Port3101.org : Your BES Connection
KB12309 - Administration accounts in protected Active Directory groups
 
#1 (permalink)
02-08-2009, 01:21 PM
hdawg (Proprietor)


Environment

  • BlackBerry® Enterprise Server for Microsoft® Exchange
  • Microsoft® Exchange Server 2000, 2003 and 2007
  • Windows Server® 2000, 2003, and 2008



Overview

When using the SetSendAsPermission tool to address problems with the Send As permission being revoked for the BlackBerry Enterprise Server administration account (for example, BESAdmin), the change made to the administration account is temporary and needs to be continuously reapplied. This will happen if the administration account is in a protected Microsoft® Active Directory® group.
Microsoft Active Directory user objects can be explicit or transitive members of a protected group. This means that user objects can be added to a protected group explicitly or because they are contained in a group that is added to the protected group (they are joined to the protected group by association). Rather than inheriting their permissions from a parent container, their Access Control List (ACL) is a copy of the ACL on the AdminSDHolder object.
Every hour, by default, the Domain Controller (DC) that has the Primary Domain Controller (PDC) emulator and Flexible Single Master Operation (FSMO) roles compares the ACL for user objects associated with protected groups to the ACL on the AdminSDHolder object. If any differences are found during that comparison, the user object ACL is updated to match the current ACL of the AdminSDHolder object.
To control the frequency at which the AdminSDHolder object updates security descriptors, create or modify the AdminSDProtectFrequency entry in the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
When the AdminSDProtectFrequency registry entry is not present, the AdminSDHolder object updates security descriptors every 60 minutes (3600 seconds). You can use this registry entry to set this frequency to any rate between 1 minute (60 seconds) and 2 hours (7200 seconds) by entering the value in seconds. However, we do not recommend that you modify this value except for brief testing periods. Modifying this value can increase Local Security Authority Subsystem Service (LSASS) processing overhead and is not recommended by Research In Motion® or Microsoft and should only be used for testing purposes in a non-production environment.
The following are protected groups in Windows Server 2000:
  • Administrators
  • Domain Administrators
  • Enterprise Administrators
  • Schema Administrators
The following are protected groups in Windows Server 2000 SP4, Windows Server 2003 and Windows Server 2008:
  • Administrators
  • Account Operators
  • Backup Operators
  • Cert Publishers
  • Domain Administrators
  • Enterprise Administrators
  • Print Operators
  • Schema Administrators
  • Server Operators
The following user objects also are protected:
  • Administrator
  • Krbtgt



Additional Information

It is possible to modify Microsoft Active Directory permissions to allow BlackBerry smartphone users who are members of protected groups to send email messages from their BlackBerry smartphones without creating secondary email accounts using the DSACLS.exe utility. For instructions on modifying the permissions that are associated with the AdminSDHolder Microsoft Active Directory object and have been changed by the recent Microsoft Exchange update, refer to the Microsoft Support Knowledge Base.
Important: This procedure is not recommended by Microsoft or by Research In Motion.

For more information and instructions on setting the Send As permission, see KB04707.

__________________
http://blog.port3101.org/hdawg/

The views expressed by me on Port3101 and its affiliated sites are my own and do not necessarily reflect the views of my employer.
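
A read-only check of the situation the KB article describes, added here as an example and not part of the original post or the KB article: it reports whether the administration account is an explicit or transitive member of a protected group, whether its ACL has inheritance disabled, and whether AdminSDProtectFrequency is set on the PDC emulator. It assumes the ActiveDirectory PowerShell module, PowerShell remoting to the PDC emulator, English group names, and the article's example account name BESAdmin.

```powershell
# Added example (not from the KB article). Read-only; makes no changes.
# Assumptions: ActiveDirectory module (RSAT), PowerShell remoting to the PDC
# emulator, English group names, and the article's example account 'BESAdmin'.
Import-Module ActiveDirectory

$AccountName = 'BESAdmin'
# sAMAccountNames of the protected groups the article lists
$ProtectedGroups = 'Administrators', 'Account Operators', 'Backup Operators',
                   'Cert Publishers', 'Domain Admins', 'Enterprise Admins',
                   'Print Operators', 'Schema Admins', 'Server Operators'

$user = Get-ADUser -Identity $AccountName -Properties adminCount, memberOf, nTSecurityDescriptor

# The 1.2.840.113556.1.4.1941 matching rule walks nested groups, so it finds
# transitive as well as explicit membership. It does not see primary-group
# membership, which has to be checked separately.
$hits = foreach ($name in $ProtectedGroups) {
    # -Filter returns nothing (no error) for groups absent from this domain,
    # e.g. Enterprise Admins and Schema Admins outside the forest root.
    $group = Get-ADGroup -Filter "sAMAccountName -eq '$name'"
    if (-not $group) { continue }
    $ldap = "(&(sAMAccountName=$AccountName)" +
            "(memberOf:1.2.840.113556.1.4.1941:=$($group.DistinguishedName)))"
    if (Get-ADUser -LDAPFilter $ldap) {
        $kind = if ($user.memberOf -contains $group.DistinguishedName) { 'explicit' } else { 'transitive' }
        "$($group.Name) ($kind)"
    }
}

# AdminSDProtectFrequency is read on the DC holding the PDC emulator role.
$pdc  = (Get-ADDomain).PDCEmulator
$freq = Invoke-Command -ComputerName $pdc -ScriptBlock {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    (Get-ItemProperty -Path $key -Name AdminSDProtectFrequency -ErrorAction SilentlyContinue).AdminSDProtectFrequency
}

[pscustomobject]@{
    Account            = $user.SamAccountName
    # adminCount = 1 is stamped on objects the AdminSDHolder process has protected
    AdminCount         = $user.adminCount
    # True means the ACL is a copy rather than inherited from the parent container
    InheritanceBlocked = $user.nTSecurityDescriptor.AreAccessRulesProtected
    ProtectedGroups    = $hits -join '; '
    PdcEmulator        = $pdc
    AdminSDProtectFrequency = if ($null -eq $freq) { 'not set (default 3600 s)' } else { "$freq s" }
}
```

If ProtectedGroups is non-empty and InheritanceBlocked is True, the hourly comparison described in the article will keep overwriting a Send As grant made directly on the account.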

#2 (permalink)
06-12-2009, 12:23 PM
hdawg (Proprietor)

updated.

#3 (permalink)
08-25-2009, 10:43 PM
hdawg (Proprietor)

updated