Nope. Ran the Exchange Management Shell as administrator, still get the same error.
>>> Jonathan Link <jonathan.l...@gmail.com> 9/15/2010 3:39 PM >>> Elevated command prompt? On Wed, Sep 15, 2010 at 6:35 PM, Joseph Heaton <jhea...@dfg.ca.gov> wrote: > What admin level do I need to run this command? I'm logged in on a Domain > Admin account, and in the Exchange world, I'm in the Organization Management > group. I'm getting the following error: > > Active Directory operation failed on LabDC1.xxx.xx.xx.xx. This error is > not retriable. Additional information: Access is denied. > > The rest of the code as problem 4003 (INSUFF_ACCESS_RIGHTS) > > So, apparently, Domain Admin and Organization Management isn't high enough > for this... > > >>> Charlie Kaiser <charl...@golden-eagle.org> 9/15/2010 1:54 PM >>> > Actually, it's more the other way around; it's providing the BESAdmin > account with rights to send as users in the OU. For example, in section A: > you're adding an inherited perm to user accounts below the OU level. You're > allowing BESAdmin to send as any account in that OU. PS: You spelled > identity wrong (indentity). > Section B is providing the same rights but to a specific CN, so BESAdmin > could send as whatever account you specify in CN=. > > So you'd want to set the OU in section A to the full DN of the OU where > your > blackberry users reside. Let's hope it's a true OU and not a container for > various reasons. So let's say you had an OU named employees where all your > users reside and it's in yourdomain.local. Here's what you'd need: > > Add-ADPermission -InheritedObjectType User - InheritanceType Descendents > -ExtendedRights Send-As -User "BESAdmin" -Identity > "OU=employees,DC=yourdomain,DC=local" > > The BESAdmin account needs that right to be able to do its job within the > mailboxes. > > Hope that helps. > > *********************** > Charlie Kaiser > charl...@golden-eagle.org > Kingman, AZ > *********************** > > > > -----Original Message----- > > From: Joseph Heaton [mailto:jhea...@dfg.ca.gov] > > Sent: Wednesday, September 15, 2010 1:34 PM > > To: NT System Admin Issues > > Subject: BES install question > > > > Doing pre-installation tasks for BES and Exchange 2010. > > > > I've created the BESAdmin mailbox, and I'm now configuring the Exchange > 2010 > > permissions. It's asking me to type one of the following commands within > the Exchange > > Management Shell. I'm not sure what exactly the commands are trying to > do, so I'm not > > sure how to fill in the blanks. Can someone take a look and help me? > > > > Do one of the following: > > > > a) To set the permissions at the organizational unit level, type > Add-ADPermission - > > InheritedObjectType User - InheritanceType Descendents -ExtendedRights > Send-As - > > User "BESAdmin" -Indentity "OU=<organizational > > unit>,DC=<domain_1>,DC=<domain_2>,DC=<domain_3>" where > <domain_1>,<domain_2>, and > > <domain_3> form the name of the domain. > > > > b) To set the permissions at the common name level, type Add-ADPermission > - > > InheritedObjectType User - InheritanceType Descendents -ExtendedRights > Send-As - > > User "BESAdmin" -Indentity > > "CN=<common_name>,DC=<domain_1>,DC=<domain_2>,DC=<domain_3>" where > > <domain_1>,<domain_2>, and <domain_3> form the name of the domain. > > > > > > > > If I'm correct, these commands setup who can Send As the BESAdmin > account, > correct? > > The documentation doesn't explain it, and I need to know exactly, so I > know what to put > > in as <organizational unit> or <common_name>. > > > > > > Thanks, > > > > Joe Heaton > > > > > > > > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ > > ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ > > > > --- > > To manage subscriptions click here: > http://lyris.sunbelt-software.com/read/my_forums/ > > or send an email to listmana...@lyris.sunbeltsoftware.com > > with the body: unsubscribe ntsysadmin > > > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ > ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ > > --- > To manage subscriptions click here: > http://lyris.sunbelt-software.com/read/my_forums/ > or send an email to listmana...@lyris.sunbeltsoftware.com > with the body: unsubscribe ntsysadmin > > > > > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ > ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ > > --- > To manage subscriptions click here: > http://lyris.sunbelt-software.com/read/my_forums/ > or send an email to listmana...@lyris.sunbeltsoftware.com > with the body: unsubscribe ntsysadmin > > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe ntsysadmin ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe ntsysadmin
