Assigning service account permissions for a BlackBerry Enterprise Server for Microsoft Exchange

Article ID: KB02276

Type: Support Content

Last Modified: 12-14-2011

Product(s) Affected:

  • BlackBerry® Enterprise Server Express for Microsoft® Exchange
  • BlackBerry® Enterprise Server for Microsoft® Exchange
  • BlackBerry® Professional Software
Overview

The following permissions are required for the BlackBerry® Enterprise Server service account:

  1. Local Administrator rights on the BlackBerry Enterprise server
  2. Send as permission at the Domain level
  3. Local Security Policy permissions for the BlackBerry Enterprise Server service account
  4. Microsoft® Exchange permissions at the Administrative Group level
  5. Microsoft Exchange permissions at the Microsoft Exchange Server level
  6. Microsoft Exchange Throttling permissions for the BlackBerry Enterprise Server service account
  7. Database permissions for managing the BlackBerry Configuration Database

Note: If the BlackBerry Enterprise Server service account has not been created, create it before proceeding with the rest of this article. For detailed instructions, see the BlackBerry Enterprise Server for Microsoft Exchange: Installation Guide.

Important: The BlackBerry Enterprise Server service account should be a standard domain user (a member of Domain Users only), not a member of Domain Admins or of any other protected group. Microsoft Exchange explicitly denies the Send As and Receive As rights to members of Domain Admins and Enterprise Admins, and a Deny entry overrides the Allow entries granted in the tasks below, so placing the service account in one of those groups breaks mail delivery rather than helping it. See KB04557 for more information.


Task 1

To assign Local Administrator rights to the BlackBerry Enterprise Server service account, complete the following steps:

For a BlackBerry Enterprise Server on a Domain Controller

  1. Click Start > Programs > Administrative Tools > Active Directory Users and Computers.
  2. Select the Builtin folder.
  3. Double-click Administrators.
  4. On the Members tab, click Add.
  5. Type the BlackBerry Enterprise Server service account name (for example, BESAdmin), and then click Check Names.
  6. Click OK.
  7. Click Apply then OK.

For a BlackBerry Enterprise Server on a Member Server

  1. Click Start > Administrative Tools > Computer Management.
  2. In the left pane, expand System Tools and click Local Users and Groups.
  3. In the right pane, double-click Groups.
  4. Right-click Administrators and click Properties.
  5. In the Administrators Properties window, click Add.
  6. In the Select Users, Contacts, Computers, or Groups window, type the BlackBerry Enterprise Server service account name (for example, BESAdmin), and then click Check Names.
  7. Click OK.
  8. Click Apply then OK.

Task 2

To grant the BlackBerry Enterprise Server service account the Send As permission on all BlackBerry smartphone user accounts in a Microsoft® Active Directory® domain or container, complete the following steps:

  1. Open Active Directory Users and Computers.
  2. On the View menu, select the Advanced Features option.

    Note: If Advanced Features is not selected, the Security tab will not be visible for domain and container objects.

  3. Right-click the appropriate domain or container, and then click Properties.
  4. On the Security tab, click Advanced.
  5. If the BlackBerry Enterprise Server service account that requires the Send As permission is not listed, click Add and then select the BlackBerry Enterprise Server service account name.
  6. Click OK.
  7. Double-click the BlackBerry Enterprise Server service account name.
  8. Select User Objects in the Applies Onto list.

    Note: If the Domain Controller is Windows Server® 2008, select Descendant User Objects in the Applies Onto list.
  9. Select the Send As check box.
  10. Click Apply, and then click OK.
  11. Close the Properties window, and then close Active Directory Users and Computers.

    Note: For more information about the Send As permission, see article 912918, or visit the Microsoft Support Knowledge Base and search for "Users cannot send e-mail messages from a mobile device or from a shared mailbox in Exchange 2000 Server and in Exchange Server 2003".

For Microsoft® Exchange Server 2007 and Microsoft® Exchange Server 2010, the Send As permission can be granted to the BlackBerry Enterprise Server service account at a container level in Active Directory by using the PowerShell command shell.

Note: This command applies the same permission described in the steps above to a specific container within Active Directory. If new BlackBerry smartphone users are added that are located in a separate Active Directory container, this command will need to be run again, specifying the new location.

In the Exchange Management Shell command prompt window, type the following and press Enter:

Add-ADPermission -InheritedObjectType User -InheritanceType Descendents -ExtendedRights Send-As -User "BESAdmin" -Identity "CN=<Container_Name>,DC=<domain_1>,DC=<domain_2>,DC=<domain_3>"

The Identity value is the distinguished name of the object to be modified (in this case, the container in which the BlackBerry smartphone user accounts are located), written from the most specific to the least specific component. For example, if the domain is example.com and the container is the built-in Users container, the Identity string should read "CN=Users,DC=example,DC=com". There is no domain_3 in this example, as none is required. Note that only built-in containers such as Users use the CN= prefix; an organizational unit uses OU= (for example, "OU=Mobile Users,DC=example,DC=com"). Because the permission is inherited only by user objects below the specified point, the DN must be the container, not an individual user.

Successful application of this permission can be verified via Active Directory Users and Computers (Steps 1 through 4 of Task 2, above), or via the Exchange Management Shell interface. To verify that this permission has been applied using PowerShell, run the following command:

Get-Mailbox -Identity "<Display_Name>" | Get-ADPermission | where { ($_.ExtendedRights -like "*Send-As*") -and -not ($_.User -like "NT AUTHORITY\SELF") } | select Identity, User, ExtendedRights, IsInherited | FT -Wrap

Where <Display_Name> is the display name of the BlackBerry smartphone user to be verified. The following output indicates success:

Identity            User                ExtendedRights              IsInherited
--------            ----                --------------              -----------
user01              domain\BESAdmin     {Send-As}                          True
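The container-level grant and the per-mailbox check above cover one container and one user at a time. The following script, an added example that is not part of the original KB article, applies the same Add-ADPermission grant to a list of containers only where it is missing and then audits every mailbox beneath them for an effective Send-As entry. It assumes an Exchange 2007/2010 Management Shell session, a service account named DOMAIN\BESAdmin, and the container list shown, all of which are hypothetical.

```powershell
# Added example (not from the KB): grant Send-As to the BES service account on
# several containers idempotently, then audit the mailboxes under them.
# Assumptions: Exchange Management Shell loaded; account and containers are hypothetical.
$ServiceAccount = "DOMAIN\BESAdmin"
$Containers = @(
    "CN=Users,DC=example,DC=com",          # built-in Users container uses CN=
    "OU=Mobile Users,DC=example,DC=com"    # organizational units use OU=
)

foreach ($dn in $Containers) {
    # Skip containers that already carry an inheritable Send-As allow ACE for the account
    $existing = Get-ADPermission -Identity $dn -User $ServiceAccount -ErrorAction SilentlyContinue |
        Where-Object { ($_.ExtendedRights -like "*Send-As*") -and -not $_.Deny -and ($_.InheritanceType -eq "Descendents") }
    if ($existing) {
        Write-Host "Send-As already granted on $dn"
        continue
    }
    Add-ADPermission -Identity $dn -User $ServiceAccount -ExtendedRights Send-As `
        -InheritedObjectType User -InheritanceType Descendents | Out-Null
    Write-Host "Granted Send-As on $dn"
}

# Audit: every mailbox under each container should now show a Send-As ACE for the
# service account. Mailboxes whose ACL no longer inherits from the container (for
# example, accounts whose permissions were reset by AdminSDHolder) are reported.
$missing = foreach ($dn in $Containers) {
    Get-Mailbox -OrganizationalUnit $dn -ResultSize Unlimited | ForEach-Object {
        $ace = Get-ADPermission -Identity $_.DistinguishedName -User $ServiceAccount |
            Where-Object { ($_.ExtendedRights -like "*Send-As*") -and -not $_.Deny }
        if (-not $ace) { $_.Identity }
    }
}
if ($missing) {
    Write-Warning "Mailboxes without Send-As for ${ServiceAccount}:"
    $missing | ForEach-Object { Write-Warning "  $_" }
} else {
    Write-Host "All mailboxes in the listed containers grant Send-As to $ServiceAccount"
}
```

Run it after adding a new container of BlackBerry smartphone users; the audit loop is the useful part for troubleshooting, because a mailbox that lacks the inherited entry is the usual cause of "send as" failures from a device.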


Task 3

To assign Local Security Policy permissions to the BlackBerry Enterprise Server service account, complete the following steps:

Note: This procedure allows the BlackBerry Enterprise Server service account to access the local computer and to run the BlackBerry Enterprise Server as a Windows® service.

  1. Click Start > Administrative Tools > Local Security Policy.

    Note: If the computer is a Domain Controller, click Start > Administrative Tools > Domain Controller Security Policy.

  2. In the Local Security Policy window, click Local Policies > User Rights Assignment.

    Note: For Windows® Small Business Server 2008, click Start > Administrative Tools > Group Policy Management, and then browse to Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment.

  3. Perform one of the following steps:
    • For Windows 2000 Server, double-click Log on locally.
    • For Windows Server 2003 and 2008, double-click Allow log on locally.
  4. Click Add User or Group.
  5. Select the BlackBerry Enterprise Server service account name, and then click Add.
  6. Click OK.
  7. In the User Rights Assignment list, double-click Log on as a service.
  8. Click Add User or Group, and then select the BlackBerry Enterprise Server service account.
  9. Click OK.

    Note: If a Group Policy object applied to the server also defines these rights, or the corresponding Deny rights, the Group Policy setting takes precedence over the local setting.
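Both Task 1 (local Administrators membership) and Task 3 (the two user rights) are easy to verify from the server itself, which is worth doing after a Group Policy refresh. The following script is an added example, not part of the original KB article; it assumes an elevated PowerShell session on the BlackBerry Enterprise Server host and a service account named DOMAIN\BESAdmin (hypothetical names). It exports the effective user-rights assignment with secedit and checks for the account's SID.

```powershell
# Added example (not from the KB): verify Task 1 and Task 3 on the BES host.
# Assumptions: elevated PowerShell on the BES server; DOMAIN\BESAdmin is hypothetical.
$Domain  = "DOMAIN"
$Account = "BESAdmin"

# secedit writes domain accounts as SIDs prefixed with '*', so resolve the SID up front
$nt  = New-Object System.Security.Principal.NTAccount($Domain, $Account)
$sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value

# Task 1: membership of the Administrators group this computer uses
# (the local group on a member server, the Builtin group on a domain controller)
$admins = ([ADSI]"WinNT://./Administrators,group").psbase.Invoke("Members") |
    ForEach-Object { $_.GetType().InvokeMember("Name", 'GetProperty', $null, $_, $null) }
if ($admins -contains $Account) { Write-Host "OK: $Account is in Administrators" }
else { Write-Warning "$Account is NOT in Administrators" }

# Task 3: export the effective user-rights assignment (local database after Group
# Policy has applied) and parse the two rights this task sets.
$inf = Join-Path $env:TEMP "userrights.inf"
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$rights = @{}
Get-Content $inf | ForEach-Object {
    # Lines look like: SeServiceLogonRight = *S-1-5-80-...,*S-1-5-21-...-1105
    if ($_ -match '^(Se\w+)\s*=\s*(.*)$') {
        $rights[$matches[1]] = ($matches[2] -split ',') | ForEach-Object { $_.Trim().TrimStart('*') }
    }
}
Remove-Item $inf -ErrorAction SilentlyContinue

# SeInteractiveLogonRight = "Allow log on locally"; SeServiceLogonRight = "Log on as a service"
foreach ($right in 'SeInteractiveLogonRight', 'SeServiceLogonRight') {
    $holders = $rights[$right]
    # Entries may be SIDs or plain names (e.g. Administrators); accept either form
    if (($holders -contains $sid) -or ($holders -contains "$Domain\$Account")) {
        Write-Host "OK: $right includes $Domain\$Account"
    } else {
        Write-Warning "$right does NOT include $Domain\$Account (entries: $($holders -join ', '))"
    }
}
```

A name match on "Administrators" in the exported list does not by itself prove the right, because a Deny right assigned by Group Policy wins; the script only reports the Allow side, so check SeDenyServiceLogonRight and SeDenyInteractiveLogonRight the same way if the service still fails to start.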

Task 4

To assign Microsoft Exchange Server permissions at the Administrative Group level, complete the following steps for the appropriate Microsoft Exchange environment:

Note: This procedure gives the BlackBerry Enterprise Server service account read-only access to the Microsoft Exchange organization, which the BlackBerry Enterprise Server needs in order to manage BlackBerry smartphone users and groups.

For Microsoft Exchange Server 2000 or 2003

  1. Click Start > Programs > Microsoft Exchange > System Manager.
  2. Select Administrative Groups.
  3. Right-click First Administrative Group and select Delegate Control.
  4. In the Exchange Administration Delegation Wizard, click Next, and then click Add.
  5. Click Browse and then select the BlackBerry Enterprise Server service account.
  6. Click OK.
  7. In the Role drop-down list in the Delegate Control window, select Exchange View Only Administrator.
  8. Click OK to add the BlackBerry Enterprise Server service account to the Users and Groups list.
  9. Click Next, and then click Finish.

For Microsoft Exchange Server 2007

To set an Exchange View Only Administrator role:

  1. Click Start > Programs > Microsoft Exchange Server 2007 > Exchange Management Shell (run it as an administrator).
  2. Type the following and then press ENTER:

    add-exchangeadministrator <BESAdmin> -role ViewOnlyAdmin

    where <BESAdmin> is the name of the BlackBerry Enterprise Server service account.

To check an Exchange View Only Administrator role:

  1. Click Start > Programs > Microsoft Exchange Server 2007 > Exchange Management Shell (run it as an administrator).
  2. Type the following and then press ENTER:

    get-exchangeadministrator | Format-List

  3. Verify that the BlackBerry Enterprise Server service account has the ViewOnlyAdmin role.

For Microsoft Exchange Server 2010

  1. Click Start > Programs > Microsoft Exchange Server 2010 > Exchange Management Shell (run it as an administrator).
  2. Type the following command and then press ENTER:

    Add-RoleGroupMember "View-Only Organization Management" -Member "BESAdmin"


Task 5

To assign Microsoft Exchange Server permissions at the Microsoft Exchange Server level, complete the following steps:

For Microsoft Exchange Server 2000 or 2003

  1. Click Start > Programs > Microsoft Exchange > System Manager.
  2. Select Administrative Groups > First Administrative Group > Servers.
  3. Right-click the Microsoft Exchange Server name and then click Properties.
  4. On the Security tab, select the BlackBerry Enterprise Server service account.
  5. Select the following permissions from the Permissions list:
    • Administer Information Store
    • Send As
    • Receive As
  6. Click the Advanced button.
  7. Verify that the Allow inheritable permissions from parent to propagate to this object and all child objects check box is selected.
  8. Click OK.
  9. Repeat the preceding steps for each Microsoft Exchange Server that will host mailboxes within the routing group.

If inheritable rights do not propagate to the individual mail stores, to set the Send As, Receive As, and Administer information store permissions at the store level, complete the following steps from the Microsoft Exchange System Manager:

  1. Click Start > Programs > Microsoft Exchange > System Manager.
  2. Select Administrative Groups > First Administrative Group > Servers.
  3. Click on the plus sign next to the Microsoft Exchange Server name to expand the next levels.
  4. Click on the plus sign next to the First Storage Group to expand the information stores.
  5. Right-click the first Mailbox Store name and then click Properties.
  6. On the Security tab, select the BlackBerry Enterprise Server service account.
  7. Select the following permissions from the Permissions list:
    • Administer Information Store
    • Send As
    • Receive As
  8. Click the Advanced button.
  9. Verify that the Allow inheritable permissions from parent to propagate to this object and all child objects check box is selected.
  10. Click OK.
  11. Repeat steps 5 through 10 for each Mailbox Store on this server that will host mailboxes.

For Microsoft Exchange Server 2007

To set Send As, Receive As, and Administer Information Store permissions, complete the following steps:

  1. Click Start > Programs > Microsoft Exchange Server 2007 > Exchange Management Shell.
  2. Type the following line, and then press ENTER:

    get-mailboxserver <Exchange2007> | add-adpermission -user <BESAdmin> -accessrights GenericRead, GenericWrite -extendedrights Send-As, Receive-As, ms-Exch-Store-Admin

    where <Exchange2007> is the name of the Microsoft Exchange Server 2007 and <BESAdmin> is the name of the BlackBerry Enterprise Server service account.

If inheritance to the individual mail stores is not enabled, set the Send As, Receive As, and Administer Information Store permissions at the store level by typing the following in the Exchange Management Shell:

    get-mailboxdatabase "<Exchange2007>\First Storage Group\Mailbox Database" | add-adpermission -user <BESAdmin> -accessrights GenericRead, GenericWrite -extendedrights Send-As, Receive-As, ms-Exch-Store-Admin

Note: First Storage Group\Mailbox Database is the default mailbox database name in Microsoft Exchange Server 2007.

If inheritance to the individual mail stores is not enabled on a custom mailbox database, set the same permissions on that database by typing the following in the Exchange Management Shell:

    Add-ADPermission -Identity "<custom database name>" -User "<BESAdmin>" -AccessRights GenericRead, GenericWrite -ExtendedRights Send-As, Receive-As, ms-Exch-Store-Admin

To verify the Send As, Receive As, and Administer Information Store permissions at the server level, complete the following steps:

  1. Click Start > Programs > Microsoft Exchange Server 2007 > Exchange Management Shell (run it as an administrator).
  2. Type the following line and press ENTER:

    get-mailboxserver <Exchange2007> | get-ADpermission -user <BESAdmin> | Format-List

To verify the same permissions at the mailbox store level, complete the following steps:

  1. Click Start > Programs > Microsoft Exchange Server 2007 > Exchange Management Shell (run it as an administrator).
  2. Type the following line and press ENTER:

    get-mailboxdatabase "<Exchange2007>\<dbname>" | get-ADpermission -user <BESAdmin> | Format-List

    where <dbname> is the storage group and database name (for example, First Storage Group\Mailbox Database).

For Microsoft Exchange Server 2010

  1. Click Start > Programs > Microsoft Exchange Server 2010 > Exchange Management Shell (run it as an administrator).
  2. Type the following line and then press ENTER:

    Get-MailboxDatabase | Add-ADPermission -User "BESAdmin" -AccessRights ExtendedRight -ExtendedRights Receive-As, ms-Exch-Store-Admin

    Note: This command grants the permissions on every mailbox database that exists when it is run. If a new mailbox database is created later, repeat step 2 so that the new database is covered.

For Microsoft Exchange 5.5

The BlackBerry Enterprise Server service account requires the Service Account Admin permissions on the Site container and Configuration container.
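For Exchange Server 2010, the role group membership from Task 4 and the per-database rights from Task 5 are the two settings most often found missing after a new database is added or a server is rebuilt. The following script is an added example, not part of the original KB article; it assumes the Exchange 2010 Management Shell and a service account named BESAdmin (hypothetical), and it applies only what is missing so it can be re-run safely.

```powershell
# Added example (not from the KB): apply and verify the Exchange 2010 settings
# from Task 4 (role group) and Task 5 (database rights) in one idempotent pass.
# Assumptions: Exchange 2010 Management Shell; "BESAdmin" is a hypothetical account name.
$ServiceAccount = "BESAdmin"
$RoleGroup      = "View-Only Organization Management"
$RequiredRights = @("Receive-As", "ms-Exch-Store-Admin")   # Send-As is granted at the container in Task 2

# Task 4: role group membership
$members = Get-RoleGroupMember $RoleGroup | ForEach-Object { $_.Name }
if ($members -notcontains $ServiceAccount) {
    Add-RoleGroupMember $RoleGroup -Member $ServiceAccount
    Write-Host "Added $ServiceAccount to '$RoleGroup'"
} else {
    Write-Host "$ServiceAccount is already a member of '$RoleGroup'"
}

# Task 5: per-database extended rights. Databases created after the original
# Get-MailboxDatabase | Add-ADPermission run have none of these and are picked up here.
foreach ($db in Get-MailboxDatabase) {
    $granted = Get-ADPermission -Identity $db.Identity -User $ServiceAccount |
        Where-Object { -not $_.Deny } |
        ForEach-Object { $_.ExtendedRights | ForEach-Object { "$_" } }
    $missing = $RequiredRights | Where-Object { $granted -notcontains $_ }
    if ($missing) {
        Add-ADPermission -Identity $db.Identity -User $ServiceAccount `
            -AccessRights ExtendedRight -ExtendedRights $missing | Out-Null
        Write-Host "$($db.Name): granted $($missing -join ', ')"
    } else {
        Write-Host "$($db.Name): OK"
    }
}
```

Only Allow entries are counted: a Deny entry for the same right (for example, one inherited because the account was placed in Domain Admins, as warned against in the Overview) is ignored by the check and would still block access, so an "OK" result with a failing BlackBerry Controller is a reason to look for Deny entries.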


Task 6

To assign a throttling Policy for the BlackBerry Enterprise Server service account, complete the following steps:

Note:  This only applies for Microsoft Exchange 2010

If a BESPolicy throttling policy has not already been created, then create a new throttling policy that does not limit concurrent connections to the Microsoft Exchange Server:

  1. On the Microsoft Exchange Server, click Start > Microsoft Exchange Server 2010 > Exchange Management Shell.
  2. Type New-ThrottlingPolicy BESPolicy -RCAMaxConcurrency $null -RCAPercentTimeInAD $null -RCAPercentTimeInCAS $null -RCAPercentTimeInMailboxRPC $null -EWSMaxConcurrency $null -EWSPercentTimeInAD $null -EWSPercentTimeInCAS $null -EWSPercentTimeInMailboxRPC $null -EWSMaxSubscriptions $null -EWSFastSearchTimeoutInSeconds $null -EWSFindCountLimit $null
  3. Type Set-Mailbox "BESAdmin" -ThrottlingPolicy BESPolicy.
  4. Restart the BlackBerry Controller Service.

Note: If the Microsoft Exchange Server is 2010 SP1, also type the following to remove the SP1 limits from the policy:

set-ThrottlingPolicy BESPolicy -CPAMaxConcurrency $NULL -CPAPercentTimeInCAS $NULL -CPAPercentTimeInMailboxRPC $NULL

If a BESPolicy throttling policy has already been created but is still set to throttle concurrent connections, modify the existing BESPolicy to disable throttling:

  1. On the Microsoft Exchange Server, click Start > Microsoft Exchange Server 2010 > Exchange Management Shell.
  2. Type Set-ThrottlingPolicy BESPolicy -RCAMaxConcurrency $null -RCAPercentTimeInAD $null -RCAPercentTimeInCAS $null -RCAPercentTimeInMailboxRPC $null -EWSMaxConcurrency $null -EWSPercentTimeInAD $null -EWSPercentTimeInCAS $null -EWSPercentTimeInMailboxRPC $null -EWSMaxSubscriptions $null -EWSFastSearchTimeoutInSeconds $null -EWSFindCountLimit $null
  3. Type Set-Mailbox "BESAdmin" -ThrottlingPolicy BESPolicy.
  4. Restart the BlackBerry Controller Service.

    Important: Restarting the BlackBerry Enterprise Server or its services might delay email message delivery to BlackBerry smartphones.

    Note: It might take up to 20 minutes for the policy change to replicate and for BlackBerry smartphones to start receiving email again.

If the preceding method does not work to reset the throttling policy, remove the existing policy and re-create a new BESPolicy.

Remove the BESPolicy by typing Remove-ThrottlingPolicy -Identity BESPolicy.

Note: A policy that is assigned to users cannot be removed. In order to remove a policy that is associated with any users, reassign the default policy to users and then remove the BESPolicy.

For more information on the Microsoft Exchange Server 2010 throttling policy and the commands to set default policy, refer to the following Microsoft document:

http://technet.microsoft.com/en-us/library/dd351178.aspx
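The create, modify and remove paths above are three separate procedures with the same settings repeated in each. The following script is an added example, not part of the original KB article; it creates or updates BESPolicy from one settings table, applies the SP1 settings only when the shell exposes them, verifies the assignment, and wraps the removal path so that the "policy assigned to users cannot be removed" failure is handled by reassigning the default policy first. It assumes the Exchange 2010 Management Shell and a service account mailbox named BESAdmin (hypothetical).

```powershell
# Added example (not from the KB): create-or-update BESPolicy, assign it, verify it,
# and provide a safe removal function. Assumptions: Exchange 2010 Management Shell;
# "BESAdmin" and "BESPolicy" are the names used by the KB, treated here as hypothetical.
$PolicyName     = "BESPolicy"
$ServiceAccount = "BESAdmin"

# The settings the KB sets to $null (no limit) for the RPC Client Access and EWS components
$Unlimited = @{
    RCAMaxConcurrency = $null; RCAPercentTimeInAD = $null; RCAPercentTimeInCAS = $null; RCAPercentTimeInMailboxRPC = $null
    EWSMaxConcurrency = $null; EWSPercentTimeInAD = $null; EWSPercentTimeInCAS = $null; EWSPercentTimeInMailboxRPC = $null
    EWSMaxSubscriptions = $null; EWSFastSearchTimeoutInSeconds = $null; EWSFindCountLimit = $null
}

$policy = Get-ThrottlingPolicy -Identity $PolicyName -ErrorAction SilentlyContinue
if (-not $policy) {
    New-ThrottlingPolicy -Name $PolicyName @Unlimited | Out-Null
    Write-Host "Created $PolicyName"
} else {
    Set-ThrottlingPolicy -Identity $PolicyName @Unlimited
    Write-Host "Updated $PolicyName"
}

# SP1 adds the CPA* limits; detect them from the cmdlet rather than from a version string
if ((Get-Command Set-ThrottlingPolicy).Parameters.ContainsKey('CPAMaxConcurrency')) {
    Set-ThrottlingPolicy -Identity $PolicyName -CPAMaxConcurrency $null -CPAPercentTimeInCAS $null -CPAPercentTimeInMailboxRPC $null
    Write-Host "Applied SP1 CPA settings"
}

# Assign the policy to the service account mailbox and confirm the assignment took
Set-Mailbox -Identity $ServiceAccount -ThrottlingPolicy $PolicyName
$assigned = (Get-Mailbox -Identity $ServiceAccount).ThrottlingPolicy
if ("$assigned" -ne $PolicyName) { throw "Policy not assigned: mailbox reports '$assigned'" }

# Confirm that none of the listed settings still carries a limit
$check = Get-ThrottlingPolicy -Identity $PolicyName
$still = $Unlimited.Keys | Where-Object { $null -ne $check.$_ }
if ($still) { Write-Warning "Still limited: $($still -join ', ')" } else { Write-Host "All listed settings are unlimited" }

# Removal path: a policy still assigned to mailboxes cannot be removed, so move those
# mailboxes back to the default policy first (the KB's documented workaround).
function Remove-BesThrottlingPolicy {
    param([string]$Name = "BESPolicy")
    $default = Get-ThrottlingPolicy | Where-Object { $_.IsDefault }
    Get-Mailbox -ResultSize Unlimited |
        Where-Object { "$($_.ThrottlingPolicy)" -eq $Name } |
        Set-Mailbox -ThrottlingPolicy $default.Identity
    Remove-ThrottlingPolicy -Identity $Name -Confirm:$false
}
```

Restart the BlackBerry Controller service after the script, as the task instructs; the assignment check only proves Active Directory holds the value, not that the Controller has picked it up.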


Task 7

If the BlackBerry Configuration Database is hosted on Microsoft® SQL Server®, assign the server and database roles by completing the following steps:

Note: The following is not applicable to Microsoft SQL Server Desktop Engine (MSDE).

  1. In the Microsoft SQL Enterprise Manager, go to Microsoft SQL Servers > SQL Server Group > <SQL_server_name>.
  2. Expand the Microsoft SQL Server and expand Security.
  3. Right-click Logins.
  4. Click New Login.
  5. On the General tab, click the button next to the Name field.
  6. Select the new BlackBerry Enterprise Server service account name from the Names list.
  7. Click Add.
  8. Click OK.
  9. On the Server Roles tab, select Server Administrators and Database Creators from the Server Role list.

    Note: If running BlackBerry Enterprise Server 4.1 to 5.0 in a role-based administration environment, also add the System Administrators role so that BlackBerry smartphone users can be added. System Administrators (sysadmin) grants full control of the SQL Server instance, so add it only where role-based administration requires it. For instructions, see the BlackBerry Enterprise Server for Microsoft Exchange: System Administration Guide.

  10. On the Database Access / User Mapping tab, select the check box for the BlackBerry Configuration Database.
  11. In the Database Roles for <BlackBerry_Configuration_Database_name> list, select the db_owner check box.

    For additional information on assigning the required permissions for the BlackBerry Configuration Database, see KB03112.

    For additional information on the permissions that are required to manage the BlackBerry Configuration Database, see KB03633.
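The SQL Server roles granted in Task 7 can be confirmed without Enterprise Manager, which is useful when the database is on a remote instance administered by another team. The following script is an added example, not part of the original KB article; it assumes Windows-integrated access to the instance, a login named DOMAIN\BESAdmin and a configuration database named BESMgmt (all hypothetical names), and it reports which of the expected roles are present.

```powershell
# Added example (not from the KB): verify the Task 7 roles for the service account.
# Assumptions: integrated authentication to the instance; $Instance, $Login and
# $Database are hypothetical names to replace with real ones.
$Instance = "SQLSERVER01"
$Login    = "DOMAIN\BESAdmin"
$Database = "BESMgmt"

$conn = New-Object System.Data.SqlClient.SqlConnection("Server=$Instance;Database=$Database;Integrated Security=SSPI")
$conn.Open()
try {
    # IS_SRVROLEMEMBER returns 1 (member), 0 (not a member) or NULL (login or role unknown)
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = "SELECT IS_SRVROLEMEMBER('serveradmin', @login) AS serveradmin,
                               IS_SRVROLEMEMBER('dbcreator',   @login) AS dbcreator,
                               IS_SRVROLEMEMBER('sysadmin',    @login) AS sysadmin"
    $cmd.Parameters.AddWithValue("@login", $Login) | Out-Null
    $r = $cmd.ExecuteReader()
    $r.Read() | Out-Null
    $roles = @{ serveradmin = $r["serveradmin"]; dbcreator = $r["dbcreator"]; sysadmin = $r["sysadmin"] }
    $r.Close()

    foreach ($role in 'serveradmin', 'dbcreator') {
        if ($roles[$role] -is [DBNull])  { Write-Warning "Login $Login does not exist on $Instance" }
        elseif ($roles[$role] -eq 1)     { Write-Host "OK: $Login is in $role" }
        else                             { Write-Warning "$Login is NOT in $role" }
    }
    # sysadmin is full control of the instance; the KB needs it only for role-based administration
    if ($roles['sysadmin'] -eq 1) { Write-Host "Note: $Login is sysadmin (required only for role-based administration)" }

    # Database role: members of db_owner in the configuration database. The mapped
    # database user normally has the same name as the Windows login.
    $cmd.CommandText = "EXEC sp_helprolemember 'db_owner'"
    $cmd.Parameters.Clear()
    $r = $cmd.ExecuteReader()
    $owners = @()
    while ($r.Read()) { $owners += $r["MemberName"] }
    $r.Close()
    if ($owners -contains $Login) { Write-Host "OK: $Login is db_owner of $Database" }
    else { Write-Warning "$Login is NOT db_owner of $Database (members: $($owners -join ', '))" }
}
finally { $conn.Close() }
```

The checks use IS_SRVROLEMEMBER and sp_helprolemember because both exist from SQL Server 2000 onward, matching the Enterprise Manager era of this task; on newer instances the sys.server_role_members catalog view gives the same answer.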

Environment
  • BlackBerry® Enterprise Server for Microsoft® Exchange
  • BlackBerry® Enterprise Server Express for Microsoft® Exchange
  • BlackBerry® Professional Software
  • Microsoft® SQL Server®
Additional Information

For Microsoft Exchange Server 2007, support is provided by BlackBerry Enterprise Server 4.1 SP3 to 5.0 SP2.

For Microsoft Exchange Server 2007 SP2 support, see KB20550.

For more information on configuring Exchange Web Services for Calendaring in a Microsoft Exchange 2010 Environment, see article KB20157.

For information on switching service accounts for BlackBerry Enterprise Server 4.0 to 4.1, see KB04293.

Disclaimer

By downloading, accessing or otherwise using the Knowledge Base documents you agree:

   (a) that the terms of use for the documents found at www.blackberry.com/legal/knowledgebase apply to your use or reference to these documents; and

   (b) not to copy, distribute, disclose or reproduce, in full or in part any of the documents without the express written consent of RIM.


Visit the BlackBerry Technical Solution Center at www.blackberry.com/btsc.