How big is this environment? If small, then fine, go ahead. If not small, then I 
would not change any AdminSDHolder settings. Why? Because it'll come back to 
bite you sometime later down the track. If you are in this situation, then give 
the IT Manager a separate Domain Admin account for managing domain resources. 
He can use his current account to log on to his machine (and get his mail), and 
you can make the account a local admin on his machine. When he needs to do DA 
stuff, get him to TS to the DC using his separate DA account.

Cheers
Ken

From: Gavin Wilby [mailto:[EMAIL PROTECTED]
Sent: Tuesday, 15 January 2008 11:52 PM
To: NT System Admin Issues
Subject: Blackberry and AdminSDHolder


Hi,

I have 5 users with Blackberrys on a 2003 domain. All is OK with them other 
than the IT manager needs to retain his Domain Admin rights, and as we all know 
if this happens then the Send as permission on the BesAdmin account will get 
blocked.

Microsoft suggest the following script to be run on the server to prevent these 
permissions from being overwritten:

dsacls "cn=adminsdholder,cn=system,dc=mydomain,dc=com" /G "\SELF:CA;Send As"
dsacls "cn=adminsdholder,cn=system,dc=<mydomain>,dc=com" /G "\SELF:CA;Receive As"
dsacls "cn=adminsdholder,cn=system,dc=<mydomain>,dc=com" /G "\SELF:CA;Change Password"
dsacls "cn=adminsdholder,cn=system,dc=<mydomain>,dc=com" /G "\SELF:RPWP;Personal Information"
dsacls "cn=adminsdholder,cn=system,dc=<mydomain>,dc=com" /G "\SELF:RPWP;Phone and Mail Options"
dsacls "cn=adminsdholder,cn=system,dc=<mydomain>,dc=com" /G "\SELF:RPWP;Web Information"
dsacls "cn=adminsdholder,cn=system,dc=mydomain,dc=com" /G "\BlackBerrySA:CA;Send As"
This is taken from here: http://support.microsoft.com/kb/907434

My question is: is it safe to do this, would you do it on a production server, 
and is it reversible if it does muck things up?

The IT manager does not want to mess with using other accounts or delegation 
rights so, please, I don't want answers back to this effect, simply if the above 
ACL changes on the AD will be OK to do.

Cheers,

Gavin.
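
On the reversibility question above, an added example (not from this thread or the KB article): it diffs two SDDL snapshots of the AdminSDHolder security descriptor, taken before and after the dsacls commands, to list exactly which ACEs were added and would need removing to roll back. The SDDL strings, the BlackBerrySA SID and the function names are constructed for illustration.

```python
import re

# Well-known extended-right GUIDs for three rights named in the dsacls commands.
EXTENDED_RIGHTS = {
    "ab721a54-1e2f-11d0-9819-00aa0040529b": "Send As",
    "ab721a56-1e2f-11d0-9819-00aa0040529b": "Receive As",
    "ab721a53-1e2f-11d0-9819-00aa0040529b": "Change Password",
}
ACE_FIELDS = ("type", "flags", "rights", "object_guid", "inherit_guid", "trustee")

# Constructed sample snapshots (not real output). dsacls "CA" is "CR" in SDDL,
# SELF is "PS"; the S-1-5-21-... SID stands in for the BlackBerrySA account.
BEFORE = "O:DAG:DAD:PAI(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)"
AFTER = (BEFORE
         + "(OA;;CR;ab721a54-1e2f-11d0-9819-00aa0040529b;;PS)"
         + "(OA;;CR;AB721A56-1E2F-11D0-9819-00AA0040529B;;PS)"
         + "(OA;;CR;ab721a54-1e2f-11d0-9819-00aa0040529b;;"
           "S-1-5-21-1111111111-2222222222-3333333333-1105)")

def parse_dacl(sddl):
    """Return the DACL of an SDDL string as a set of 6-field ACE tuples."""
    m = re.search(r"D:([A-Z]*)((?:\([^)]*\))*)", sddl)
    if not m:
        raise ValueError("no DACL in SDDL string")
    aces = set()
    for body in re.findall(r"\(([^)]*)\)", m.group(2)):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError(f"malformed ACE: ({body})")
        # GUID case varies between tools, so normalise fields 3 and 4.
        aces.add(tuple(f.lower() if i in (3, 4) else f
                       for i, f in enumerate(fields)))
    return aces

def added_aces(before_sddl, after_sddl):
    """Describe ACEs present after the change but absent before it."""
    report = []
    for ace in sorted(parse_dacl(after_sddl) - parse_dacl(before_sddl)):
        entry = dict(zip(ACE_FIELDS, ace))
        entry["right_name"] = EXTENDED_RIGHTS.get(entry["object_guid"], "unknown")
        report.append(entry)
    return report

if __name__ == "__main__":
    for e in added_aces(BEFORE, AFTER):
        print(e["trustee"], e["rights"], e["right_name"])
```
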
