Ok, so in our AD structure, all our normal users would be under one OU, and various sub-OUs. But, our domain admin users are located in a different OU. Is it possible to run this command twice, to include the different OUs? Or do I have to have all accounts under the one?
>>> Charlie Kaiser <charl...@golden-eagle.org> 9/15/2010 1:54 PM >>>
Actually, it's more the other way around; it's providing the BESAdmin account with rights to send as users in the OU.

For example, in section A: you're adding an inherited perm to user accounts below the OU level. You're allowing BESAdmin to send as any account in that OU. PS: You spelled identity wrong (indentity).

Section B is providing the same rights but to a specific CN, so BESAdmin could send as whatever account you specify in CN=.

So you'd want to set the OU in section A to the full DN of the OU where your blackberry users reside. Let's hope it's a true OU and not a container for various reasons.

So let's say you had an OU named employees where all your users reside and it's in yourdomain.local. Here's what you'd need:

Add-ADPermission -InheritedObjectType User -InheritanceType Descendents -ExtendedRights Send-As -User "BESAdmin" -Identity "OU=employees,DC=yourdomain,DC=local"

The BESAdmin account needs that right to be able to do its job within the mailboxes.

Hope that helps.

***********************
Charlie Kaiser
charl...@golden-eagle.org
Kingman, AZ
***********************

> -----Original Message-----
> From: Joseph Heaton [mailto:jhea...@dfg.ca.gov]
> Sent: Wednesday, September 15, 2010 1:34 PM
> To: NT System Admin Issues
> Subject: BES install question
>
> Doing pre-installation tasks for BES and Exchange 2010.
>
> I've created the BESAdmin mailbox, and I'm now configuring the Exchange 2010 permissions. It's asking me to type one of the following commands within the Exchange Management Shell. I'm not sure what exactly the commands are trying to do, so I'm not sure how to fill in the blanks. Can someone take a look and help me?
>
> Do one of the following:
>
> a) To set the permissions at the organizational unit level, type
> Add-ADPermission -InheritedObjectType User -InheritanceType Descendents -ExtendedRights Send-As -User "BESAdmin" -Indentity "OU=<organizational unit>,DC=<domain_1>,DC=<domain_2>,DC=<domain_3>"
> where <domain_1>, <domain_2>, and <domain_3> form the name of the domain.
>
> b) To set the permissions at the common name level, type
> Add-ADPermission -InheritedObjectType User -InheritanceType Descendents -ExtendedRights Send-As -User "BESAdmin" -Indentity "CN=<common_name>,DC=<domain_1>,DC=<domain_2>,DC=<domain_3>"
> where <domain_1>, <domain_2>, and <domain_3> form the name of the domain.
>
> If I'm correct, these commands set up who can Send As the BESAdmin account, correct? The documentation doesn't explain it, and I need to know exactly, so I know what to put in as <organizational unit> or <common_name>.
>
> Thanks,
>
> Joe Heaton
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
>
> ---
> To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/
> or send an email to listmana...@lyris.sunbeltsoftware.com
> with the body: unsubscribe ntsysadmin
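
Added example, not part of the original thread: one way to apply the Send-As grant from the reply above to more than one OU and then confirm where it actually landed, using the Exchange Management Shell cmdlets Add-ADPermission and Get-ADPermission. The second OU DN and the sample user DN are placeholders, and the OU list is an assumption about the environment.

```powershell
# Added example (not from the thread). Run in the Exchange Management Shell.
# Every OU listed here lets BESAdmin send as every user object below it,
# so list only the OUs that actually hold BlackBerry users.
$besAccount = 'BESAdmin'
$targetOUs  = @(
    'OU=employees,DC=yourdomain,DC=local',     # OU used in the reply above
    'OU=<second OU>,DC=yourdomain,DC=local'    # placeholder: fill in the real DN
)

foreach ($ou in $targetOUs) {
    # Look for an explicit (non-inherited) allow ACE already set on this OU,
    # so the script can be re-run without stacking duplicate entries.
    $existing = Get-ADPermission -Identity $ou | Where-Object {
        -not $_.IsInherited -and -not $_.Deny -and
        $_.User -like "*\$besAccount" -and
        $_.ExtendedRights -like '*Send-As*'
    }

    if ($existing) {
        Write-Host "Send-As for $besAccount already set on $ou"
    }
    else {
        # -WhatIf only reports what would change; remove it after reviewing.
        Add-ADPermission -Identity $ou -User $besAccount `
            -ExtendedRights Send-As `
            -InheritedObjectType User -InheritanceType Descendents -WhatIf
    }
}

# Verify on a sample user below each OU: the grant should show up there with
# IsInherited = True. An account with permission inheritance disabled (for
# example an AdminSDHolder-protected admin account) will not show it, even
# though the ACE is present on its parent OU.
$sampleUser = 'CN=<sample user>,OU=employees,DC=yourdomain,DC=local'  # placeholder
Get-ADPermission -Identity $sampleUser |
    Where-Object {
        $_.User -like "*\$besAccount" -and $_.ExtendedRights -like '*Send-As*'
    } |
    Format-Table Identity, User, IsInherited, Deny -AutoSize
```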