Administration accounts in protected Microsoft Active Directory groups

Article ID: KB12309

Type: Support Content

Last Modified: 04-23-2013


Product(s) Affected:

  • BlackBerry Enterprise Server for Microsoft Exchange

Environment

  • BlackBerry Enterprise Server for Microsoft Exchange
  • Microsoft Exchange Server 2000, 2003 and 2007
  • Windows Server 2000, 2003, and 2008

Overview

When the SetSendAsPermission tool is used to address problems with the Send As permission being revoked for the BlackBerry Enterprise Server administration account (for example, BESAdmin), the change made to the administration account is temporary and must be continuously reapplied. This occurs when the administration account is a member of a protected Microsoft Active Directory group.

Microsoft Active Directory user objects can be explicit or transitive members of a protected group. This means that a user object can be added to a protected group directly, or it can become a member because it belongs to a group that is itself a member of the protected group (it is joined to the protected group by association). Rather than inheriting permissions from its parent container, such a user object's Access Control List (ACL) is replaced with a copy of the ACL on the AdminSDHolder object.

Every hour, by default, the Domain Controller (DC) that holds the Primary Domain Controller (PDC) emulator Flexible Single Master Operation (FSMO) role compares the ACL of each user object associated with a protected group to the ACL on the AdminSDHolder object. If any differences are found during that comparison, the user object's ACL is overwritten to match the current ACL of the AdminSDHolder object.

To control the frequency at which the AdminSDHolder object updates security descriptors, create or modify the AdminSDProtectFrequency entry in the following registry subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters

When the AdminSDProtectFrequency registry entry is not present, the AdminSDHolder object updates security descriptors every 60 minutes (3600 seconds). This registry entry can be used to set the frequency to any rate between 1 minute (60 seconds) and 2 hours (7200 seconds) by entering the value in seconds. However, modifying this value increases Local Security Authority Subsystem Service (LSASS) processing overhead and is not recommended by Research In Motion or Microsoft; it should only be changed for brief testing periods in a non-production environment.
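The following PowerShell script is an added example, not part of the original KB article or of any BlackBerry tool. It performs the two checks the passages above call for: whether a given administration account (BESAdmin is assumed as the default) is an explicit or transitive member of a protected group and carries adminCount=1, and what SDProp interval is currently in effect on the PDC emulator. It assumes the ActiveDirectory module (RSAT) is installed, that the account running it can read the domain and the PDC emulator's registry over PowerShell remoting, and that the list of protected groups below (taken from Microsoft's documentation for Windows Server 2008) is verified against the TechNet article the KB cites; the registry value is only read, never written.

```powershell
# Added example (not from the KB): is this service account under AdminSDHolder
# protection, and how often does SDProp run? Read-only throughout.
Import-Module ActiveDirectory

# Default protected groups (assumption: verify against the TechNet article
# "AdminSDHolder, Protected Groups and SDPROP" referenced by the KB).
$ProtectedGroups = @(
    'Account Operators', 'Administrators', 'Backup Operators',
    'Domain Admins', 'Domain Controllers', 'Enterprise Admins',
    'Print Operators', 'Read-only Domain Controllers', 'Replicator',
    'Schema Admins', 'Server Operators'
)

function Get-ProtectedGroupMembership {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $user = Get-ADUser -Identity $SamAccountName -Properties adminCount
    # Escape the characters that are special inside an LDAP filter.
    $dn = $user.DistinguishedName -replace '\\', '\5c' -replace '\(', '\28' `
                                  -replace '\)', '\29' -replace '\*', '\2a'

    # LDAP_MATCHING_RULE_IN_CHAIN walks nested membership, so this returns
    # every group the user belongs to directly or transitively.
    $allGroups = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$dn)"
    $protected = @($allGroups | Where-Object { $ProtectedGroups -contains $_.Name })

    [pscustomobject]@{
        SamAccountName  = $user.SamAccountName
        # adminCount=1 is stamped by SDProp and is NOT cleared when the account
        # later leaves the group, so a 1 here with no protected groups means the
        # ACL is still non-inheriting ("orphaned" protection).
        AdminCount      = $user.adminCount
        ProtectedGroups = ($protected | ForEach-Object { $_.Name }) -join ', '
        IsProtected     = ($protected.Count -gt 0)
    }
}

function Get-SdPropInterval {
    # SDProp only runs on the PDC emulator, so that is where the value matters.
    $pdc = (Get-ADDomain).PDCEmulator
    $seconds = Invoke-Command -ComputerName $pdc -ScriptBlock {
        $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
        (Get-ItemProperty -Path $key -Name AdminSDProtectFrequency `
            -ErrorAction SilentlyContinue).AdminSDProtectFrequency
    }
    # Absent value means the default of 3600 seconds (60 minutes), per the KB.
    if (-not $seconds) { $seconds = 3600 }
    [pscustomobject]@{
        PDCEmulator     = $pdc
        IntervalSeconds = $seconds
        IsDefault       = ($seconds -eq 3600)
    }
}

# Usage (account name is an assumption; substitute your BES service account):
Get-ProtectedGroupMembership -SamAccountName 'BESAdmin' | Format-List
Get-SdPropInterval | Format-List
```

If IsProtected is true, any Send As grant applied directly to the account will keep disappearing on the schedule reported by Get-SdPropInterval, which is the behaviour the Overview describes; the fix is to take the account out of the protected group (or grant through a non-protected account), not to shorten the interval.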

The removal of the Send As permission occurs when the Security Descriptor Propagator Update task runs, at about 20 to 30 minute intervals. Domain administrators are the users most commonly affected, but any user in a protected group is affected.

For a list of protected groups, and more information about the Security Descriptor Propagator Update task and AdminSDHolder, search the Microsoft TechNet web site for the "AdminSDHolder, Protected Groups and SDPROP" article in the September 2009 edition of the TechNet online magazine. Refer to the Microsoft website for the most current information on protected groups.

Additional Information

Using the DSACLS.exe utility, it is possible to modify Microsoft Active Directory permissions so that BlackBerry smartphone users who are members of protected groups can send email messages from their smartphones without creating secondary email accounts. For instructions on modifying the permissions that are associated with the AdminSDHolder Microsoft Active Directory object and that were changed by the recent Microsoft Exchange update, refer to the Microsoft Support Knowledge Base.
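Before touching AdminSDHolder with DSACLS, a practitioner will want to see exactly where the Send As right currently lives. The script below is an added example (not from the KB or from BlackBerry) that reads, without modifying anything, the Send As extended-right entries on a user object and on the domain's AdminSDHolder object through the ActiveDirectory module's AD: drive, and reports whether a grant present on the user but absent from AdminSDHolder is one that SDProp will overwrite. It assumes RSAT is installed, that the trustee name (BESAdmin) and the Send As rightsGuid `ab721a54-1e2f-11d0-9819-00aa0040529b` from the schema's Extended-Rights container are correct for your forest, and that the account running it can read both objects' security descriptors.

```powershell
# Added example (not from the KB): compare Send As ACEs on a user object with
# those on AdminSDHolder. Read-only; the equivalent command-line view is
#   dsacls "CN=AdminSDHolder,CN=System,DC=example,DC=com"
Import-Module ActiveDirectory

# rightsGuid of the Send-As extended right (assumption: confirm in
# CN=Send-As,CN=Extended-Rights,CN=Configuration,<forest DN>).
$SendAsGuid = [guid]'ab721a54-1e2f-11d0-9819-00aa0040529b'

function Get-SendAsAces {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $acl = Get-Acl -Path ('AD:\' + $DistinguishedName)
    # Send As is an extended right, so the ACE carries ExtendedRight with the
    # ObjectType GUID identifying which right is granted or denied.
    $acl.Access | Where-Object {
        ($_.ActiveDirectoryRights -band
            [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
        ($_.ObjectType -eq $SendAsGuid)
    } | Select-Object IdentityReference, AccessControlType, IsInherited
}

function Compare-SendAsWithAdminSDHolder {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,   # mailbox owner to inspect
        [string]$Trustee = 'BESAdmin'                    # assumed BES service account
    )
    $domain   = Get-ADDomain
    $holderDn = "CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)"
    $user     = Get-ADUser -Identity $SamAccountName -Properties adminCount

    # Only Allow ACEs for the trustee are relevant to whether Send As works.
    $onUser = @(Get-SendAsAces -DistinguishedName $user.DistinguishedName |
        Where-Object { $_.IdentityReference -like "*\$Trustee" -and
                       $_.AccessControlType -eq 'Allow' })
    $onHolder = @(Get-SendAsAces -DistinguishedName $holderDn |
        Where-Object { $_.IdentityReference -like "*\$Trustee" -and
                       $_.AccessControlType -eq 'Allow' })

    [pscustomobject]@{
        User                  = $SamAccountName
        Trustee               = $Trustee
        AdminCount            = $user.adminCount
        SendAsOnUserObject    = ($onUser.Count -gt 0)
        SendAsOnAdminSDHolder = ($onHolder.Count -gt 0)
        # A grant on the user that is missing from AdminSDHolder survives only
        # until the next SDProp pass, and only matters if adminCount is 1.
        LostOnNextSdPropPass  = ($onUser.Count -gt 0 -and $onHolder.Count -eq 0 -and
                                 $user.adminCount -eq 1)
    }
}

# Usage (names are assumptions):
Compare-SendAsWithAdminSDHolder -SamAccountName 'jdoe' -Trustee 'BESAdmin' | Format-List
```

LostOnNextSdPropPass being true is the precise condition the KB's Overview describes. Whether to resolve it by granting Send As on AdminSDHolder itself (the DSACLS procedure the KB points to and explicitly does not recommend) or by removing the user from the protected group is a decision for the directory owner; this script only makes the state visible.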

Important: This procedure is not recommended by Microsoft or by Research In Motion.


For more information and instructions on setting the Send As permission, see KB04707.

Disclaimer

By downloading, accessing or otherwise using the Knowledge Base documents you agree:

   (a) that the terms of use for the documents found at www.blackberry.com/legal/knowledgebase apply to your use or reference to these documents; and

   (b) not to copy, distribute, disclose or reproduce, in full or in part any of the documents without the express written consent of RIM.


Visit the BlackBerry Technical Solution Center at www.blackberry.com/btsc.