Assigning service account permissions for a BlackBerry Enterprise Server for Microsoft Exchange

Task 1

To assign Local Administrator rights to the BlackBerry Enterprise Server service account, complete the following steps:

For a BlackBerry Enterprise Server on a Domain Controller
1.Click Start > Programs > Administrative Tools > Active Directory Users and Computers.
2.Select the Builtin folder.
3.Double-click Administrators.
4.On the Members tab, click Add.
5.Type the BlackBerry Enterprise Server service account name (for example, BESAdmin), and then click Check Names.
6.Click OK.
7.Click Apply then OK.

For a BlackBerry Enterprise Server on a Member Server
1.Click Start > Administrative Tools > Computer Management.
2.In the left pane, expand System Tools and click Local Users and Groups.
3.In the right pane, double-click Groups.
4.Right-click Administrators and click Properties.
5.In the Administrators Properties window, click Add.
6.In the Select Users, Contacts, Computers, or Groups window, type the BlackBerry Enterprise Server service account name (for example, BESAdmin), and then click Check Names.
7.Click OK.
8.Click Apply then OK.

——————————————————————————–

Task 2

To assign Local Security Policy permissions to the BlackBerry Enterprise Server service account, complete the following steps:

Note: This procedure allows the BlackBerry Enterprise Server service account to access the local computer and to run the BlackBerry Enterprise Server as a Windows service.
1.Click Start > Administrative Tools > Local Security Policy.
NOTE: If the computer is a Domain Controller, click Start > Administrative Tools > Domain Controller Security Policy.

2.In the Local Security Policy window, click Local Policies > User Rights Assignment (for Windows Small Business Server 2008, click Start > Administrative Tools > Group Policy Management, then Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment).
3.Perform one of the following steps:
◦For Windows 2000 Server, double-click Log on locally.
◦For Windows Server 2003 and 2008, double-click Allow log on locally.

4.Click Add User or Group.
5.Select the BlackBerry Enterprise Server service account name, and then click Add.
6.Click OK.
7.In the Local Security Policy window, double-click Log on as a service.
8.Click Add User or Group, select the BlackBerry Enterprise Server service account, and then click Add.
9.Click OK.
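The following PowerShell script is an added example, not part of the original article, that confirms Tasks 1 and 2 actually took effect on the server: it reads the local Administrators group membership and parses the user-rights assignments exported by secedit. It assumes PowerShell 2.0 or later running elevated on the BlackBerry Enterprise Server host, and that DOMAIN\BESAdmin (a placeholder built from the article's example account) is replaced with the real service account.

```powershell
# Added example: verify the BES service account's local rights (not from the article).
# Assumptions: elevated PowerShell 2.0+ on the BES host; DOMAIN\BESAdmin is a placeholder.
$account = 'DOMAIN\BESAdmin'
$sam     = ($account -split '\\')[-1]

# Task 1: is the account a direct member of the local Administrators group?
# The WinNT provider lists domain members by sAMAccountName, so compare on that.
$group   = [ADSI]'WinNT://./Administrators,group'
$members = @($group.psbase.Invoke('Members') | ForEach-Object {
    $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
})
$isLocalAdmin = [bool]($members -contains $sam)

# Task 2: export the effective user-rights assignments with secedit and parse them.
# In the export, principals appear either as *SID or as DOMAIN\name, so resolve the SID too.
$sid = (New-Object System.Security.Principal.NTAccount($account)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value
$inf = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$rights = @{}
foreach ($line in Get-Content $inf) {
    if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
        $rights[$matches[1]] = @($matches[2] -split ',' | ForEach-Object { $_.Trim() })
    }
}
Remove-Item $inf -ErrorAction SilentlyContinue

function Test-UserRight([string]$right) {
    $holders = $rights[$right]
    [bool]($holders -and ($holders -contains "*$sid" -or $holders -contains $account))
}

New-Object PSObject -Property @{
    Account            = $account
    LocalAdministrator = $isLocalAdmin
    LogOnLocally       = Test-UserRight 'SeInteractiveLogonRight'
    LogOnAsService     = Test-UserRight 'SeServiceLogonRight'
    # A Deny right overrides the matching Allow. The article grants no Deny rights,
    # so $true here is the usual reason a correctly configured service will not start.
    DenyLogOnAsService = Test-UserRight 'SeDenyServiceLogonRight'
} | Format-List Account, LocalAdministrator, LogOnLocally, LogOnAsService, DenyLogOnAsService
```

The membership check only sees direct members; if the service account was made an administrator through a nested domain group it will report False even though the rights apply. The secedit export reflects the effective local policy, so on a member server it also shows rights pushed down by domain Group Policy, which is where a Deny logon right usually comes from.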

——————————————————————————–

Task 3

To grant the Send As permission on a single account for all BlackBerry smartphone users in a Microsoft Active Directory domain or container, complete the following steps:
1.Open Active Directory Users and Computers.
2.On the View menu, select the Advanced Features option.
Note: If Advanced Features is not selected, the Security tab will not be visible for domain and container objects.

3.Right-click the appropriate domain or container, and then click Properties.
4.On the Security tab, click Advanced.
5.If the BlackBerry Enterprise Server service account that requires the Send As permission is not listed, click Add and then select the BlackBerry Enterprise Server service account name.
6.Click OK.
7.Double-click the BlackBerry Enterprise Server service account name.
8.In the Apply onto list, select User objects.

Note: If the Domain Controller is Windows Server 2008, select Descendant User objects in the Apply onto list.

9.Select the Send As check box.
10.Click Apply, and then click OK.
11.Close the Properties window, and then close Active Directory Users and Computers.
Note: For more information about the Send As permission, visit the Microsoft Support Knowledge Base and search for Users cannot send e-mail messages from a mobile device or from a shared mailbox in Exchange 2000 Server and in Exchange Server 2003.

For Microsoft® Exchange Server 2007 and Microsoft Exchange Server 2010, the Send As permission can be granted to the BlackBerry Enterprise Server service account at a container level in Active Directory by using the PowerShell command shell.

Note: This command applies the same permission described in the steps above to a specific container within Active Directory. If new BlackBerry smartphone users are added that are located in a separate Active Directory container, this command will need to be run again, specifying the new location.

In the Exchange Management Shell command prompt window, type the following and press Enter:

Add-ADPermission -InheritedObjectType User -InheritanceType Descendents -ExtendedRights Send-As -User "BESAdmin" -Identity CN=<container>,DC=<domain_1>,DC=<domain_2>,DC=<domain_3>

or

Add-ADPermission -InheritedObjectType User -InheritanceType Descendents -ExtendedRights Send-As -User "BESAdmin" -Identity OU=<organizational_unit>,DC=<domain_1>,DC=<domain_2>,DC=<domain_3>

In this Distinguished Name format, the location of the object to be modified (in this case, the container in which BlackBerry smartphone users are found) is specified explicitly from the most specific to the least specific identifier. For example, if the domain name is example.com and the container is Users, the Identity string should read CN=Users,DC=example,DC=com. Note that there is no domain_3 in this example, as none is required. Because the entry is created with -InheritanceType Descendents and -InheritedObjectType User, it is an inherit-only entry that applies to user objects beneath the container; it grants nothing on the container object itself.

Successful application of this permission can be verified via Active Directory Users and Computers (steps 1 through 4 of Task 3, above), or via the Exchange Management Shell. To verify that this permission has been applied using PowerShell, run the following command:

Get-Mailbox -Identity "<display name>" | Get-ADPermission | where { ($_.ExtendedRights -like "*Send-As*") -and -not ($_.User -like "NT AUTHORITY\SELF") } | select Identity, User, ExtendedRights, IsInherited | FT -Wrap

Where <display name> is the display name of the BlackBerry smartphone user to be verified. The following output indicates success:

Identity   User             ExtendedRights   IsInherited
--------   ----             --------------   -----------
user01     domain\BESAdmin  {Send-As}        True
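The article's note says the Send As entry has to be applied to each container separately, and the verification above covers one user at a time. The following script is an added example, not part of the original article: it applies the same inherit-only entry to a list of containers and then reports every mailbox that still lacks an effective Send As for the service account. It assumes an Exchange 2007 or 2010 Management Shell; the account name and the second OU are placeholders, and the first container is the article's own example.

```powershell
# Added example (not from the article): grant Send-As for the BES service account on
# every container that holds BlackBerry users, then audit all mailboxes for the result.
# Assumptions: Exchange 2007/2010 Management Shell; account name and second OU are placeholders.
$besAccount = 'DOMAIN\BESAdmin'
$containers = @(
    'CN=Users,DC=example,DC=com',          # the article's worked example
    'OU=Mobile Users,DC=example,DC=com'    # assumed additional OU
)

foreach ($dn in $containers) {
    # Same entry the article creates: inherit-only, applied to descendant user objects.
    Add-ADPermission -Identity $dn -User $besAccount `
        -InheritedObjectType User -InheritanceType Descendents `
        -ExtendedRights Send-As | Out-Null
}

# Audit every mailbox: an Allow Send-As (explicit or inherited) for the account must be
# present and no Deny may exist, otherwise BES cannot send on the user's behalf.
$report = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    $aces  = Get-ADPermission -Identity $mbx.DistinguishedName -User $besAccount |
             Where-Object { $_.ExtendedRights -like '*Send-As*' }
    $allow = @($aces | Where-Object { -not $_.Deny })
    $deny  = @($aces | Where-Object { $_.Deny })
    # adminCount=1 marks accounts protected by AdminSDHolder: the directory re-applies a
    # fixed ACL to them on a schedule, which strips the inherited entry again. Such users
    # need an explicit (non-inherited) entry or a different account.
    $adminCount = ([ADSI]"LDAP://$($mbx.DistinguishedName)").psbase.Properties['adminCount'].Value
    New-Object PSObject -Property @{
        Mailbox   = $mbx.DisplayName
        OU        = $mbx.OrganizationalUnit
        SendAs    = ($allow.Count -gt 0 -and $deny.Count -eq 0)
        Inherited = (($allow | ForEach-Object { $_.IsInherited }) -contains $true)
        Protected = ($adminCount -eq 1)
    }
}
$report | Where-Object { -not $_.SendAs } |
    Format-Table Mailbox, OU, SendAs, Inherited, Protected -AutoSize
```

A mailbox that shows SendAs False with Protected True is the case the Microsoft article referenced above describes: the permission was granted correctly but is removed again because the user is a member of a protected group. Running the audit an hour or so after granting the permission catches this, whereas checking immediately does not.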

——————————————————————————–

Task 4

To assign Microsoft Exchange Server permissions at the Administrative Group level, complete the following steps for the appropriate Microsoft Exchange environment:

Note: This procedure allows an administrator to manage BlackBerry smartphone users and groups.

For Microsoft Exchange Server 2000 or 2003
1.Click Start > Programs > Microsoft Exchange > System Manager.
2.Select Administrative Groups.
3.Right-click First Administrative Group and select Delegate Control.
4.In the Exchange Administration Delegation Wizard, click Next, and then click Add.
5.Click Browse and then select the BlackBerry Enterprise Server service account.
6.Click OK.
7.In the Role drop-down list in the Delegate Control window, select Exchange View Only Administrator.
8.Click OK to add the BlackBerry Enterprise Server service account to the Users and Groups list.
9.Click Next, and then click Finish.

For Microsoft Exchange Server 2007

To set an Exchange View Only Administrator role:
1.Click Start > Programs > Microsoft Exchange Server 2007 > Exchange Management Shell.
2.At the Exchange Management Shell prompt (opened as an administrator), type the following and then press ENTER:
Add-ExchangeAdministrator -Identity <BESAdmin> -Role ViewOnlyAdmin

where <BESAdmin> is the name of the BlackBerry Enterprise Server service account.

To check an Exchange View Only Administrator role:
1.Click Start>Programs > Microsoft Exchange Server 2007 > Exchange Management Shell.
2.Open the command prompt as administrator, type the following and then press ENTER:
get-exchangeadministrator | Format-List

3.Verify that the BlackBerry Enterprise Server service account has the ViewOnlyAdmin role.

For Microsoft Exchange Server 2010
1.Click Start > Programs > Microsoft Exchange Server 2010 > Exchange Management Shell.
2.Open the command prompt as administrator, type the following command and then press ENTER:
Add-RoleGroupMember "View-Only Organization Management" -Member "BESAdmin"

——————————————————————————–

Task 5

To assign Microsoft Exchange Server permissions at the Microsoft Exchange Server level, complete the following steps:

For Microsoft Exchange Server 2000 or 2003
1.Click Start > Programs > Microsoft Exchange > System Manager.
2.Select Administrative Groups > First Administrative Group > Servers.
3.Right-click the Microsoft Exchange Server name and then click Properties.
4.On the Security tab, select the BlackBerry Enterprise Server service account.
5.Select the following permissions from the Permissions list:
◦Administer Information Store
◦Send As
◦Receive As

6.Click the Advanced button.
7.Verify that the Allow inheritable permissions from parent to propagate to this object and all child objects check box is selected.
8.Click OK.
9.Repeat the preceding steps for each Microsoft Exchange Server that will host mailboxes within the routing group.

If inheritable rights do not propagate to the individual mail stores, set the Send As, Receive As, and Administer Information Store permissions at the store level by completing the following steps in the Microsoft Exchange System Manager:
1.Click Start > Programs > Microsoft Exchange > System Manager.
2.Select Administrative Groups > First Administrative Group > Servers.
3.Click on the plus sign next to the Microsoft Exchange Server name to expand the next levels.
4.Click on the plus sign next to the First Storage Group to expand the information stores.
5.Right-click the first Mailbox Store name and then click Properties.
6.On the Security tab, select the BlackBerry Enterprise Server service account.
7.Select the following permissions from the Permissions list:
◦Administer Information Store
◦Send As
◦Receive As

8.Click the Advanced button.
9.Verify that the Allow inheritable permissions from parent to propagate to this object and all child objects check box is selected.
10.Click OK.
11.Repeat steps 5 through 10 for each Mailbox Store that will host mailboxes on this server.

For Microsoft Exchange Server 2007

To set the Send As, Receive As, and Administer Information Store permissions, complete the following steps:
1.Click Start > Programs > Microsoft Exchange Server 2007 > Exchange Management Shell.
2.Open the command prompt as administrator.
3.Type the following line, and then press ENTER:

Get-MailboxServer <server_name> | Add-ADPermission -User <BESAdmin> -AccessRights GenericRead, GenericWrite -ExtendedRights Send-As, Receive-As, ms-Exch-Store-Admin

Where <server_name> is the name of the Microsoft Exchange Server 2007 and <BESAdmin> is the name of the BlackBerry Enterprise Server service account.

If inheritance to the individual mail stores is not enabled, set the Send As, Receive As, and Administer Information Store permissions at the store level by running the following command in the Exchange Management Shell:

Get-MailboxDatabase '<server_name>\First Storage Group\Mailbox Database' | Add-ADPermission -User <BESAdmin> -AccessRights GenericRead, GenericWrite -ExtendedRights Send-As, Receive-As, ms-Exch-Store-Admin

Note: First Storage Group\Mailbox Database is the default mailbox database name within Microsoft Exchange Server 2007.

If inheritance to the individual mail stores is not enabled on a custom mailbox database, set the same permissions at the store level by running the following command in the Exchange Management Shell, substituting the database's own server, storage group and name:

Add-ADPermission -Identity "<server_name>\<storage_group>\<database_name>" -User "<BESAdmin>" -AccessRights GenericRead, GenericWrite -ExtendedRights Send-As, Receive-As, ms-Exch-Store-Admin

To verify the Send As, Receive As, and Administer Information Store permissions, complete the following steps:
1.Click Start > Programs > Microsoft Exchange Server 2007 > Exchange Management Shell.
2.Open the command prompt as administrator, type the following line and press Enter.
Get-MailboxServer <server_name> | Get-ADPermission -User <BESAdmin> | Format-List

To verify the Send As, Receive As, and Administer Information Store permissions at the mailbox store level, complete the following steps:
1.Click Start > Programs > Microsoft Exchange Server 2007 > Exchange Management Shell.
2.Open the command prompt as administrator, type the following and press Enter.
Get-MailboxDatabase '<server_name>\<storage_group>\<database_name>' | Get-ADPermission -User <BESAdmin> | Format-List

Note: The Get-MailboxDatabase cmdlet retrieves one or more mailbox database objects from a server or organization. For more information, see the Get-MailboxDatabase reference on Microsoft TechNet.

For Microsoft Exchange Server 2010
1.Click Start > Programs > Microsoft Exchange Server 2010 > Exchange Management Shell.
2.Open the command prompt as administrator, type the following line and then press ENTER:
Get-MailboxDatabase | Add-ADPermission -User "BESAdmin" -AccessRights ExtendedRight -ExtendedRights Receive-As, ms-Exch-Store-Admin, ms-Exch-Store-Visible

Note: The Get-MailboxDatabase cmdlet retrieves one or more mailbox database objects from a server or organization. If there are multiple Exchange servers with multiple mailbox databases, this command only needs to be run once, provided the Exchange servers are part of the same organization. However, for every new Exchange mailbox database that is created afterwards, run the command again so that the Exchange permissions are applied to that database. For more information, see the Get-MailboxDatabase reference on Microsoft TechNet.
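Because a database created after the command above was run silently lacks the rights, an audit that can be re-run is more useful than the one-off command. The script below is an added example, not part of the original article: it checks every Exchange 2010 mailbox database for the three extended rights named above and, when run with -Fix, applies only the ones that are missing. It assumes the Exchange 2010 Management Shell and that DOMAIN\BESAdmin is replaced with the real service account.

```powershell
# Added example (not from the article): audit every Exchange 2010 mailbox database for
# the extended rights the BES service account needs; with -Fix, apply the missing ones.
# Assumption: DOMAIN\BESAdmin is a placeholder for the real service account.
param([switch]$Fix)
$besAccount = 'DOMAIN\BESAdmin'
$required   = 'Receive-As', 'ms-Exch-Store-Admin', 'ms-Exch-Store-Visible'

foreach ($db in Get-MailboxDatabase) {
    # Entries inherited from the server or organization count; Deny entries do not.
    $held = @(Get-ADPermission -Identity $db.DistinguishedName -User $besAccount |
        Where-Object { -not $_.Deny } |
        ForEach-Object { $_.ExtendedRights } |
        ForEach-Object { "$_" })
    $missing = @($required | Where-Object { $held -notcontains $_ })

    if ($Fix -and $missing.Count -gt 0) {
        # Grant only what is absent, so the database ACL is not padded with duplicate entries.
        Add-ADPermission -Identity $db.DistinguishedName -User $besAccount `
            -AccessRights ExtendedRight -ExtendedRights $missing | Out-Null
    }
    New-Object PSObject -Property @{
        Database = $db.Name
        Server   = "$($db.Server)"
        Missing  = ($missing -join ', ')
        Fixed    = [bool]($Fix -and $missing.Count -gt 0)
    }
}
```

Save it as a script and run it without -Fix first; an empty Missing column on every row means the organization is in the state the article's command produces. A Deny entry for the account on a database is reported as missing rights even though an Allow exists, which is the correct reading: the Deny wins and BES will fail against that database.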

For Microsoft Exchange 5.5

The BlackBerry Enterprise Server service account requires the Service Account Admin permissions on the Site container and Configuration container.

——————————————————————————–

Task 6

To assign a throttling Policy for the BlackBerry Enterprise Server service account, complete the following steps:

Note: This only applies for Microsoft Exchange 2010

If a BESPolicy throttling policy has not already been created, then create a new throttling policy that does not limit concurrent connections to the Microsoft Exchange Server:
1.On the Microsoft Exchange Server, click Start > Microsoft Exchange Server 2010 > Exchange Management Shell.
2.Type New-ThrottlingPolicy BESPolicy -RCAMaxConcurrency $null -RCAPercentTimeInAD $null -RCAPercentTimeInCAS $null -RCAPercentTimeInMailboxRPC $null -EWSMaxConcurrency $null -EWSPercentTimeInAD $null -EWSPercentTimeInCAS $null -EWSPercentTimeInMailboxRPC $null -EWSMaxSubscriptions $null -EWSFastSearchTimeoutInSeconds $null -EWSFindCountLimit $null

Note: If the Microsoft Exchange Server is 2010 SP1, also run the following:

Set-ThrottlingPolicy BESPolicy -CPAMaxConcurrency $null -CPAPercentTimeInCAS $null -CPAPercentTimeInMailboxRPC $null

3.Type Set-Mailbox "BESAdmin" -ThrottlingPolicy BESPolicy.

4.Restart the BlackBerry Controller service (for an existing installation).

If a BESPolicy throttling policy has already been created but is still set to throttle concurrent connections, modify the existing BESPolicy to disable throttling:
1.On the Microsoft Exchange Server, click Start > Microsoft Exchange Server 2010 > Exchange Management Shell.
2.Type Set-ThrottlingPolicy BESPolicy -RCAMaxConcurrency $null -RCAPercentTimeInAD $null -RCAPercentTimeInCAS $null -RCAPercentTimeInMailboxRPC $null -EWSMaxConcurrency $null -EWSPercentTimeInAD $null -EWSPercentTimeInCAS $null -EWSPercentTimeInMailboxRPC $null -EWSMaxSubscriptions $null -EWSFastSearchTimeoutInSeconds $null -EWSFindCountLimit $null
3.Type Set-Mailbox "BESAdmin" -ThrottlingPolicy BESPolicy.
4.Restart the BlackBerry Controller service (for an existing installation).
Important : Restarting the BlackBerry Enterprise Server or its services might delay email message delivery to BlackBerry smartphones.

Note : It might take up to 20 minutes for replication to occur and BlackBerry smartphones to start.

If the preceding method does not work to reset the throttling policy, remove the existing policy and re-create a new BESPolicy.

Remove the BESPolicy by typing Remove-ThrottlingPolicy -Identity BESPolicy.

Note : A policy that is assigned to BlackBerry smartphone users cannot be removed. In order to remove a policy that is associated with any BlackBerry smartphone users, reassign the default policy to the BlackBerry smartphone user and then remove the BESPolicy.

For more information on the Microsoft Exchange Server 2010 throttling policy and the commands to set default policy, refer to Microsoft Technet and search for Remove-ThrottlingPolicy.
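Setting a limit to $null removes it entirely, so BESPolicy is a policy with no client-load protection and should be applied to the service account alone. The script below is an added example, not part of the original article: it lists which limits BESPolicy lifts compared with the default policy and then lists every mailbox that has BESPolicy assigned. It assumes the Exchange 2010 Management Shell and the policy name used in the article.

```powershell
# Added example (not from the article): show which limits BESPolicy lifts relative to the
# default throttling policy, and list the mailboxes it is assigned to.
# Assumption: Exchange 2010 Management Shell; policy name follows the article.
$policyName = 'BESPolicy'
$bes     = Get-ThrottlingPolicy $policyName
$default = Get-ThrottlingPolicy | Where-Object { $_.IsDefault }

# Every RCA*/EWS*/CPA* setting that is $null on BESPolicy but limited by default.
# $null means "no limit", so each row is a protection this account no longer has.
$settings = $bes | Get-Member -MemberType Property | Where-Object { $_.Name -match '^(RCA|EWS|CPA)' }
$lifted = foreach ($p in $settings) {
    $name = $p.Name
    if ($bes.$name -eq $null -and $default.$name -ne $null) {
        New-Object PSObject -Property @{ Setting = $name; DefaultLimit = $default.$name }
    }
}
$lifted | Sort-Object Setting | Format-Table Setting, DefaultLimit -AutoSize

# The unthrottled policy should be assigned to the BES service account only; any other
# mailbox listed here has had its throttling removed as well.
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ThrottlingPolicy -and $_.ThrottlingPolicy.Name -eq $policyName } |
    Select-Object Name, SamAccountName, ThrottlingPolicy
```

The second list is also what the Note above about Remove-ThrottlingPolicy refers to: every mailbox it shows has to be moved back to the default policy before BESPolicy can be removed and re-created.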

——————————————————————————–

Task 7

If the BlackBerry Configuration Database is hosted on Microsoft SQL Server, assign the server roles by completing the following steps:

Note: The following is not applicable to Microsoft SQL Server Desktop Engine (MSDE).

1.In Microsoft SQL Server Enterprise Manager, go to Microsoft SQL Servers > SQL Server Group > <server_name>.
2.Expand the Microsoft SQL Server and expand Security.
3.Right-click Logins.
4.Click New Login.
5.On the General tab, click the button next to the Name field.
6.Select the new BlackBerry Enterprise Server service account name from the Names list.
7.Click Add.
8.Click OK.
9.On the Server Roles tab, select Server Administrators and Database Creators from the Server Role list.
Note: If running BlackBerry Enterprise Server 4.1 to 5.0, add the System Administrators role to add BlackBerry smartphone users in a role-based administration environment. For instructions, see the Administration Guide – BlackBerry Enterprise Server for Microsoft Exchange.

10.On the Database Access / User Mapping tab, select the check box for the BlackBerry Configuration Database.
11.In the Database Roles for list, select the db_owner check box.
For additional information on assigning the required permissions for the BlackBerry Configuration Database, see KB03112.

For additional information on the permissions that are required to manage the BlackBerry Configuration Database, see KB02276:

http://btsc.webapps.blackberry.com/btsc/viewdocument.do?externalId=KB02276&sliceId=2&cmd=displayKC&docType=kc&noCount=true&ViewedDocsListHelper=com.kanisa.apps.common.BaseViewedDocsListHelperImpl
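The steps above grant the serveradmin and dbcreator fixed server roles (shown as Server Administrators and Database Creators in Enterprise Manager) plus db_owner on the configuration database, with sysadmin only in the role-based administration case. The following PowerShell script is an added example, not part of the original article: it queries the SQL Server catalog views for the roles the service account actually holds and flags each of those four. It assumes SQL Server 2005 or later (the catalog views do not exist in SQL Server 2000), Windows authentication for the user running it, and placeholders for the instance, database and account names; it also assumes the database user was created with the same name as the login, which is the Enterprise Manager default.

```powershell
# Added example (not from the article): verify the Task 7 login and roles over
# System.Data.SqlClient. Assumptions: SQL Server 2005+; placeholders below are replaced;
# the database user name equals the login name.
$sqlInstance = 'SQLSERVER01\BES'      # placeholder
$besDatabase = 'BESMgmt'              # placeholder: the BlackBerry Configuration Database
$besAccount  = 'DOMAIN\BESAdmin'      # placeholder

$conn = New-Object System.Data.SqlClient.SqlConnection
$conn.ConnectionString = "Server=$sqlInstance;Database=$besDatabase;Integrated Security=SSPI"
$conn.Open()
$serverRoles = @(); $dbRoles = @()
try {
    # Parameterised so the account name is never spliced into the SQL text.
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = @"
SELECT 'server' AS scope, r.name
FROM   sys.server_role_members m
JOIN   sys.server_principals r ON r.principal_id = m.role_principal_id
JOIN   sys.server_principals p ON p.principal_id = m.member_principal_id
WHERE  p.name = @login
UNION ALL
SELECT 'database', r.name
FROM   sys.database_role_members m
JOIN   sys.database_principals r ON r.principal_id = m.role_principal_id
JOIN   sys.database_principals p ON p.principal_id = m.member_principal_id
WHERE  p.name = @login
"@
    [void]$cmd.Parameters.AddWithValue('@login', $besAccount)

    $reader = $cmd.ExecuteReader()
    while ($reader.Read()) {
        if ($reader['scope'] -eq 'server') { $serverRoles += $reader['name'] }
        else                               { $dbRoles     += $reader['name'] }
    }
    $reader.Close()
}
finally { $conn.Close() }

New-Object PSObject -Property @{
    Login          = $besAccount
    ServerRoles    = ($serverRoles -join ', ')
    DatabaseRoles  = ($dbRoles -join ', ')
    HasServerAdmin = ($serverRoles -contains 'serveradmin')
    HasDbCreator   = ($serverRoles -contains 'dbcreator')
    HasDbOwner     = ($dbRoles -contains 'db_owner')
    # sysadmin is only called for in the role-based administration case noted above;
    # True here in any other deployment is more access than the article asks for.
    HasSysAdmin    = ($serverRoles -contains 'sysadmin')
} | Format-List Login, ServerRoles, DatabaseRoles, HasServerAdmin, HasDbCreator, HasDbOwner, HasSysAdmin
```

Run it from a host that can reach the SQL instance under an account with at least VIEW DEFINITION on the server and the database; the login itself does not need to be the one executing the query.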
