Me, personally, I would never ever ever modify the adminSDHolder rights on
my domain.

 

Fair bet that after each service pack and some hotfixes it'll get reset
back to default.

 

That being said, I think you only need the first dsacls command. The others
are superfluous.

 

Regards,

 

Michael B. Smith

MCSE/Exchange MVP

http://TheEssentialExchange.com

 

From: Gavin Wilby [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, January 15, 2008 7:52 AM
To: NT System Admin Issues
Subject: Blackberry and AdminSDHolder

 

 

Hi,

 

I have 5 users with Blackberrys on a 2003 domain. All is OK with them other
than the IT manager needs to retain his Domain Admin rights, and as we all
know if this happens then the Send as permission on the BesAdmin account
will get blocked. 

 

Microsoft suggest the following script to be run on the server to prevent
these permissions from being overwritten:

 

dsacls "cn=adminsdholder,cn=system,dc=mydomain,dc=com" /G "\SELF:CA;Send As"
dsacls "cn=adminsdholder,cn=system,dc=<mydomain>,dc=com" /G "\SELF:CA;Receive As"
dsacls "cn=adminsdholder,cn=system,dc=<mydomain>,dc=com" /G "\SELF:CA;Change Password"
dsacls "cn=adminsdholder,cn=system,dc=<mydomain>,dc=com" /G "\SELF:RPWP;Personal Information"
dsacls "cn=adminsdholder,cn=system,dc=<mydomain>,dc=com" /G "\SELF:RPWP;Phone and Mail Options"
dsacls "cn=adminsdholder,cn=system,dc=<mydomain>,dc=com" /G "\SELF:RPWP;Web Information"
dsacls "cn=adminsdholder,cn=system,dc=mydomain,dc=com" /G "\BlackBerrySA:CA;Send As"

This is taken from here: http://support.microsoft.com/kb/907434

 

My question is: is it safe to do this, would you do it on a production
server, and is it reversible if it does muck things up?

 

The IT manager does not want to mess with using other accounts or delegation
rights, so please, I don't want answers back to this effect, simply whether the
above ACL changes on the AD will be OK to do.

 

Cheers,

 

Gavin.
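
On the reversibility question raised in this thread, an added example (not part of either message or of KB 907434): snapshot the AdminSDHolder DACL before running any dsacls command, diff it afterwards or at any later date, and restore it if needed. It assumes the ActiveDirectory PowerShell module is available and a session with rights on the object; the backup file name and the function names are hypothetical.

```powershell
# Added example: make an AdminSDHolder ACL change auditable and reversible.
# Assumptions: ActiveDirectory module (RSAT) is installed; file and function names are illustrative.
Import-Module ActiveDirectory

$Dn     = 'CN=AdminSDHolder,CN=System,' + (Get-ADDomain).DistinguishedName
$Path   = "AD:\$Dn"
$Backup = '.\AdminSDHolder-before.sddl'   # hypothetical backup file

function Save-AdminSdHolderAcl {
    # Store the full security descriptor as SDDL text before any change.
    (Get-Acl -Path $Path).Sddl | Set-Content -Path $Backup -Encoding ASCII
}

function Get-AceKey {
    param($Security)
    # Flatten each explicit and inherited ACE into one comparable string.
    $Security.GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) |
        ForEach-Object {
            '{0}|{1}|{2}|{3}' -f $_.IdentityReference, $_.AccessControlType,
                                 $_.ActiveDirectoryRights, $_.ObjectType
        }
}

function Compare-AdminSdHolderAcl {
    # '=>' marks ACEs present now but not in the snapshot; '<=' marks ACEs that disappeared.
    $before = New-Object System.DirectoryServices.ActiveDirectorySecurity
    $before.SetSecurityDescriptorSddlForm((Get-Content -Path $Backup -Raw).Trim())
    $now = Get-Acl -Path $Path
    Compare-Object -ReferenceObject @(Get-AceKey $before) -DifferenceObject @(Get-AceKey $now)
}

function Restore-AdminSdHolderAcl {
    # Put back only the DACL from the snapshot; owner, group and SACL are left untouched.
    $acl = Get-Acl -Path $Path
    $acl.SetSecurityDescriptorSddlForm(
        (Get-Content -Path $Backup -Raw).Trim(),
        [System.Security.AccessControl.AccessControlSections]::Access)
    Set-Acl -Path $Path -AclObject $acl
}

# Typical order:
#   Save-AdminSdHolderAcl        # before the dsacls change
#   Compare-AdminSdHolderAcl     # after the change, and again after patching
#   Restore-AdminSdHolderAcl     # only if the change has to be backed out
```

Because AdminSDHolder's ACL is copied onto every protected account, any ACE reported with `=>` applies to all of them, so the diff output is worth keeping with the change record.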








 
    
