Using the SetSendAsPermission tool

Article ID: KB12300

Type: Support Content

Last Modified: 01-19-2012

 

Product(s) Affected:

  • BlackBerry Enterprise Server for Microsoft Exchange
CollapseEnvironment
  • BlackBerry® Enterprise Server
  • Microsoft® Exchange 2000, 2003 

 

CollapseOverview

The SetSendAsPermission tool allows you to automatically assign the required Send As permission for previously existing Microsoft Windows® Active Directory® user objects.

To assign the Send As permission automatically, complete one of the procedures below. After completing the appropriate procedure, if you restart the Microsoft Exchange Information Store, stop the BlackBerry Router for 20 minutes, then restart the BlackBerry Router to complete the changes. This allows the Microsoft Exchange servers to clear the cached permissions for the BlackBerry Enterprise Server administration account.

Note: Microsoft recommends changing the default time of two hours (120 minutes) for clearing the cached permissions to 20 minutes.  The default time is controlled by a registry key; therefore, the amount of time needed for clearing the permissions cache depends on the value that has been set for that registry key. The cache will also be cleared if the Microsoft Exchange Information Store is restarted. For more information, search for article 327378 in the Microsoft Support Knowledge Base or search for the Mailbox Cache Age Limit registry entry in the Microsoft TechNet web site.

If the SetSendAsPermission tool displays an error during any of these procedures, see the Troubleshooting section below or see the Send As Permission FAQ for more information. For descriptions of the switches that may be used in the SetSendAsPermission.exe command line, see the Command line parameters section below.


Procedure 1



Note: This procedure will not work for BlackBerry Enterprise Server software version 3.6.

Depending on the authentication type for the BlackBerry Configuration Database, to set the Send As permission for all BlackBerry device users on the BlackBerry Enterprise Server, use one of the command lines below.

Windows Authentication for the BlackBerry Configuration Database

From a command prompt, type the following line, then press ENTER:

SetSendAsPermission.exe -a <service_account_name> -db <database_name> -n <network_address> -o <output_file_name>

SQL Authentication for the BlackBerry Configuration Database

From a command prompt, type the following line, then press ENTER:

SetSendAsPermission.exe -a <service_account_name> -db <database_name> -n <network_address> -dbauth -dbuser <SQL_Authentication_user_name> -dbpass <SQL_Authentication_password> -o <output_file_name>


Procedure 2



Depending on the authentication type for the BlackBerry Configuration Database, if you want to make changes to only one BlackBerry Enterprise Server instance, use one of the command lines below.

Windows Authentication for the BlackBerry Configuration Database

From a command prompt, type the following line, then press ENTER:

SetSendAsPermission.exe -a <service_account_name> -db <database_name> -n <network_address> -b <BlackBerry_Enterprise_Server_name> -o <output_file_name>

SQL Authentication for the BlackBerry Configuration Database

From a command prompt, type the following line, then press ENTER:

SetSendAsPermission.exe -a <service_account_name> -db <database_name> -n <network_address> -b <BlackBerry_Enterprise_Server_name> -dbauth -dbuser <SQL_Authentication_username> -dbpass <SQL_Authentication_password> -o <output_file_name>


Procedure 3

To grant the Send As permission at the root or object levels, use one of the command lines below.

Important: If inheriting permissions is allowed, the Send As permission will be passed to all Active Directory objects below it. If new user objects are added and are set to inherit permissions, they will automatically have the Send As permission without having to run the tool again. If inheriting permissions is denied at any level below the base object used for the SetSendAsPermission tool, run the tool against all child objects for which inheriting permissions is denied.

At the root level

From a command prompt, type the following line, then press ENTER:

SetSendAsPermission.exe –a <service_account_name> -adroot

At the object level

From a command prompt, type the following line, then press ENTER:

SetSendAsPermission.exe –a <service_account_name> –adobject "ou=<organizational_unit>, dc=<domain>, dc=com"


Procedure 4

To set the Send As permission for a list of user objects, from a command prompt, type the following line, then press ENTER:

SetSendAsPermission.exe -a <service_account_name> -i <input_file_name> -o <output_file_name>

Note: To use this procedure, it is necessary to create an input text file containing user object Simple Mail Transfer Protocol (SMTP) addresses that require the Send As permission. The text file contents must be line-separated values of SMTP addresses in the following format:

<user_name>@<domain>


Procedure 5

To grant the Send As permission for one user object,  complete the following steps:

  1. From a command prompt, type the following line, then press ENTER:

    SetSendAsPermission.exe -a <service_account_name> -u

  2. Type the SMTP address of the BlackBerry device user in the <user_name>@<domain> format, then press ENTER.
CollapseAdditional Information

To download the SetSendAsPermission tool, click here.

The procedures in this article can be completed from any computer provided you have the appropriate permissions for Active Directory.

Note: The SetSendAsPermission tool only sets the Send As permission on existing Active Directory user objects unless the adroot or adobject switches are used. To set the Send As permission for any new user objects created in Active Directory or added to the BlackBerry Enterprise Server, run the SetSendAsPermission tool again. To set the Send As permission on a domain level, see KB04707.

The SetSendAsPermission tool will not be able to modify Active Directory permissions to allow BlackBerry device users who are members of protected groups to send messages. If the SetSendAsPermission tool runs successfully, but the BlackBerry device user loses the Send As permission, make sure the BlackBerry device user is not a member of a protected group or is not a former member of a protected group.

Note: It is possible to modify Active Directory permissions to allow BlackBerry device users who are members of protected groups to send messages from their BlackBerry devices without creating secondary email accounts. Microsoft Support Knowledge Base article 817433 outlines a procedure for modifying the permissions associated with the AdminSDHolder Active Directory object that were modified by the recent Exchange update. However, this procedure is not recommended by Microsoft or by Research In Motion (RIM).


Command line parameters

The command line for the SetSendAsPermission tool has the following format:

SetSendAsPermission.exe -a <service_account_name> -u <SMTP_address> -i <input_file_name> -adobject "ou=<organizational_unit>, dc=<domain>, dc=com" –adroot -db <database_name> -n <network_address> -b <server_name> -dbauth -dbuser <user_name> -dbpass <password> -o <output_file_name> -? -help

Note: Not all parameters are needed simultaneously in the command line for the SetSendAsPermission tool. Make sure to use only the parameters that are applicable for your environment.

The table below describes the parameters that may be used in the SetSendAsPermission tool command line:

Switch Description
-a <service_account_name>

BlackBerry Enterprise Server administration account in the following format:

<domain>\<administration_account_user_name>

For instructions on verifying the service account name, see the Send As Permission FAQ.

-u <SMTP_address> The SMTP address of the BlackBerry device users who will have the Send As permission set
-i <input_file_name> Name of the file containing SMTP addresses of BlackBerry device users who will have the Send As permission set
-db <database_name> This is the name of the BlackBerry Configuration Database (for example, BESMgmt). For instructions on verifying the BlackBerry Configuration Database name, see the Send As Permission FAQ.
-n <network_address> Host name or IP address of the computer hosting the BlackBerry Configuration Database.

This is required when the BlackBerry Configuration Database name is specified. For instructions on verifying the network address, see the Send As Permission FAQ.
-b <server_name> BlackBerry Enterprise Server instance name.  The default is all.
-dbauth Enables SQL Authentication. The default is Windows Authentication
-dbuser <user_name> User name needed to access the BlackBerry Configuration Database
-dbpass <password> Password needed to access the BlackBerry Configuration Database
-o <output_file_name> This is the name of the file listing the status (Success or Fail) of each SMTP address for which the SetSendAsPermission tool attempts to set the Send As permission. Any file name may be used in this parameter (for example, SetSendAs.txt).
-adroot Grants the BlackBerry Enterprise Server administration account the Send As permission at the Active Directory root level. If inheriting permissions is allowed within the environment, this will grant the Send As permission on all objects beneath the root.
-adobject "ou=<organizational_unit>, dc=<domain>, dc=com" Grants the BlackBerry Enterprise Server administration account the Send As permission to a specific Active Directory object
-? | -help Displays a help menu for the SetSendAsPermission tool



Troubleshooting

The table below describes resolutions for errors that may occur when using the SetSendAsPermission tool:

Error message Resolution
Unable to find user <SMTP address>

Run the SetSendAsPermission tool again. Verify one of the following:

  • The SMTP address is typed correctly in the command line and in the following format: <user_name>@<domain>
  • The SMTP address is on a separate line in the input text file containing the SMTP addresses that is specified in the -i <input_file_name> switch.
Unable to update the NTSecurityDescriptor

Verify that the service account name is typed correctly and in the following format:

<domain>\<administration_account_user_name>

For instructions on verifying the service account name, see the Send As Permission FAQ.

Unable to push updates to the server Log in to Windows using an administrator account that has permissions to modify the Active Directory, then run the SetSendAsPermission tool again.
Cannot open file '<file_name>'

Confirm that the path and file name are typed correctly for the input text file containing the BlackBerry device users' SMTP addresses. Make sure the path is typed in the following format:

–i <hard_disk_drive>\<directory>\<file_name>.txt

No MailboxSMTPAddr values found in database

Do one of the following:

  • Run the SetSendAsPermission tool without the –b switch.
  • Make sure that the name of the BlackBerry Enterprise Server specified in the -b switch is typed correctly and in the following format:

    –b <BlackBerry_Enterprise_Server_name>

Connection failed

Complete the following steps:

  1. Confirm that the name of the BlackBerry Configuration Database is typed correctly. For instructions on verifying the BlackBerry Configuration Database name, see the Send As Permission FAQ.
  2. Confirm that the network address of the BlackBerry Configuration Database is typed correctly. For instructions on verifying the network address, see the Send As Permission FAQ.
  3. Run the SetSendAsPermission tool again using the host name of the computer instead of the IP address and vice versa.
  4. Run the SetSendAsPermission tool again using the parameters required for SQL Authentication and make sure that they are typed correctly.
  5. Enable the Named Pipes and TCP/IP network protocols for the SQL/MSDE Service. For instructions on enabling the network protocols, see the Send As Permission FAQ.

Note: The SetSendAsPermission tool must be run from a command prompt. If a window appears to open and close after double clicking on the SetSendAs.exe file, open a command prompt, go to the folder containing the SetSendAs.exe file, and run the SetSendAsPermission tool with the appropriate switches.

Disclaimer

By downloading, accessing or otherwise using the Knowledge Base documents you agree:

   (a) that the terms of use for the documents found at www.blackberry.com/legal/knowledgebase apply to your use or reference to these documents; and

   (b) not to copy, distribute, disclose or reproduce, in full or in part any of the documents without the express written consent of RIM.


Visit the BlackBerry Technical Solution Center at www.blackberry.com/btsc.