06-26-2009 11:09 PM
Gee Andy, and I thought you liked to live dangerously! All kidding aside I totally agree with you guys and I've expressed that concern to the powers that be but you know how some people are about change.
For anyone else who's trying to find a solution for this there's a very straightforward solution posted here: http://www.blackberryforums.com.au/forums/microsof
I should note that I didn't have to include the DOMAINNAME after the /G in step 3 - in fact if I put the domain name in I got an error indicating that there was no such account. It wasn't until I found a similar solution on Microsoft's website that they had the same line of code listed without the domain name - dsacls "cn=adminsdholder,cn=system,dc=domainname,dc=c om " /G "BESadmin:CA;Send As"Message Edited by Konos on 06-26-2009 12:07 PM
It is one thing to live dangerously ... it is another to be just stupid. I say that in the kindest way ... but seriously, from a security standpoint, there really is no reason whatsoever to not follow the principle of least privilege .
I'm glad we all agree and are on the same page!