Yes, you can run it more than once to include different OUs. However, you 
shouldn't be using your domain admin accounts for regular user activity, like 
reading email. Set up alternate accounts that have the domain admin rights, and 
use them for nothing other than domain admin activities.

-----Original Message-----
From: Joseph Heaton [mailto:[email protected]] 
Sent: Wednesday, September 15, 2010 4:13 PM
To: NT System Admin Issues
Subject: RE: BES install question

Ok, so in our AD structure, all our normal users would be under one OU, and 
various sub-OUs.  But, our domain admin users are located in a different OU.  
Is it possible to run this command twice, to include the different OUs?  Or do 
I have to have all accounts under the one?

>>> Charlie Kaiser <[email protected]> 9/15/2010 1:54 PM >>>
Actually, it's more the other way around; it's providing the BESAdmin
account with rights to send as users in the OU. For example, in section A:
you're adding an inherited perm to user accounts below the OU level. You're
allowing BESAdmin to send as any account in that OU. PS: You spelled
identity wrong (indentity).
Section B is providing the same rights but to a specific CN, so BESAdmin
could send as whatever account you specify in CN=.

So you'd want to set the OU in section A to the full DN of the OU where your
blackberry users reside. Let's hope it's a true OU and not a container for
various reasons. So let's say you had an OU named employees where all your
users reside and it's in yourdomain.local. Here's what you'd need:

Add-ADPermission -InheritedObjectType User -InheritanceType Descendents -ExtendedRights Send-As -User "BESAdmin" -Identity "OU=employees,DC=yourdomain,DC=local"

The BESAdmin account needs that right to be able to do its job within the
mailboxes.

Hope that helps.

***********************
Charlie Kaiser
[email protected] 
Kingman, AZ
***********************  


> -----Original Message-----
> From: Joseph Heaton [mailto:[email protected]] 
> Sent: Wednesday, September 15, 2010 1:34 PM
> To: NT System Admin Issues
> Subject: BES install question
> 
> Doing pre-installation tasks for BES and Exchange 2010.
> 
> I've created the BESAdmin mailbox, and I'm now configuring the Exchange 2010
> permissions.  It's asking me to type one of the following commands within the
> Exchange Management Shell.  I'm not sure what exactly the commands are trying
> to do, so I'm not sure how to fill in the blanks.  Can someone take a look and
> help me?
> 
> Do one of the following:
> 
> a)  To set the permissions at the organizational unit level, type
> Add-ADPermission -InheritedObjectType User -InheritanceType Descendents
> -ExtendedRights Send-As -User "BESAdmin" -Indentity
> "OU=<organizational unit>,DC=<domain_1>,DC=<domain_2>,DC=<domain_3>"
> where <domain_1>, <domain_2>, and <domain_3> form the name of the domain.
> 
> b) To set the permissions at the common name level, type
> Add-ADPermission -InheritedObjectType User -InheritanceType Descendents
> -ExtendedRights Send-As -User "BESAdmin" -Indentity
> "CN=<common_name>,DC=<domain_1>,DC=<domain_2>,DC=<domain_3>"
> where <domain_1>, <domain_2>, and <domain_3> form the name of the domain.
> 
> 
> 
> If I'm correct, these commands set up who can Send As the BESAdmin account,
> correct?  The documentation doesn't explain it, and I need to know exactly,
> so I know what to put in as <organizational unit> or <common_name>.
> 
> 
> Thanks,
> 
> Joe Heaton
> 
> 
> 
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~
> 
> ---
> To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/
> or send an email to [email protected]
> with the body: unsubscribe ntsysadmin
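
Following the replies above, an added example (not from the thread or from the BES documentation) for the Exchange Management Shell: it previews the Send-As grant on more than one OU and then lists every trustee holding Send-As on those OUs. The second OU name is a hypothetical placeholder.

```powershell
# Run in the Exchange Management Shell (Exchange 2010).
# OU names are constructed placeholders; replace them with your own DNs.
$besAccount = 'BESAdmin'
$targetOUs  = @(
    'OU=employees,DC=yourdomain,DC=local',
    'OU=admins,DC=yourdomain,DC=local'      # hypothetical second OU
)

# Note: accounts in protected groups such as Domain Admins have ACL
# inheritance disabled by AdminSDHolder, so an inherited OU-level ACE
# does not apply to them.

foreach ($ou in $targetOUs) {
    # Skip the grant if an explicit Send-As ACE for the account already exists.
    $existing = Get-ADPermission -Identity $ou |
        Where-Object {
            "$($_.User)" -like "*\$besAccount" -and
            $_.ExtendedRights -like 'Send-As' -and
            -not $_.IsInherited -and -not $_.Deny
        }
    if ($existing) {
        Write-Host "Send-As for $besAccount is already set on $ou"
        continue
    }

    # -WhatIf only previews the change; remove it to apply the grant.
    Add-ADPermission -Identity $ou -User $besAccount `
        -InheritedObjectType User -InheritanceType Descendents `
        -ExtendedRights Send-As -WhatIf
}

# Audit: list every trustee that holds Send-As on these OUs, so that
# unexpected accounts with the right stand out.
foreach ($ou in $targetOUs) {
    Get-ADPermission -Identity $ou |
        Where-Object { $_.ExtendedRights -like 'Send-As' -and -not $_.Deny } |
        Select-Object Identity, User, IsInherited, InheritanceType
}
```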

