I've heard a rumor from someone at RIM that in the near future,
Blackberry will not support attaching devices to administrative
accounts. The person I heard it from said that Microsoft told RIM to
make the change because they don't want people screwing with
AdminSDHolder. 

 

________________________________

From: Gavin Wilby [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, January 15, 2008 9:19 AM
To: NT System Admin Issues
Subject: Re: Blackberry and AdminSDHolder

 

 

Hi Ken,

 

I understand what you're saying with regard to a separate account, and
I agree 100% with you - however he is the paying customer and doesn't
want to go down that route - it's his decision not mine :)

 

I think we'll just go for it - my main concern was it breaking something
major in the directory more than anything.

 

Gavin.

On Jan 15, 2008 12:57 PM, Ken Schaefer <[EMAIL PROTECTED]> wrote:

 

How big is this environment? If small, then fine, go ahead. If not small,
then I would not change any AdminSDHolder settings. Why? Because it'll
come back to bite you sometime later down the track. If you are in this
situation, then give the IT Manager a separate Domain Admin account for
managing domain resources. He can use his current account to log on to
his machine (and get his mail), and you can make the account a local
admin on his machine. When he needs to do DA stuff, get him to TS to the
DC using his separate DA account.

 

Cheers

Ken

 

From: Gavin Wilby [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, 15 January 2008 11:52 PM
To: NT System Admin Issues
Subject: Blackberry and AdminSDHolder

 

 

Hi,

 

I have 5 users with Blackberrys on a 2003 domain. All is OK with them
other than the IT manager needs to retain his Domain Admin rights, and
as we all know if this happens then the Send as permission on the
BesAdmin account will get blocked. 

 

Microsoft suggest the following script to be run on the server to
prevent these permissions from being overwritten:

 

dsacls "cn=adminsdholder,cn=system,dc=mydomain,dc=com" /G "\SELF:CA;Send As"
dsacls "cn=adminsdholder,cn=system,dc=<mydomain>,dc=com" /G "\SELF:CA;Receive As"
dsacls "cn=adminsdholder,cn=system,dc=<mydomain>,dc=com" /G "\SELF:CA;Change Password"
dsacls "cn=adminsdholder,cn=system,dc=<mydomain>,dc=com" /G "\SELF:RPWP;Personal Information"
dsacls "cn=adminsdholder,cn=system,dc=<mydomain>,dc=com" /G "\SELF:RPWP;Phone and Mail Options"
dsacls "cn=adminsdholder,cn=system,dc=<mydomain>,dc=com" /G "\SELF:RPWP;Web Information"
dsacls "cn=adminsdholder,cn=system,dc=mydomain,dc=com" /G "\BlackBerrySA:CA;Send As"

This is taken from here: http://support.microsoft.com/kb/907434

 

My question is: is it safe to do this, would you do it on a production
server and is it reversible if it does muck things up?

 

The IT manager does not want to mess with using other accounts or
delegation rights so, please, I don't want answers back to this effect,
simply if the above ACL changes on the AD will be OK to do.

 

Cheers,

 

Gavin.
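
On the reversibility question raised in the thread, one way to snapshot the AdminSDHolder DACL before running the dsacls commands, list the ACEs they added, and put the original DACL back. This is an added example, not part of the thread or of KB 907434; the DN uses the thread's placeholder domain, and the file path and function names are hypothetical.

```powershell
# Added example. Assumptions: run as a Domain Admin on a domain-joined machine
# with PowerShell 3.0 or later; replace the placeholder domain components.
$Dn     = 'CN=AdminSDHolder,CN=System,DC=mydomain,DC=com'   # placeholder DN
$File   = 'C:\Temp\AdminSDHolder-dacl.sddl'                 # hypothetical path
$Access = [System.Security.AccessControl.AccessControlSections]::Access

function Get-AdminSDHolderDacl {
    # Return only the DACL of AdminSDHolder as an SDDL string.
    $entry = [ADSI]"LDAP://$Dn"
    $entry.psbase.ObjectSecurity.GetSecurityDescriptorSddlForm($Access)
}

function Save-AdminSDHolderDacl {
    # Run BEFORE the dsacls commands; refuses to overwrite an existing snapshot.
    if (Test-Path $File) { throw "Snapshot already exists: $File" }
    Get-AdminSDHolderDacl | Set-Content -Path $File -Encoding ASCII
}

function Compare-AdminSDHolderDacl {
    # Run AFTER the change: '=>' marks ACEs present now but not in the snapshot,
    # '<=' marks ACEs that were in the snapshot and are now gone.
    $pattern = '\([^)]*\)'   # one parenthesised ACE string
    $old = [regex]::Matches((Get-Content $File -Raw), $pattern) | ForEach-Object { $_.Value }
    $new = [regex]::Matches((Get-AdminSDHolderDacl), $pattern) | ForEach-Object { $_.Value }
    Compare-Object -ReferenceObject $old -DifferenceObject $new
}

function Restore-AdminSDHolderDacl {
    # Write the saved DACL back to AdminSDHolder.
    $entry = [ADSI]"LDAP://$Dn"
    $sddl  = (Get-Content $File -Raw).Trim()
    $entry.psbase.ObjectSecurity.SetSecurityDescriptorSddlForm($sddl, $Access)
    $entry.psbase.CommitChanges()
}
```

The ACL on AdminSDHolder is copied periodically onto every protected account, so the ACEs reported by Compare-AdminSDHolderDacl, including the BlackBerrySA Send As grant, apply to all protected accounts and a restore reaches them only on the next propagation pass.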
