Hi, I have 5 users with Blackberrys on a 2003 domain. All is OK with them other than the IT manager needs to retain his Domain Admin rights, and as we all know, if this happens then the Send As permission on the BesAdmin account will get blocked.

Microsoft suggest the following script to be run on the server to prevent these permissions from being overwritten:

dsacls "cn=adminsdholder,cn=system,dc=mydomain,dc=com" /G "\SELF:CA;Send As"
dsacls "cn=adminsdholder,cn=system,dc=<mydomain>,dc=com" /G "\SELF:CA;Receive As"
dsacls "cn=adminsdholder,cn=system,dc=<mydomain>,dc=com" /G "\SELF:CA;Change Password"
dsacls "cn=adminsdholder,cn=system,dc=<mydomain>,dc=com" /G "\SELF:RPWP;Personal Information"
dsacls "cn=adminsdholder,cn=system,dc=<mydomain>,dc=com" /G "\SELF:RPWP;Phone and Mail Options"
dsacls "cn=adminsdholder,cn=system,dc=<mydomain>,dc=com" /G "\SELF:RPWP;Web Information"
dsacls "cn=adminsdholder,cn=system,dc=mydomain,dc=com" /G "\BlackBerrySA:CA;Send As"

This is taken from here: http://support.microsoft.com/kb/907434

My question is: is it safe to do this, would you do it on a production server, and is it reversible if it does muck things up? The IT manager does not want to mess with using other accounts or delegation rights so, please, I don't want answers back to this effect, simply if the above ACL changes on the AD will be OK to do.

Cheers,
Gavin.
