolder object in AD. That's why we run into the Send As issue outlined in KB04707. If you haven't seen that article lately, check it out. It was recently rewritten with A LOT of useful information.

 

If the besadmin account is a Domain Admin, it loses the Exchange Send As permission, which won't really cause any issues with sending mail, but can prevent calendar synchronization from the device to Outlook from working correctly.

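The checklist in knottyrope's post and CerealBypass's AdminSDHolder clarification, put into one audit script. This is an added example, not code from the original thread or from the BlackBerry KBs it links: it flags a service account that is a Domain Admin or otherwise AdminSDHolder-protected, then reports per-mailbox Send-As and database-level Receive-As and Administer information store (the ms-Exch-Store-Admin extended right) for that account. It assumes the Exchange 2010 Management Shell with the ActiveDirectory module available; the account name CORREO_BSAS\besadmin is a placeholder taken from the output later in the thread.

```powershell
# Added example (not from the original thread). Run in the Exchange 2010
# Management Shell; the ActiveDirectory module must be installed.
Import-Module ActiveDirectory
$svc        = 'CORREO_BSAS\besadmin'      # placeholder: your BESAdmin account
$samAccount = $svc.Split('\')[1]

# 1. Protected account check. AdminSDHolder periodically rewrites the ACL of
#    Domain Admins members (adminCount=1), which is how the Exchange Send-As
#    grant gets stripped (KB04707). Nested membership counts too.
$user = Get-ADUser $samAccount -Properties adminCount
$inDomainAdmins = [bool](Get-ADGroupMember 'Domain Admins' -Recursive |
                         Where-Object { $_.SamAccountName -eq $samAccount })
if ($inDomainAdmins -or $user.adminCount -eq 1) {
    Write-Warning "$svc is AdminSDHolder-protected; Send-As will be reset. Use a plain domain user."
}

# 2. Per-mailbox Send-As, the right BES uses to send on behalf of users.
#    A Deny ACE wins over an inherited Allow, so report both conditions.
$problems = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    $aces = Get-ADPermission -Identity $mbx.DistinguishedName |
        Where-Object { $_.User -like $svc -and $_.ExtendedRights -like '*Send-As*' }
    $denied = @($aces | Where-Object { $_.Deny })
    if (-not $aces -or $denied.Count -gt 0) {
        [pscustomobject]@{
            Mailbox   = $mbx.Alias
            Denied    = ($denied.Count -gt 0)
            Inherited = (@($aces) | ForEach-Object { $_.IsInherited }) -join ','
        }
    }
}
$problems | Format-Table -AutoSize

# 3. Store-level rights on every mailbox database: Receive-As (read the mailbox
#    through the MAPI profile) and ms-Exch-Store-Admin ("Administer information
#    store", needed for the hidden BES folder on 5.0.2 and earlier).
foreach ($db in Get-MailboxDatabase) {
    $rights = Get-ADPermission -Identity $db.DistinguishedName |
        Where-Object { $_.User -like $svc -and -not $_.Deny } |
        ForEach-Object { $_.ExtendedRights } | ForEach-Object { "$_" }
    foreach ($need in 'Receive-As', 'ms-Exch-Store-Admin') {
        if ($rights -notcontains $need) {
            Write-Warning "$($db.Name): $svc lacks $need"
        }
    }
}
```

Any mailbox listed in the table, or any database warning, points at the permission the matching section of the thread describes; fix it with the KB02276 procedure rather than by widening the account's group membership.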
Contributor
MaxTPower
Posts: 17
Registered: 10-13-2010

Re: What is the BESAdmin service account and why does it need certain permissions?

For clarification, the Receive As permission is needed to update free/busy information so calendar appointments can be updated, created, etc. on the handheld. Administer information is needed to access the user's mailbox to create the hidden folder and to process email, etc. You can test it out. By removing the Administer information store permission for the BB service account, BES cannot access the user's mailbox. Remove the Receive As permission (along with the Send As permission on the Exchange server) and the service account will not be able to update free/busy information, and the user will not be able to update the calendar from the handheld. But message flow would continue.

 

Cheers.


Max

Contributor
lfcaroprese
Posts: 13
Registered: 01-09-2012

Re: What is the BESAdmin service account and why does it need certain permissions?

OK, thanks.

I did everything in your links and only found 2 things that are different. In all my BES users there exist two permissions, one with False and the other with True (I verified with other users where the BES is OK and it's equal).

The second thing is with IEMSTest.exe, which never shows anything.

I used BES Express before on the same server and it was OK until we updated Exchange Server 2010 to SP1 and SP2.

 


 

[PS] C:\Users\administrador\Desktop>Get-Mailbox -Identity "VBarrios" | Get-ADPermission | where { ($_.ExtendedRights -like "*Send-As*") -and -not ($_.User -like "NT AUTHORITY\SELF") } | select Identity, User, ExtendedRights, IsInherited | FT -Wrap

Identity                                                           User                  ExtendedRights  IsInherited
--------                                                           ----                  --------------  -----------
orbis.com.ar/OrbisBSAS/Comercial/Marketing/Maria Victoria Barrios  CORREO_BSAS\besadmin  {Send-As}       False
orbis.com.ar/OrbisBSAS/Comercial/Marketing/Maria Victoria Barrios  CORREO_BSAS\besadmin  {Send-As}       True

 
