New Contributor
Posts: 2
Registered: ‎03-14-2010
My Device: iPhone
My Carrier: ATT

Exchange 2010 Add-ADPermission Setting up BES 5.01 error

Trying to run the following command, keep getting access denied. Any ideas? The user account I'm running it from has all the correct AD permissions.

 

 C:\Windows\system32>Add-ADPermission -InheritedObjectType User -InheritanceType Descendents -ExtendedRights Send-As  -User "BESAdmin" -Identity "CN=Users,DC=Domainname,DC=NET"

 

Active Directory operation failed on DomainControllerName. This error is not retriable. Additional information: Access  is denied.

 

Active directory response: 00000005: SecErr: DSID-03152492, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

   + CategoryInfo          : WriteError: (0:Int32) [Add-ADPermission], ADOperationException

 + FullyQualifiedErrorId : FE21B8F7,Microsoft.Exchange.Management.RecipientTasks.AddADPermission

 

 

Guru III
Posts: 32,116
Registered: ‎06-25-2008

Re: Exchange 2010 Add-ADPermission Setting up BES 5.01 error

What rights does the account you have logged in with have? For example, is it a domain admin or in any protected group?

 

Is BESAdmin only a domain user?

 

 

 






New Contributor
Posts: 2
Registered: ‎03-14-2010
My Device: iPhone
My Carrier: ATT

Re: Exchange 2010 Add-ADPermission Setting up BES 5.01 error

The user I am running the command as has all the required permissions:

 

-Schema

-Domain

-Enterprise

 

BESADMIN is only a member of the following groups:

Domain Users

Public Folder Management

View Only Organizational Management

 

 

 

 

 

I can run the command against a single user, and it works.

 

 

Guru III
Posts: 32,116
Registered: ‎06-25-2008

Re: Exchange 2010 Add-ADPermission Setting up BES 5.01 error

Could be that Send As is revoked

 

See if this applies

http://support.microsoft.com/kb/907434

 






New Contributor
Posts: 4
Registered: ‎04-30-2010
My Device: N/A
My Carrier: Verizon

Re: Exchange 2010 Add-ADPermission Setting up BES 5.01 error

[ Edited ]

I was getting the same error as you while repeatedly knocking my head against my desk! Turns out it had nothing to do with permissions, the error is because you are not specifying the EXACT Distinguished Name for your BESAdmin account. (solution pulled from blackberryforums.com)

Here's how to determine the exact Distinguished Name

1. On your Exchange Server launch Active Directory Users & Computers
2. Select View | Advanced Features (check Advanced Features if it isn't already)
3. Go down the OU's until you locate your user (BESAdmin in my case)
4. Right-Click on your BESAdmin user and select "Properties"
5. Click on the "Attribute Editor" tab
6. Scroll down in this list of attributes until you find "distinguishedName"
7. Highlight, click view, and copy the entire Value.

Mine is "CN=BES Admin,CN=Users,DC=mydomain,DC=com"

8. Now go back to the Exchange Management Shell and re-enter the entire "Add-ADPermission" command, this time using the Distinguished Name you found in ADUC.

Again the command is:

Add-ADPermission -InheritedObjectType User -InheritanceType Descendents -ExtendedRights Send-As -User "BESAdmin" -Identity "CN=BES Admin,CN=Users,DC=mydomain,DC=com"

 

Worked for me and took care of my "Send As" warning in the BES setup (going for a second try on loading it up) :)

New Member
Posts: 1
Registered: ‎05-09-2010
My Device: Blackberry 8900
My Carrier: Cincinnati Bell

Re: Exchange 2010 Add-ADPermission Setting up BES 5.01 error

This can't be correct. The -Identity parameter to Add-ADPermission specifies the object on which the new permissions will be set. The effect of this change is to give the BESAdmin user Send-As permissions on itself. The whole point of this command, as it is described in the BES 5.0.1 installation guide, is to give the BESAdmin user Send-As permissions on the Users container such that those permissions will be inherited by any contained user accounts.

 

Meanwhile RIM Tech Support pointed me to a knowledge base article at http://www.blackberry.com/btsc/KB21225, which is relevant to this issue. Basically the article says the problem is due to the somewhat magical way that Add-ADPermission works. Not only does the user account under which the command is executed need sufficient permissions to modify permissions on an Active Directory object, but so does the Exchange Servers security group, and it doesn't have them by default.

 

The KB article suggests granting full control of all Active Directory objects to the Exchange Servers group. This seems excessive, so I am working on figuring out the minimum set of permissions that could be applied to the Users container to make the Add-ADPermission command work.
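
A check for the disagreement in the last two posts, as an added example (not code from the thread or from the BES installation guide): it reports where BESAdmin actually holds Send-As, so you can tell a grant on the Users container that user objects inherit from a grant that sits only on the BESAdmin object itself. The DNs are the placeholder values quoted in the thread, and `$SampleUserDn` is a hypothetical user account chosen for the check.

```powershell
# Added example: run in the Exchange Management Shell (Exchange 2010).
# The DNs are the placeholder values quoted in this thread; $SampleUserDn is hypothetical.
$Trustee      = 'BESAdmin'
$ContainerDn  = 'CN=Users,DC=mydomain,DC=com'
$AccountDn    = 'CN=BES Admin,CN=Users,DC=mydomain,DC=com'
$SampleUserDn = 'CN=Sample User,CN=Users,DC=mydomain,DC=com'

function Get-SendAsAce {
    param(
        [Parameter(Mandatory = $true)][string]$Identity,
        [Parameter(Mandatory = $true)][string]$Trustee
    )
    # Keep only the ACEs that carry the Send-As extended right for the trustee.
    Get-ADPermission -Identity $Identity |
        Where-Object {
            ($_.ExtendedRights -like 'Send-As') -and
            ($_.User.ToString() -like "*$Trustee")
        } |
        Select-Object Identity, User, Deny, IsInherited, InheritanceType, InheritedObjectType
}

# One row per object: how many Send-As ACEs for the trustee are set directly
# on the object, how many arrive by inheritance, and how many are Deny entries.
$report = foreach ($dn in $ContainerDn, $AccountDn, $SampleUserDn) {
    $aces = @(Get-SendAsAce -Identity $dn -Trustee $Trustee)
    New-Object PSObject -Property @{
        Identity       = $dn
        ExplicitAllow  = @($aces | Where-Object { -not $_.IsInherited -and -not $_.Deny }).Count
        InheritedAllow = @($aces | Where-Object { $_.IsInherited -and -not $_.Deny }).Count
        Deny           = @($aces | Where-Object { $_.Deny }).Count
    }
}

# Reading the result:
#  - ExplicitAllow on the container and InheritedAllow on the sample user:
#    the container-wide grant is in place.
#  - ExplicitAllow only on the BESAdmin object: the grant applies to that one
#    account, which is the outcome the last post describes.
$report | Format-Table Identity, ExplicitAllow, InheritedAllow, Deny -AutoSize
```

The script only reads permissions with Get-ADPermission, so it can be run before and after any change to confirm exactly which objects were affected.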