Hi Ken,

I understand what you're saying with regard to a separate account, and I agree 100% with you - however he is the paying customer and doesn't want to go down that route - it's his decision not mine :)

I think we'll just go for it - my main concern was it breaking something major in the directory more than anything.

Gavin.

On Jan 15, 2008 12:57 PM, Ken Schaefer <[EMAIL PROTECTED]> wrote:
> How big is this environment? If small, then fine, go ahead. If not small,
> then I would not change any AdminSDHolder settings. Why? Because it'll come
> back to bite you sometime later down the track. If you are in this
> situation, then give the IT Manager a separate Domain Admin account for
> managing domain resources. He can use his current account to logon to his
> machine (and get his mail), and you can make the account a local admin on
> his machine. When he needs to do DA stuff, get him to TS to the DC using his
> separate DA account.
>
> Cheers
> Ken
>
> *From:* Gavin Wilby [mailto:[EMAIL PROTECTED]
> *Sent:* Tuesday, 15 January 2008 11:52 PM
> *To:* NT System Admin Issues
> *Subject:* Blackberry and AdminSDHolder
>
> Hi,
>
> I have 5 users with Blackberrys on a 2003 domain. All is OK with them
> other than the IT manager needs to retain his Domain Admin rights, and as we
> all know if this happens then the Send as permission on the BesAdmin account
> will get blocked.
>
> Microsoft suggest the following script to be run on the server to prevent
> these permissions from being overwritten:
>
> dsacls "cn=adminsdholder,cn=system,dc=mydomain,dc=com" /G "\SELF:CA;Send As"
> dsacls "cn=adminsdholder,cn=system,dc=<mydomain>,dc=com" /G "\SELF:CA;Receive As"
> dsacls "cn=adminsdholder,cn=system,dc=<mydomain>,dc=com" /G "\SELF:CA;Change Password"
> dsacls "cn=adminsdholder,cn=system,dc=<mydomain>,dc=com" /G "\SELF:RPWP;Personal Information"
> dsacls "cn=adminsdholder,cn=system,dc=<mydomain>,dc=com" /G "\SELF:RPWP;Phone and Mail Options"
> dsacls "cn=adminsdholder,cn=system,dc=<mydomain>,dc=com" /G "\SELF:RPWP;Web Information"
> dsacls "cn=adminsdholder,cn=system,dc=mydomain,dc=com" /G "\BlackBerrySA:CA;Send As"
>
> This is taken from here: http://support.microsoft.com/kb/907434
>
> My question is; is it safe to do this, would you do it on a production
> server and is it reversible if it does muck things up?
>
> The IT manager does not want to mess with using other accounts or
> delegation rights so, please I don't want answers back to this effect, simply
> if the above ACL changes on the AD will be Ok to do.
>
> Cheers,
>
> Gavin.
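
Added example (not part of the original thread or of the Microsoft KB article): one way to make the change discussed above reversible is to save the AdminSDHolder DACL before running the dsacls commands, list which ACEs differ afterwards, and restore from the saved copy if needed. It assumes the ActiveDirectory PowerShell module is installed; the domain DN is the thread's placeholder, and the backup path and function names are hypothetical.

```powershell
# Added example: snapshot, compare and restore the AdminSDHolder DACL.
# Assumes the ActiveDirectory module (RSAT), which provides the AD: drive.
Import-Module ActiveDirectory

$dn     = 'CN=AdminSDHolder,CN=System,DC=mydomain,DC=com'  # placeholder domain from the thread
$backup = 'C:\Temp\adminsdholder-before.sddl'               # hypothetical backup path
$dacl   = [System.Security.AccessControl.AccessControlSections]::Access

function Save-AdminSDHolderAcl {
    # Run BEFORE the dsacls commands: store the descriptor as SDDL text.
    (Get-Acl -Path "AD:$dn").Sddl | Set-Content -Path $backup -Encoding ASCII
}

function Get-AceSummary {
    param([System.DirectoryServices.ActiveDirectorySecurity]$Acl)
    # One line per ACE: trustee, allow/deny, rights, and the GUID of the
    # property set or extended right (e.g. Send As) the ACE applies to.
    $Acl.Access | ForEach-Object {
        '{0}|{1}|{2}|{3}' -f $_.IdentityReference, $_.AccessControlType,
                             $_.ActiveDirectoryRights, $_.ObjectType
    }
}

function Compare-AdminSDHolderAcl {
    # Rebuild the saved descriptor in memory and diff it against the live one.
    # '=>' rows are ACEs present now but not in the backup (i.e. what was added).
    $before = New-Object System.DirectoryServices.ActiveDirectorySecurity
    $before.SetSecurityDescriptorSddlForm((Get-Content -Path $backup -Raw).Trim())
    $after = Get-Acl -Path "AD:$dn"
    Compare-Object (Get-AceSummary $before) (Get-AceSummary $after)
}

function Restore-AdminSDHolderAcl {
    # Put back only the DACL section from the backup; owner and group are untouched.
    $acl = Get-Acl -Path "AD:$dn"
    $acl.SetSecurityDescriptorSddlForm((Get-Content -Path $backup -Raw).Trim(), $dacl)
    Set-Acl -Path "AD:$dn" -AclObject $acl
}
```

Accounts protected by AdminSDHolder pick up either change (the new ACEs or the restored DACL) only when the SDProp process next runs, so check a protected account's ACL after that interval rather than immediately.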
