Assigning permissions for the BlackBerry Enterprise Server service account

  • BlackBerry® Enterprise Server software version 3.5 and later for Microsoft® Exchange
  • Microsoft® Exchange 2000, 2003 and 2007

    The following permissions can be assigned for the BlackBerry Enterprise Server service account:
    1. Local Administrator rights on the BlackBerry Enterprise Server
    2. Local Security Policy permissions for the BlackBerry Enterprise Server service account
    3. Microsoft Exchange permissions at the Administrative Group level
    4. Microsoft Exchange permissions at the Microsoft Exchange Server level
    5. Send As permission at the Domain level
    6. Database permissions for managing the BlackBerry Configuration Database

    To assign permissions, complete the following tasks.

    Note: The BlackBerry Enterprise Server service account should be a Domain User only, not a Domain Administrator. See KB04557 for more information.


    Task 1

    To assign Local Administrator rights to the BlackBerry Enterprise Server service account, complete the following steps:

    If installing BlackBerry Enterprise Server on a Domain Controller

    1. Go to Start > Programs > Administrative Tools > Active Directory Users and Computers.
    2. Select the Builtin folder.
    3. Double-click Administrators.
    4. On the Members tab, click Add.
    5. Select the BlackBerry Enterprise Server service account name (for example, BESAdmin), and then click Add.
    6. Click OK.
    7. Click OK again.

    If installing BlackBerry Enterprise Server on a Member Server

    1. Click Start > Administrative Tools > Computer Management.
    2. In the left pane, expand System Tools and click Local Users and Groups.
    3. In the right pane, double-click Groups.
    4. Right-click Administrators and click Properties.
    5. In the Select Users, Contacts, Computers, or Groups window, select the BlackBerry Enterprise Server service account name.
    6. Click OK.

    Task 2

    To assign Local Security Policy permissions to the BlackBerry Enterprise Server service account, complete the following steps:

    Note: This allows the BlackBerry Enterprise Server service account to access the local computer and to run the BlackBerry Enterprise Server software as a Windows® service.

    1. Click Start > Administrative Tools > Local Security Policy. If the computer is a domain controller, click Start > Administrative Tools > Domain Controller Security Policy.
    2. In the Local Securities window, click Local Policies > User Rights Assignment.
    3. Do one of the following:
      • For Windows Server® 2000, double-click Log on Locally
      • For Windows Server 2003, double-click Allow Log on Locally
    4. Click Add User or Group.
    5. Select the BlackBerry Enterprise Server service account name and click Add.
    6. Click OK.
    7. In the Local Security Settings window, double-click Log On As a Service.
    8. Click Add User and select the BlackBerry Enterprise Server service account.
    9. Click OK.
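The two user rights set in Task 2 can be confirmed from a script instead of the policy editor. The following is an added example, not part of the original article: it exports the effective user rights with `secedit` and checks whether the service account is listed directly for each right. The account name `CONTOSO\BESAdmin` and the temporary file name are placeholders.

```powershell
# Added example: confirm the Task 2 user rights for the service account.
# 'CONTOSO\BESAdmin' is a placeholder. Run from an elevated PowerShell prompt.
param([string]$Account = 'CONTOSO\BESAdmin')

# Parse the "SeXxx = holder,holder" lines of a secedit export into name -> holders.
function Get-UserRightHolders {
    param([string]$InfPath)
    $rights = @{}
    foreach ($line in Get-Content -Path $InfPath) {
        if ($line -match '^\s*(Se\w+)\s*=\s*(.+)$') {
            # Holders are comma-separated; SIDs carry a leading '*'.
            $rights[$Matches[1]] = @($Matches[2].Split(',') |
                ForEach-Object { $_.Trim().TrimStart('*') })
        }
    }
    $rights
}

# Resolve the account to its SID, the form secedit normally writes.
$nt    = New-Object System.Security.Principal.NTAccount($Account)
$sid   = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
$names = @($sid, $Account, $Account.Split('\')[-1])

$inf = Join-Path $env:TEMP 'bes-user-rights.inf'   # placeholder file name
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$rights = Get-UserRightHolders -InfPath $inf
Remove-Item -Path $inf

# Rights required by Task 2, plus the deny rights that would override them.
$expected = @{
    SeInteractiveLogonRight     = $true    # Allow log on locally
    SeServiceLogonRight         = $true    # Log on as a service
    SeDenyInteractiveLogonRight = $false
    SeDenyServiceLogonRight     = $false
}
foreach ($right in $expected.Keys) {
    $holders = @($rights[$right])
    $listed  = @($holders | Where-Object { $names -contains $_ }).Count -gt 0
    $status  = $(if ($listed -eq $expected[$right]) { 'OK' } else { 'REVIEW' })
    '{0,-6} {1,-28} listed={2}' -f $status, $right, $listed
}
```

The check covers direct assignment only, which is what Task 2 configures; a right the account holds through a group such as Administrators is reported as not listed.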

    Task 3

    To assign Microsoft Exchange Server permissions at the Administrative Group level, complete the following steps for your environment:

    Note: This allows a system administrator to manage BlackBerry smartphone users and groups.

    On Microsoft Exchange 2000 or 2003

    1. Go to Start > Programs > Microsoft Exchange > System Manager.
    2. Select Administrative Groups.
    3. Right-click First Administrative Group and select Delegate Control.
    4. In the Exchange Administration Delegation Wizard, click Next, and then click Add.
    5. Click Browse and select the BlackBerry Enterprise Server service account.
    6. Click OK.
    7. In the Role drop-down list of the Delegate Control window, select Exchange View Only Administrator.
    8. Click OK to add the BlackBerry Enterprise Server service account to the Users and Groups list.
    9. Click Next, and then click Finish.

    On Microsoft Exchange 2007

    To set an Exchange View Only Administrator role:

    1. Go to Start > Programs > Microsoft Exchange Server 2007 > Exchange Management Shell.
    2. In the command prompt window, type the following and then press ENTER:

    add-exchangeadministrator <BESAdmin> -role ViewOnlyAdmin

    where <BESAdmin> is the name of the BlackBerry Enterprise Server service account.

    To check an Exchange View Only Administrator role:

    1. Open Windows PowerShell, and then open a command prompt window.
    2. At the command prompt window, type the following and then press ENTER:

      get-exchangeadministrator | Format-List

    3. Verify that the BlackBerry Enterprise Server service account has the ViewOnlyAdmin role.

    Task 4

    To assign Microsoft Exchange Server permissions at the Microsoft Exchange Server level, complete the following steps:

    On Microsoft Exchange 2000 or 2003

    1. Go to Start > Programs > Microsoft Exchange > System Manager.
    2. Select Administrative Groups > First Administrative Group > Servers.
    3. Right-click the Microsoft Exchange Server name and select Properties.
    4. On the Security tab, select the BlackBerry Enterprise Server service account.
    5. Select the following permissions from the Permissions list:
      • Administer Information Store
      • Send As
      • Receive As
    6. Click the Advanced button.
    7. Verify that the Allow inheritable permissions from parent to propagate to this object and all child objects option is selected.
    8. Click OK.
    9. Repeat the preceding steps for each Microsoft Exchange Server within the routing group that will host mailboxes for BlackBerry smartphone users with accounts on a BlackBerry Enterprise Server.

    On Microsoft Exchange 2007

    To set Send As, Receive As, and Administer Information Store permissions:

    1. Open Windows PowerShell, and then open a command prompt window.
    2. At the command prompt window, type the following line, and then press ENTER:

      get-mailboxserver Exchange2007 | add-adpermission -user <BESAdmin> -accessrights GenericRead, GenericWrite -extendedrights Send-As, Receive-As, ms-Exch-Store-Admin

    where:
      • Exchange2007 is the name of the Microsoft Exchange 2007 Server
      • <BESAdmin> is the name of the BlackBerry Enterprise Server service account

    To check the Send As, Receive As, and Administer Information Store permissions:

    1. Open Windows PowerShell, and then open a command prompt window.
    2. At a command prompt, type the following line, and then press ENTER:

     get-mailboxserver Exchange2007 | get-ADpermission -user BESAdmin | Format-List
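The check above prints every entry and leaves the comparison to the reader. The following added example, which is not part of the original article, does the comparison: it collects the extended rights the account holds on the mailbox server, then reports anything missing from, or beyond, the three rights Task 4 grants. `Exchange2007` and `BESAdmin` are the article's example names.

```powershell
# Added example: compare the service account's rights on the mailbox server
# with the set Task 4 grants. Run in the Exchange Management Shell.
# 'Exchange2007' and 'BESAdmin' are the article's example names.
param(
    [string]$Server  = 'Exchange2007',
    [string]$Account = 'BESAdmin'
)

$expected = 'Send-As', 'Receive-As', 'ms-Exch-Store-Admin'

$aces = @(Get-MailboxServer $Server | Get-ADPermission -User $Account)

# Deny entries override allows, so count them separately.
$deny  = @($aces | Where-Object { $_.Deny })
$allow = @($aces | Where-Object { -not $_.Deny })

# Flatten the extended rights on the allow entries to unique names.
$granted = @($allow | ForEach-Object { $_.ExtendedRights } |
    Where-Object { $_ } | ForEach-Object { $_.ToString() } |
    Sort-Object -Unique)

$missing = @($expected | Where-Object { $granted -notcontains $_ })
$extra   = @($granted  | Where-Object { $expected -notcontains $_ })

'Account       : {0} on {1}' -f $Account, $Server
'Granted       : {0}' -f [string]::Join(', ', $granted)
'Missing       : {0}' -f [string]::Join(', ', $missing)
'Beyond Task 4 : {0}' -f [string]::Join(', ', $extra)
'Deny entries  : {0}' -f $deny.Count

# Show each entry with its inheritance flag, so a grant made higher up
# can be told apart from one made directly on the server object.
$aces | Format-Table User, Deny, IsInherited, AccessRights, ExtendedRights -AutoSize
```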

    On Microsoft Exchange 5.5

    The BlackBerry Enterprise Server service account requires the Service Account Admin permissions on the Site container and Configuration container.


    Task 5

    To grant the Send As permission on a single account for all BlackBerry smartphone users in a Microsoft® Active Directory® domain or container, complete the following steps:

    1. Open Active Directory Users and Computers.
    2. From the View menu, select the Advanced Features option.

      Note: If Advanced Features is not selected, the Security page will not be visible for domain and container objects.

    3. Right-click the appropriate domain or container and click Properties.
    4. On the Security tab, click Advanced.
    5. If the BlackBerry Enterprise Server service account that requires the Send As permission is not listed, click Add and select the BlackBerry Enterprise Server service account name.
    6. Click OK.
    7. Double-click the BlackBerry Enterprise Server service account name.
    8. Select User Objects in the Applies Onto list.
    9. Select the Send As check box.
    10. Click Apply and then click OK.
    11. Close the Properties window and then close Active Directory Users and Computers.

    Note: For additional ways to assign the Send As permission, see article 912918 in the Microsoft Support Knowledge Base.
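Because Task 5 grants Send As across every user object in a domain or container, it is worth reviewing which trustees end up holding that right. The following added example, not part of the original article, summarises the Send-As entries on mailbox-enabled users in an Exchange 2007 organization, grouped by trustee. It reads access control entries only and does not expand group trustees into their members.

```powershell
# Added example: summarise which trustees hold Send-As on mailbox user objects.
# Run in the Exchange Management Shell (Exchange 2007).
# Lists ACEs only; group trustees are not expanded to their members.

$aces = Get-Mailbox -ResultSize Unlimited | Get-ADPermission |
    Where-Object {
        ($_.ExtendedRights -like '*Send-As*') -and
        (-not $_.Deny) -and
        ($_.User.ToString() -ne 'NT AUTHORITY\SELF')   # each user on its own object
    }

# One row per trustee: how many mailboxes it can send as, and how many of
# those entries are inherited (Task 5 style) rather than set on the object.
$aces | Group-Object { $_.User.ToString() } |
    Select-Object `
        @{ Name = 'Trustee';   Expression = { $_.Name } },
        @{ Name = 'Mailboxes'; Expression = {
            @($_.Group | ForEach-Object { $_.Identity.ToString() } |
                Sort-Object -Unique).Count } },
        @{ Name = 'Inherited'; Expression = {
            @($_.Group | Where-Object { $_.IsInherited }).Count } },
        @{ Name = 'Explicit';  Expression = {
            @($_.Group | Where-Object { -not $_.IsInherited }).Count } } |
    Sort-Object Mailboxes -Descending |
    Format-Table -AutoSize
```

After Task 5, the service account should appear with inherited entries on the mailboxes in the chosen domain or container; any other trustee with a large mailbox count is a candidate for review.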


    Task 6

    To assign the required permissions for managing the BlackBerry Configuration Database, see Task 2 in KB03112.

    For additional information on the permissions that are required to manage the BlackBerry Configuration Database, see KB03633.


    Additional Information

    Microsoft Exchange 2007 is supported in BlackBerry Enterprise Server software version 4.1 Service Pack 3 and later.

    If the server is a Microsoft® SQL Server™, assign the Server roles by completing the following steps:

    Note: The following is not applicable to Microsoft SQL Server Desktop Engine (MSDE).

    1. In the SQL Enterprise Manager, go to Microsoft SQL Servers/SQL Server Group/<SQL_server_name>
    2. Expand the Microsoft SQL Server and expand security.
    3. Right-click Logins and click New Login.
    4. On the General tab, click the button next to the Name field.
    5. Select the new BlackBerry Enterprise Server service account name from the Names list.
    6. Click Add, and then OK.
    7. From the Server Roles tab, select Server Administrators and Database Creators from the Server Role list.

      Note: If you are running BlackBerry Enterprise Server software version 4.1 or later, add the System Administrators role to add BlackBerry smartphone users in a role-based administration environment. For instructions, see the BlackBerry Enterprise Server for Microsoft Exchange: System Administration Guide.

    8. On the Database Access tab, select the check box for the BlackBerry Configuration Database (for example, BESMgmt).
    9. In the Database Roles for <BlackBerry_Configuration_Database_name> list, select the db_owner check box.

    See KB04293 for information on switching service accounts for BlackBerry Enterprise Server software versions 4.0 and 4.1.


    2 Comments »

    1. BlackBerry Enterprise Server delivers end-to-end Advanced Encryption Standard or Triple Data Encryption Standard encryption that helps ensure the confidentiality and integrity of wirelessly transmitted information from behind the firewall to wireless devices in the field.

    2. Guys,

      Thanks for this helpful article – we were able to finally get our BB server to do the expected successfully.

      Had a quick question for you guys on a related note – how do we find out exactly who all have the SEND-AS permission on our mailboxes?

      Our IT director spoke to some MCS guys recently who in passing pointed him to a website online (http://www.activedirsec.com/assess.html), and ever since, he has been pestering us for an answer.

      He wants to know if we know how many of our IT admins may be able to send email on behalf of the CEO and the CIO and others.

      This seems awfully hard to exactly figure out. Do you have any recommendations on how we could find out and allay his concerns?

      Thought you guys might know, given your experience with this stuff.

      Many thanks,
      Sara
