Posted by: Anthony Drewery | August 25, 2006

Updating BlackBerry Enterprise Server permissions to support store.exe changes

This is fairly old news now but something I thought worth documenting as it affected our two BES installations.

Microsoft have changed the Full Mailbox Access permissions in Exchange so that it no longer implies Send As rights. Recent fixes for store.exe include this change. When applied it affects 3rd party applications like BlackBerry Enterprise Server which previously only used Full Mailbox Access rights for the application account.

You can avoid disruption by a small amount of preparation before applying the latest Exchange fixes. You’ll need to grant the BES admin account Send As rights on the Active Directory user accounts of your BB users. You could do this individually but it would be easier to do it at OU level. You’ll need to take into account the inheritance configuration on your OUs to decide the best location(s) to set the permissions. To see the Security tab on your OU properties you’ll need to enable the Advanced Features in Active Directory Users & Computers. This is done via the View menu:


When viewing the Security tab click the Advanced button. Now click the Add button to add your BES service account. You’ll be presented with a list of permissions. Change the drop down box to User Objects then tick Allow Send As. Once you’ve Ok’d back to ADUC your permissions will be set.


Any administrative users will need to be addressed separately. Administrative users include anyone who is a member of the following groups:

Enterprise Admins
Schema Admins
Domain Admins
Cert Publishers
Backup Operators
Replicator Server Operators
Account Operators
Print Operators

It should be noted that it is good security practice not to have admin rights on your everyday mail-enabled account. 

To handle the administrative users the appropriate permissions need to be set on the AdminSDHolder container. The easiest way to do this is with the dsacls command. To use it you’ll need the Windows Server 2003 Support Tools installed. The syntax of the command is as follows:

dsacls "cn=AdminSDHolder,cn=System,dc=domain,dc=com" /G "\BESAdmin:CA;Send As"

Once all your permissions are set and verified you can go ahead and install the Exchange patches knowing that your BlackBerry users will continue to function as before. 

[tags]BlackBerry, BES[/tags]


  1. Good advise after the horse has bolted. In our case we have installed the SP2 and this is causing the problem so your good advise has come tolate, as will be the case with many users. How is it fixed now that the SP2 is isntalled and the store.exe is the issue?

    Thank you

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s


%d bloggers like this: