ActiveSync and Domain Admins
I noticed that my personal account did not work on my iPod with ActiveSync, but my test account worked ok. I did some checking and came across an article that said that ActiveSync does not work if the user is in the Domain Admins group. ExRCA fails as well with the error: ExRCA is attempting the FolderSync command on the Exchange ActiveSync session. The test of the FolderSync command failed. Additional Details Exchange ActiveSync returned an HTTP 500 response. Has anyone else encountered this problem?
RE: ActiveSync and Domain Admins
It's not a problem, per se. It's by design. ActiveSync won't work with accounts in any of the protected groups. In order to support RBAC, Exchange has to have permissions over much of the AD. Protected accounts/groups are explicitly restricted from Exchange having control over them. Otherwise, any Exchange admin could make themselves a domain admin, enterprise admin, backup operator, server operator, etc.etc. There is technical documentation on this change, but it isn't very accessible from a normal admin perspective (that is, ok you made that change - what does it mean to me). I bugged that last week. Regards, Michael B. Smith Consultant and Exchange MVP http://TheEssentialExchange.com From: Paul Steele [mailto:paul.ste...@acadiau.ca] Sent: Thursday, June 17, 2010 9:17 AM To: MS-Exchange Admin Issues Subject: ActiveSync and Domain Admins I noticed that my personal account did not work on my iPod with ActiveSync, but my test account worked ok. I did some checking and came across an article that said that ActiveSync does not work if the user is in the Domain Admins group. ExRCA fails as well with the error: ExRCA is attempting the FolderSync command on the Exchange ActiveSync session. The test of the FolderSync command failed. Additional Details Exchange ActiveSync returned an HTTP 500 response. Has anyone else encountered this problem?
Re: ActiveSync and Domain Admins
I've seen that with the BES server and Blackberrys, but not with iPods or iPhones. I'm a Domain Admin and I connect to our ISA server which points to one of our FE servers and i have no problem accessing my mail on my iPod. On Thu, Jun 17, 2010 at 9:16 AM, Paul Steele paul.ste...@acadiau.ca wrote: I noticed that my personal account did not work on my iPod with ActiveSync, but my test account worked ok. I did some checking and came across an article that said that ActiveSync does not work if the user is in the Domain Admins group. ExRCA fails as well with the error: ExRCA is attempting the FolderSync command on the Exchange ActiveSync session. The test of the FolderSync command failed. Additional Details Exchange ActiveSync returned an HTTP 500 response. Has anyone else encountered this problem? -- smsadm
Re: ActiveSync and Domain Admins
So the account you use every day is a member of the domain admins group? See if under the advanced securities tab of the user using ADUC if the Allow inheritance checkbox is checked. Chris On Thu, Jun 17, 2010 at 8:16 AM, Paul Steele paul.ste...@acadiau.ca wrote: I noticed that my personal account did not work on my iPod with ActiveSync, but my test account worked ok. I did some checking and came across an article that said that ActiveSync does not work if the user is in the Domain Admins group. ExRCA fails as well with the error: ExRCA is attempting the FolderSync command on the Exchange ActiveSync session. The test of the FolderSync command failed. Additional Details Exchange ActiveSync returned an HTTP 500 response. Has anyone else encountered this problem?
RE: ActiveSync and Domain Admins
Lots and lots of built in denies for Domain Admin's in Exchange so I am not surprised and I doubt you will be able to safely fix this. No offense, but I think you should rethink putting a Domain Admin account on a mobile device. Go for a non-privileged not even local admin account on your own computer account and then a separate domain admin account and use run as and remote desktop. It will hurt a little bit at first as you get used to it but there are no real productivity issues once you get the hang of it all. From: Paul Steele [mailto:paul.ste...@acadiau.ca] Sent: Thursday, June 17, 2010 9:17 AM To: MS-Exchange Admin Issues Subject: ActiveSync and Domain Admins I noticed that my personal account did not work on my iPod with ActiveSync, but my test account worked ok. I did some checking and came across an article that said that ActiveSync does not work if the user is in the Domain Admins group. ExRCA fails as well with the error: ExRCA is attempting the FolderSync command on the Exchange ActiveSync session. The test of the FolderSync command failed. Additional Details Exchange ActiveSync returned an HTTP 500 response. Has anyone else encountered this problem?
Re: ActiveSync and Domain Admins
Then you also have the issue of why you are using domain admin account all of the time and not use a separate account when elevated privileges are needed. As a side note: you will get a very similar problem with a blackberry enterprise server if you try to set up a user account who has elevated domain credentials Chris On Thu, Jun 17, 2010 at 8:23 AM, Michael B. Smith mich...@smithcons.comwrote: It’s not a problem, per se. It’s by design. ActiveSync won’t work with accounts in any of the protected groups. In order to support RBAC, Exchange has to have permissions over much of the AD. Protected accounts/groups are explicitly restricted from Exchange having control over them. Otherwise, any Exchange admin could make themselves a domain admin, enterprise admin, backup operator, server operator, etc.etc. There is technical documentation on this change, but it isn’t very accessible from a “normal admin” perspective (that is, ok you made that change – what does it mean to me). I bugged that last week. Regards, Michael B. Smith Consultant and Exchange MVP http://TheEssentialExchange.com *From:* Paul Steele [mailto:paul.ste...@acadiau.ca] *Sent:* Thursday, June 17, 2010 9:17 AM *To:* MS-Exchange Admin Issues *Subject:* ActiveSync and Domain Admins I noticed that my personal account did not work on my iPod with ActiveSync, but my test account worked ok. I did some checking and came across an article that said that ActiveSync does not work if the user is in the Domain Admins group. ExRCA fails as well with the error: ExRCA is attempting the FolderSync command on the Exchange ActiveSync session. The test of the FolderSync command failed. Additional Details Exchange ActiveSync returned an HTTP 500 response. Has anyone else encountered this problem?
RE: ActiveSync and Domain Admins
Which just means you aren't running Exchange 2010. :) Ever since the security change that Exchange introduced in Exchange 2003 sp2 it has not been recommended or a best practice for high privilege accounts to have mailboxes. Regards, Michael B. Smith Consultant and Exchange MVP http://TheEssentialExchange.com From: sms adm [mailto:sms...@gmail.com] Sent: Thursday, June 17, 2010 9:26 AM To: MS-Exchange Admin Issues Subject: Re: ActiveSync and Domain Admins I've seen that with the BES server and Blackberrys, but not with iPods or iPhones. I'm a Domain Admin and I connect to our ISA server which points to one of our FE servers and i have no problem accessing my mail on my iPod. On Thu, Jun 17, 2010 at 9:16 AM, Paul Steele paul.ste...@acadiau.camailto:paul.ste...@acadiau.ca wrote: I noticed that my personal account did not work on my iPod with ActiveSync, but my test account worked ok. I did some checking and came across an article that said that ActiveSync does not work if the user is in the Domain Admins group. ExRCA fails as well with the error: ExRCA is attempting the FolderSync command on the Exchange ActiveSync session. The test of the FolderSync command failed. Additional Details Exchange ActiveSync returned an HTTP 500 response. Has anyone else encountered this problem? -- smsadm
RE: ActiveSync and Domain Admins
across an article that said that ActiveSync does not work if the user is in the Domain Admins group. The Blackberry BES server has a similar caveat; it's a by-design security related thing. The Long and short of it is the best practice of not using your domain admin account for day-to-day tasks such as web browsing, email, etc... Set up a new account (psteelea or something) with domain admin rights; remove domain admin membership from your personal account. If you don't want to do that there are ways around it by editing the domain security templates. You could probably find how to do that with a bit of searching. Well, this method does work for BES, but up to you to figure out if a similar change works for activesync since it's probably a bit different in what specific rights/accounts need perms. ~JasonG
RE: ActiveSync and Domain Admins
Correct on both counts. Regards, Michael B. Smith Consultant and Exchange MVP http://TheEssentialExchange.com From: Chris [mailto:cmu...@gmail.com] Sent: Thursday, June 17, 2010 9:28 AM To: MS-Exchange Admin Issues Subject: Re: ActiveSync and Domain Admins Then you also have the issue of why you are using domain admin account all of the time and not use a separate account when elevated privileges are needed. As a side note: you will get a very similar problem with a blackberry enterprise server if you try to set up a user account who has elevated domain credentials Chris On Thu, Jun 17, 2010 at 8:23 AM, Michael B. Smith mich...@smithcons.commailto:mich...@smithcons.com wrote: It's not a problem, per se. It's by design. ActiveSync won't work with accounts in any of the protected groups. In order to support RBAC, Exchange has to have permissions over much of the AD. Protected accounts/groups are explicitly restricted from Exchange having control over them. Otherwise, any Exchange admin could make themselves a domain admin, enterprise admin, backup operator, server operator, etc.etc. There is technical documentation on this change, but it isn't very accessible from a normal admin perspective (that is, ok you made that change - what does it mean to me). I bugged that last week. Regards, Michael B. Smith Consultant and Exchange MVP http://TheEssentialExchange.com From: Paul Steele [mailto:paul.ste...@acadiau.camailto:paul.ste...@acadiau.ca] Sent: Thursday, June 17, 2010 9:17 AM To: MS-Exchange Admin Issues Subject: ActiveSync and Domain Admins I noticed that my personal account did not work on my iPod with ActiveSync, but my test account worked ok. I did some checking and came across an article that said that ActiveSync does not work if the user is in the Domain Admins group. ExRCA fails as well with the error: ExRCA is attempting the FolderSync command on the Exchange ActiveSync session. The test of the FolderSync command failed. Additional Details Exchange ActiveSync returned an HTTP 500 response. Has anyone else encountered this problem?
Mail Flow Between Forests
During our move of mailboxes down to the Exchange 2010 resource forest, we want to keep e-mail addresses the same as well as no interruption of mail flow between the two forests. I know on the Exchange 2010 side, I need to create a Send Connector that routes mail back through the legacy Exchange 2003 forest until all of the mailboxes of that forest is moved over. What option do I need to choose for the Send Connector on the 2010 side for the intended use? Would it be Custom, Internal or Partner? I am leading towards partner, but I can't get it to work. I have entered the IP address of the HT server in the resource forest on the Default SMTP Virtual Server for Exchange 2003. Chris Pohlschneider Holloway Sportswear Network Administrator chris.pohlschnei...@hollowayusa.com 937-494-2559
RE: ActiveSync and Domain Admins
Basic Best Practice says you should have at least two accounts. One privileged and one Joe User. Privileged accounts should never be mail enabled. M From: Paul Steele [mailto:paul.ste...@acadiau.ca] Sent: Thursday, June 17, 2010 6:17 AM To: MS-Exchange Admin Issues Subject: ActiveSync and Domain Admins I noticed that my personal account did not work on my iPod with ActiveSync, but my test account worked ok. I did some checking and came across an article that said that ActiveSync does not work if the user is in the Domain Admins group. ExRCA fails as well with the error: ExRCA is attempting the FolderSync command on the Exchange ActiveSync session. The test of the FolderSync command failed. Additional Details Exchange ActiveSync returned an HTTP 500 response. Has anyone else encountered this problem?
New BES 5.0 server but can't login to BAS
We installed BES 5.0 MR3 yesterday and have migrated a few users. All seems fine except that we cannot login to Blackberry Administrative Service. We get the error The username, password or domain is not correct. Please correct the entry It's an outstanding issue which RIM developers have not resolved as mentioned in the article below: http://www.blackberry.com/btsc/search.do?cmd=displayKCdocType=kcexternalId=KB17949 We have attempted to follow Workaround 1 as described in the article however we find the 'how-to' a bit vague so we aren't even sure that what we did is what we're supposed to do. Just wondering if anyone else has encountered this if you were able to get around it. Thanks in advance. -- Tammy George Sr. Systems Operator Technology Services Acadia University tel: (902) 585-1158 fax: (902) 585-1066
RE: ActiveSync and Domain Admins
RBAC is very, very cool and at the same time kinda like watching paint dry. Possibly the biggest leap forward for Exchange to date. All MS server side Apps will follow this model. Learn it, love it. Of course all my opinion. M From: Michael B. Smith [mailto:mich...@smithcons.com] Sent: Thursday, June 17, 2010 6:23 AM To: MS-Exchange Admin Issues Subject: RE: ActiveSync and Domain Admins It's not a problem, per se. It's by design. ActiveSync won't work with accounts in any of the protected groups. In order to support RBAC, Exchange has to have permissions over much of the AD. Protected accounts/groups are explicitly restricted from Exchange having control over them. Otherwise, any Exchange admin could make themselves a domain admin, enterprise admin, backup operator, server operator, etc.etc. There is technical documentation on this change, but it isn't very accessible from a normal admin perspective (that is, ok you made that change - what does it mean to me). I bugged that last week. Regards, Michael B. Smith Consultant and Exchange MVP http://TheEssentialExchange.com From: Paul Steele [mailto:paul.ste...@acadiau.ca] Sent: Thursday, June 17, 2010 9:17 AM To: MS-Exchange Admin Issues Subject: ActiveSync and Domain Admins I noticed that my personal account did not work on my iPod with ActiveSync, but my test account worked ok. I did some checking and came across an article that said that ActiveSync does not work if the user is in the Domain Admins group. ExRCA fails as well with the error: ExRCA is attempting the FolderSync command on the Exchange ActiveSync session. The test of the FolderSync command failed. Additional Details Exchange ActiveSync returned an HTTP 500 response. Has anyone else encountered this problem?
Re: New BES 5.0 server but can't login to BAS
We have to logon using the BAS account. Even after service pak we are not able to use AD logon. Have a script to reset pw for that account. On Thu, Jun 17, 2010 at 8:48 AM, Tammy George tammy.geo...@acadiau.cawrote: We installed BES 5.0 MR3 yesterday and have migrated a few users. All seems fine except that we cannot login to Blackberry Administrative Service. We get the error “The username, password or domain is not correct. Please correct the entry” It’s an outstanding issue which RIM developers have not resolved as mentioned in the article below: http://www.blackberry.com/btsc/search.do?cmd=displayKCdocType=kcexternalId=KB17949 We have attempted to follow Workaround 1 as described in the article however we find the ‘how-to’ a bit vague so we aren’t even sure that what we did is what we’re supposed to do. Just wondering if anyone else has encountered this if you were able to get around it. Thanks in advance. -- Tammy George Sr. Systems Operator Technology Services Acadia University tel: (902) 585-1158 fax: (902) 585-1066
RE: Mail Flow Between Forests
You need custom on the exchange 2010 side. Don't put an IP address on default SMTP VS on the 2003 side. Create an SMTP connector their too. If you put the IP address on the VS, you'll eventually get authentication errors that won't make sense. :-P Regards, Michael B. Smith Consultant and Exchange MVP http://TheEssentialExchange.com From: Chris Pohlschneider [mailto:chris.pohlschnei...@hollowayusa.com] Sent: Thursday, June 17, 2010 9:44 AM To: MS-Exchange Admin Issues Subject: Mail Flow Between Forests During our move of mailboxes down to the Exchange 2010 resource forest, we want to keep e-mail addresses the same as well as no interruption of mail flow between the two forests. I know on the Exchange 2010 side, I need to create a Send Connector that routes mail back through the legacy Exchange 2003 forest until all of the mailboxes of that forest is moved over. What option do I need to choose for the Send Connector on the 2010 side for the intended use? Would it be Custom, Internal or Partner? I am leading towards partner, but I can't get it to work. I have entered the IP address of the HT server in the resource forest on the Default SMTP Virtual Server for Exchange 2003. Chris Pohlschneider Holloway Sportswear Network Administrator chris.pohlschnei...@hollowayusa.commailto:chris.pohlschnei...@hollowayusa.com 937-494-2559
RE: ActiveSync and Domain Admins
And in Exchange 2010 sp1 it's much more accessible and usable. Regards, Michael B. Smith Consultant and Exchange MVP http://TheEssentialExchange.com From: Matt Moore [mailto:mattmoore...@hotmail.com] Sent: Thursday, June 17, 2010 9:54 AM To: MS-Exchange Admin Issues Subject: RE: ActiveSync and Domain Admins RBAC is very, very cool and at the same time kinda like watching paint dry. Possibly the biggest leap forward for Exchange to date. All MS server side Apps will follow this model. Learn it, love it. Of course all my opinion. M From: Michael B. Smith [mailto:mich...@smithcons.com] Sent: Thursday, June 17, 2010 6:23 AM To: MS-Exchange Admin Issues Subject: RE: ActiveSync and Domain Admins It's not a problem, per se. It's by design. ActiveSync won't work with accounts in any of the protected groups. In order to support RBAC, Exchange has to have permissions over much of the AD. Protected accounts/groups are explicitly restricted from Exchange having control over them. Otherwise, any Exchange admin could make themselves a domain admin, enterprise admin, backup operator, server operator, etc.etc. There is technical documentation on this change, but it isn't very accessible from a normal admin perspective (that is, ok you made that change - what does it mean to me). I bugged that last week. Regards, Michael B. Smith Consultant and Exchange MVP http://TheEssentialExchange.com From: Paul Steele [mailto:paul.ste...@acadiau.ca] Sent: Thursday, June 17, 2010 9:17 AM To: MS-Exchange Admin Issues Subject: ActiveSync and Domain Admins I noticed that my personal account did not work on my iPod with ActiveSync, but my test account worked ok. I did some checking and came across an article that said that ActiveSync does not work if the user is in the Domain Admins group. ExRCA fails as well with the error: ExRCA is attempting the FolderSync command on the Exchange ActiveSync session. The test of the FolderSync command failed. Additional Details Exchange ActiveSync returned an HTTP 500 response. Has anyone else encountered this problem?
Re: New BES 5.0 server but can't login to BAS
I hope their phones work better than their software. My experience with their software is that it is pitiful and unpredictable. On Thu, Jun 17, 2010 at 9:58 AM, Jeff Brown 2jbr...@gmail.com wrote: We have to logon using the BAS account. Even after service pak we are not able to use AD logon. Have a script to reset pw for that account. On Thu, Jun 17, 2010 at 8:48 AM, Tammy George tammy.geo...@acadiau.cawrote: We installed BES 5.0 MR3 yesterday and have migrated a few users. All seems fine except that we cannot login to Blackberry Administrative Service. We get the error “The username, password or domain is not correct. Please correct the entry” It’s an outstanding issue which RIM developers have not resolved as mentioned in the article below: http://www.blackberry.com/btsc/search.do?cmd=displayKCdocType=kcexternalId=KB17949 We have attempted to follow Workaround 1 as described in the article however we find the ‘how-to’ a bit vague so we aren’t even sure that what we did is what we’re supposed to do. Just wondering if anyone else has encountered this if you were able to get around it. Thanks in advance. -- Tammy George Sr. Systems Operator Technology Services Acadia University tel: (902) 585-1158 fax: (902) 585-1066 -- smsadm
RE: ActiveSync and Domain Admins
I'm in the domain admins group, and I got my Windows Mobile to work after migrating to 2010 by going in and enabling inheritance on my user account in AD. The adminSDholder process will disable inheritance again but it appears that once you enable it and get AS working, it continues to work after inheritance is disabled again. From: Michael B. Smith [mailto:mich...@smithcons.com] Sent: Thursday, June 17, 2010 9:00 AM To: MS-Exchange Admin Issues Subject: RE: ActiveSync and Domain Admins And in Exchange 2010 sp1 it's much more accessible and usable. Regards, Michael B. Smith Consultant and Exchange MVP http://TheEssentialExchange.com From: Matt Moore [mailto:mattmoore...@hotmail.com] Sent: Thursday, June 17, 2010 9:54 AM To: MS-Exchange Admin Issues Subject: RE: ActiveSync and Domain Admins RBAC is very, very cool and at the same time kinda like watching paint dry. Possibly the biggest leap forward for Exchange to date. All MS server side Apps will follow this model. Learn it, love it. Of course all my opinion. M From: Michael B. Smith [mailto:mich...@smithcons.com] Sent: Thursday, June 17, 2010 6:23 AM To: MS-Exchange Admin Issues Subject: RE: ActiveSync and Domain Admins It's not a problem, per se. It's by design. ActiveSync won't work with accounts in any of the protected groups. In order to support RBAC, Exchange has to have permissions over much of the AD. Protected accounts/groups are explicitly restricted from Exchange having control over them. Otherwise, any Exchange admin could make themselves a domain admin, enterprise admin, backup operator, server operator, etc.etc. There is technical documentation on this change, but it isn't very accessible from a normal admin perspective (that is, ok you made that change - what does it mean to me). I bugged that last week. Regards, Michael B. Smith Consultant and Exchange MVP http://TheEssentialExchange.com From: Paul Steele [mailto:paul.ste...@acadiau.ca] Sent: Thursday, June 17, 2010 9:17 AM To: MS-Exchange Admin Issues Subject: ActiveSync and Domain Admins I noticed that my personal account did not work on my iPod with ActiveSync, but my test account worked ok. I did some checking and came across an article that said that ActiveSync does not work if the user is in the Domain Admins group. ExRCA fails as well with the error: ExRCA is attempting the FolderSync command on the Exchange ActiveSync session. The test of the FolderSync command failed. Additional Details Exchange ActiveSync returned an HTTP 500 response. Has anyone else encountered this problem? ** Note: The information contained in this message may be privileged and confidential and protected from disclosure. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify us immediately by replying to the message and deleting it from your computer. **
RE: Mail Flow Between Forests
I removed the IP of the HT of the resource forest within Exchange 2003 SMTP VS. Now I created the send connector on Exchange 2010 and chose custom. Here are the other options that I selected as well. For some reason it is still getting hung up in the queue on the 2010 server and never delivers the message to someone on Exchange 2003 server. Address Space SMTP= domain name of the Exchange 2003 server (example.com) Route Mail through the following smart host (IP address of the Exchange 2003 server) Did not choose use DNS records to route mail From: Michael B. Smith [mailto:mich...@smithcons.com] Sent: Thursday, June 17, 2010 9:58 AM To: MS-Exchange Admin Issues Subject: RE: Mail Flow Between Forests You need custom on the exchange 2010 side. Don't put an IP address on default SMTP VS on the 2003 side. Create an SMTP connector their too. If you put the IP address on the VS, you'll eventually get authentication errors that won't make sense. :-P Regards, Michael B. Smith Consultant and Exchange MVP http://TheEssentialExchange.com From: Chris Pohlschneider [mailto:chris.pohlschnei...@hollowayusa.com] Sent: Thursday, June 17, 2010 9:44 AM To: MS-Exchange Admin Issues Subject: Mail Flow Between Forests During our move of mailboxes down to the Exchange 2010 resource forest, we want to keep e-mail addresses the same as well as no interruption of mail flow between the two forests. I know on the Exchange 2010 side, I need to create a Send Connector that routes mail back through the legacy Exchange 2003 forest until all of the mailboxes of that forest is moved over. What option do I need to choose for the Send Connector on the 2010 side for the intended use? Would it be Custom, Internal or Partner? I am leading towards partner, but I can't get it to work. I have entered the IP address of the HT server in the resource forest on the Default SMTP Virtual Server for Exchange 2003. Chris Pohlschneider Holloway Sportswear Network Administrator chris.pohlschnei...@hollowayusa.com 937-494-2559
RE: ActiveSync and Domain Admins
That did the trick. I don't disagree with all the comments concerning security concerns. I think I'll investigate alternatives and see if an old dog can learn new tricks... From: Campbell, Rob [mailto:rob_campb...@centraltechnology.net] Sent: June-17-10 11:11 AM To: MS-Exchange Admin Issues Subject: RE: ActiveSync and Domain Admins I'm in the domain admins group, and I got my Windows Mobile to work after migrating to 2010 by going in and enabling inheritance on my user account in AD. The adminSDholder process will disable inheritance again but it appears that once you enable it and get AS working, it continues to work after inheritance is disabled again. From: Michael B. Smith [mailto:mich...@smithcons.com] Sent: Thursday, June 17, 2010 9:00 AM To: MS-Exchange Admin Issues Subject: RE: ActiveSync and Domain Admins And in Exchange 2010 sp1 it's much more accessible and usable. Regards, Michael B. Smith Consultant and Exchange MVP http://TheEssentialExchange.com From: Matt Moore [mailto:mattmoore...@hotmail.com] Sent: Thursday, June 17, 2010 9:54 AM To: MS-Exchange Admin Issues Subject: RE: ActiveSync and Domain Admins RBAC is very, very cool and at the same time kinda like watching paint dry. Possibly the biggest leap forward for Exchange to date. All MS server side Apps will follow this model. Learn it, love it. Of course all my opinion. M From: Michael B. Smith [mailto:mich...@smithcons.com] Sent: Thursday, June 17, 2010 6:23 AM To: MS-Exchange Admin Issues Subject: RE: ActiveSync and Domain Admins It's not a problem, per se. It's by design. ActiveSync won't work with accounts in any of the protected groups. In order to support RBAC, Exchange has to have permissions over much of the AD. Protected accounts/groups are explicitly restricted from Exchange having control over them. Otherwise, any Exchange admin could make themselves a domain admin, enterprise admin, backup operator, server operator, etc.etc. There is technical documentation on this change, but it isn't very accessible from a normal admin perspective (that is, ok you made that change - what does it mean to me). I bugged that last week. Regards, Michael B. Smith Consultant and Exchange MVP http://TheEssentialExchange.com From: Paul Steele [mailto:paul.ste...@acadiau.ca] Sent: Thursday, June 17, 2010 9:17 AM To: MS-Exchange Admin Issues Subject: ActiveSync and Domain Admins I noticed that my personal account did not work on my iPod with ActiveSync, but my test account worked ok. I did some checking and came across an article that said that ActiveSync does not work if the user is in the Domain Admins group. ExRCA fails as well with the error: ExRCA is attempting the FolderSync command on the Exchange ActiveSync session. The test of the FolderSync command failed. Additional Details Exchange ActiveSync returned an HTTP 500 response. Has anyone else encountered this problem? ** Note: The information contained in this message may be privileged and confidential and protected from disclosure. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify us immediately by replying to the message and deleting it from your computer. **
RE: ActiveSync and Domain Admins
You can. I am old and also in EDU. If I did it anyone can. :) From: Paul Steele [mailto:paul.ste...@acadiau.ca] Sent: Thursday, June 17, 2010 11:01 AM To: MS-Exchange Admin Issues Subject: RE: ActiveSync and Domain Admins I think I'll investigate alternatives and see if an old dog can learn new tricks...
RE: ActiveSync and Domain Admins
It's a PITA as are most security related changes, but makes sense. From: Paul Steele [mailto:paul.ste...@acadiau.ca] Sent: Thursday, June 17, 2010 8:01 AM To: MS-Exchange Admin Issues Subject: RE: ActiveSync and Domain Admins That did the trick. I don't disagree with all the comments concerning security concerns. I think I'll investigate alternatives and see if an old dog can learn new tricks... From: Campbell, Rob [mailto:rob_campb...@centraltechnology.net] Sent: June-17-10 11:11 AM To: MS-Exchange Admin Issues Subject: RE: ActiveSync and Domain Admins I'm in the domain admins group, and I got my Windows Mobile to work after migrating to 2010 by going in and enabling inheritance on my user account in AD. The adminSDholder process will disable inheritance again but it appears that once you enable it and get AS working, it continues to work after inheritance is disabled again. From: Michael B. Smith [mailto:mich...@smithcons.com] Sent: Thursday, June 17, 2010 9:00 AM To: MS-Exchange Admin Issues Subject: RE: ActiveSync and Domain Admins And in Exchange 2010 sp1 it's much more accessible and usable. Regards, Michael B. Smith Consultant and Exchange MVP http://TheEssentialExchange.com From: Matt Moore [mailto:mattmoore...@hotmail.com] Sent: Thursday, June 17, 2010 9:54 AM To: MS-Exchange Admin Issues Subject: RE: ActiveSync and Domain Admins RBAC is very, very cool and at the same time kinda like watching paint dry. Possibly the biggest leap forward for Exchange to date. All MS server side Apps will follow this model. Learn it, love it. Of course all my opinion. M From: Michael B. Smith [mailto:mich...@smithcons.com] Sent: Thursday, June 17, 2010 6:23 AM To: MS-Exchange Admin Issues Subject: RE: ActiveSync and Domain Admins It's not a problem, per se. It's by design. ActiveSync won't work with accounts in any of the protected groups. In order to support RBAC, Exchange has to have permissions over much of the AD. Protected accounts/groups are explicitly restricted from Exchange having control over them. Otherwise, any Exchange admin could make themselves a domain admin, enterprise admin, backup operator, server operator, etc.etc. There is technical documentation on this change, but it isn't very accessible from a normal admin perspective (that is, ok you made that change - what does it mean to me). I bugged that last week. Regards, Michael B. Smith Consultant and Exchange MVP http://TheEssentialExchange.com From: Paul Steele [mailto:paul.ste...@acadiau.ca] Sent: Thursday, June 17, 2010 9:17 AM To: MS-Exchange Admin Issues Subject: ActiveSync and Domain Admins I noticed that my personal account did not work on my iPod with ActiveSync, but my test account worked ok. I did some checking and came across an article that said that ActiveSync does not work if the user is in the Domain Admins group. ExRCA fails as well with the error: ExRCA is attempting the FolderSync command on the Exchange ActiveSync session. The test of the FolderSync command failed. Additional Details Exchange ActiveSync returned an HTTP 500 response. Has anyone else encountered this problem? ** Note: The information contained in this message may be privileged and confidential and protected from disclosure. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify us immediately by replying to the message and deleting it from your computer. **
IP Allow List a True Whitelist?
With an Exchange 2007 Edge server, is the IP allow list a true whitelist-as in, all mail from an IP address on that list will always be trusted, no matter what? We use Postini, and their servers' IP addresses are on our allow list. When we had Sender Reputation enabled, though, the Edge server would add Postini's servers to the block list if too much junk seemed to come from them-which of course would cause all of our inbound mail to stop coming. At least, that's what I remember happening when we tried it a year ago. That's why I turned off Sender Reputation on our edge server, as I recall, after we started using Postini. Or could I be remembering wrong? Should the IP allow list trump everything else, or can a machine be explicitly allowed and automatically blocked simultaneously? John Hornbuckle MIS Department Taylor County School District www.taylor.k12.fl.us NOTICE: Florida has a broad public records law. Most written communications to or from this entity are public records that will be disclosed to the public and the media upon request. E-mail communications may be subject to public disclosure.
Store brought down by a user today
This ever happen to anyone ... Had a user send a number of individual large emails (5MB+) to hundreds of people, then after sending each one, deleted his Sent folder, increasing his Deleted Items to 4GB. We were a bit lean with 8GB available to the store (file system), but we had 19GB of white space available. We lost all the space and had the store dismount. How would I stop this, other than throwing the offender off the roof :) Been quite the afternoon. Thx in advance
RE: Store brought down by a user today
Mailbox Quotas, active monitoring and proper amount of disk capacity for overhead is a good start.
Re: Store brought down by a user today
Quota was 75/125/200 This happened in 2 hours. Documented 19GB white space then. We will be implementing new storage in the next 6 weeks. On Thu, Jun 17, 2010 at 5:18 PM, Robinson, Chuck chuck.robin...@emc.comwrote: Mailbox Quotas, active monitoring and proper amount of disk capacity for overhead is a good start.
RE: Store brought down by a user today
I vote for the throwing them off the roof. However, a good monitoring solution would've alerted you to what is going on. Regards, Michael B. Smith Consultant and Exchange MVP http://TheEssentialExchange.com From: sms adm [mailto:sms...@gmail.com] Sent: Thursday, June 17, 2010 5:12 PM To: MS-Exchange Admin Issues Subject: Store brought down by a user today This ever happen to anyone ... Had a user send a number of individual large emails (5MB+) to hundreds of people, then after sending each one, deleted his Sent folder, increasing his Deleted Items to 4GB. We were a bit lean with 8GB available to the store (file system), but we had 19GB of white space available. We lost all the space and had the store dismount. How would I stop this, other than throwing the offender off the roof :) Been quite the afternoon. Thx in advance
Re: Store brought down by a user today
Monitoring for sure before bad things happens, and take a look at the good side of the story, you have no white space now on that DB (-: Cheers, Ocd On 6/17/10, Robinson, Chuck chuck.robin...@emc.com wrote: Mailbox Quotas, active monitoring and proper amount of disk capacity for overhead is a good start. -- Sent from my mobile device Oz Casey Dedeal Systems Engineer MVP (exchange) MCITP (EMA), MCITP (EA), MCITP (SA), MCSE 2003| M+| S+ | MCDST | Security+|Project+| Server+| http://smtp25.blogspot.com (Blog) http://telnet25.wordpress.com (Blog) http://telnet25.spaces.live.com (Blog) telne...@gmail.com https://www.mcpvirtualbusinesscard.com/VBCServer/Odedeal/interactivecard
Re: Store brought down by a user today
The powers that be will need more incidents like this before they are convinced to pay for MOM ... unfortunately. Should the user have been able to grow their Deleted Items to that point without problem? Thx On Thu, Jun 17, 2010 at 5:35 PM, Michael B. Smith mich...@smithcons.comwrote: I vote for the “throwing them off the roof”. However, a good monitoring solution would’ve alerted you to what is going on. Regards, Michael B. Smith Consultant and Exchange MVP http://TheEssentialExchange.com *From:* sms adm [mailto:sms...@gmail.com] *Sent:* Thursday, June 17, 2010 5:12 PM *To:* MS-Exchange Admin Issues *Subject:* Store brought down by a user today This ever happen to anyone ... Had a user send a number of individual large emails (5MB+) to hundreds of people, then after sending each one, deleted his Sent folder, increasing his Deleted Items to 4GB. We were a bit lean with 8GB available to the store (file system), but we had 19GB of white space available. We lost all the space and had the store dismount. How would I stop this, other than throwing the offender off the roof :) Been quite the afternoon. Thx in advance -- smsadm
Re: Store brought down by a user today
There are other monitoring applications that would not cost you anything. On Thu, Jun 17, 2010 at 4:47 PM, sms adm sms...@gmail.com wrote: The powers that be will need more incidents like this before they are convinced to pay for MOM ... unfortunately. Should the user have been able to grow their Deleted Items to that point without problem? Thx On Thu, Jun 17, 2010 at 5:35 PM, Michael B. Smith mich...@smithcons.comwrote: I vote for the “throwing them off the roof”. However, a good monitoring solution would’ve alerted you to what is going on. Regards, Michael B. Smith Consultant and Exchange MVP http://TheEssentialExchange.com *From:* sms adm [mailto:sms...@gmail.com] *Sent:* Thursday, June 17, 2010 5:12 PM *To:* MS-Exchange Admin Issues *Subject:* Store brought down by a user today This ever happen to anyone ... Had a user send a number of individual large emails (5MB+) to hundreds of people, then after sending each one, deleted his Sent folder, increasing his Deleted Items to 4GB. We were a bit lean with 8GB available to the store (file system), but we had 19GB of white space available. We lost all the space and had the store dismount. How would I stop this, other than throwing the offender off the roof :) Been quite the afternoon. Thx in advance -- smsadm -- Sherry Abercrombie Any sufficiently advanced technology is indistinguishable from magic. Arthur C. Clarke
RE: Store brought down by a user today
should is an interesting question. I've had this discussion with the Exchange team before (because this isn't the first time I've seen this happen - probably the third time in 15 years). But in comparison to lots of other issues - it's rare. There are some changes and additional controls in this area in Exchange 2010 - but the reality is - nothing can completely protect you from stupid user tricks. And while MOM/OpsMgr has over 800 touch-points - there are others that could've helped you here. Nagios, WhatsUp, PolyMonetc. (Note: I can no longer recommend ServersAlive, despite having used it for OVER a decade, because it doesn't support Server 2008, much less Server 2008 R2.) Regards, Michael B. Smith Consultant and Exchange MVP http://TheEssentialExchange.com From: sms adm [mailto:sms...@gmail.com] Sent: Thursday, June 17, 2010 5:48 PM To: MS-Exchange Admin Issues Subject: Re: Store brought down by a user today The powers that be will need more incidents like this before they are convinced to pay for MOM ... unfortunately. Should the user have been able to grow their Deleted Items to that point without problem? Thx On Thu, Jun 17, 2010 at 5:35 PM, Michael B. Smith mich...@smithcons.commailto:mich...@smithcons.com wrote: I vote for the throwing them off the roof. However, a good monitoring solution would've alerted you to what is going on. Regards, Michael B. Smith Consultant and Exchange MVP http://TheEssentialExchange.com From: sms adm [mailto:sms...@gmail.commailto:sms...@gmail.com] Sent: Thursday, June 17, 2010 5:12 PM To: MS-Exchange Admin Issues Subject: Store brought down by a user today This ever happen to anyone ... Had a user send a number of individual large emails (5MB+) to hundreds of people, then after sending each one, deleted his Sent folder, increasing his Deleted Items to 4GB. We were a bit lean with 8GB available to the store (file system), but we had 19GB of white space available. We lost all the space and had the store dismount. How would I stop this, other than throwing the offender off the roof :) Been quite the afternoon. Thx in advance -- smsadm
Re: Store brought down by a user today
On Thu, Jun 17, 2010 at 15:21, Michael B. Smith mich...@smithcons.com wrote: snip (Note: I can no longer recommend ServersAlive, despite having used it for OVER a decade, because it doesn’t support Server 2008, much less Server 2008 R2.) Well that's not happy. I was thinking about upgrading, because I'm just not finding the time to put into nagios, but if that's the case, I may have to reconsider. Kurt
RE: Store brought down by a user today
For my clients that can't afford third party monitoring environments/tools, I'm using PolyMon. It works very well, and does 95% of what ServersAlive did for me. And it's free. Regards, Michael B. Smith Consultant and Exchange MVP http://TheEssentialExchange.com -Original Message- From: Kurt Buff [mailto:kurt.b...@gmail.com] Sent: Thursday, June 17, 2010 6:38 PM To: MS-Exchange Admin Issues Subject: Re: Store brought down by a user today On Thu, Jun 17, 2010 at 15:21, Michael B. Smith mich...@smithcons.com wrote: snip (Note: I can no longer recommend ServersAlive, despite having used it for OVER a decade, because it doesn’t support Server 2008, much less Server 2008 R2.) Well that's not happy. I was thinking about upgrading, because I'm just not finding the time to put into nagios, but if that's the case, I may have to reconsider. Kurt
Re: Store brought down by a user today
I've never heard of PolyMon so thanks for the heads up, I'll check it out myself since free is good :) On Thu, Jun 17, 2010 at 3:45 PM, Michael B. Smith mich...@smithcons.comwrote: For my clients that can't afford third party monitoring environments/tools, I'm using PolyMon. It works very well, and does 95% of what ServersAlive did for me. And it's free. Regards, Michael B. Smith Consultant and Exchange MVP http://TheEssentialExchange.com -Original Message- From: Kurt Buff [mailto:kurt.b...@gmail.com] Sent: Thursday, June 17, 2010 6:38 PM To: MS-Exchange Admin Issues Subject: Re: Store brought down by a user today On Thu, Jun 17, 2010 at 15:21, Michael B. Smith mich...@smithcons.com wrote: snip (Note: I can no longer recommend ServersAlive, despite having used it for OVER a decade, because it doesn’t support Server 2008, much less Server 2008 R2.) Well that's not happy. I was thinking about upgrading, because I'm just not finding the time to put into nagios, but if that's the case, I may have to reconsider. Kurt
Re: Store brought down by a user today
I'm curious, wouldn't mailbox limits with suitably low prohibit send thresholds have prevented this problem? Bill On Thu, Jun 17, 2010 at 4:17 PM, Eric seag...@gmail.com wrote: I've never heard of PolyMon so thanks for the heads up, I'll check it out myself since free is good :) On Thu, Jun 17, 2010 at 3:45 PM, Michael B. Smith mich...@smithcons.comwrote: For my clients that can't afford third party monitoring environments/tools, I'm using PolyMon. It works very well, and does 95% of what ServersAlive did for me. And it's free. Regards, Michael B. Smith Consultant and Exchange MVP http://TheEssentialExchange.com http://theessentialexchange.com/ -Original Message- From: Kurt Buff [mailto:kurt.b...@gmail.com] Sent: Thursday, June 17, 2010 6:38 PM To: MS-Exchange Admin Issues Subject: Re: Store brought down by a user today On Thu, Jun 17, 2010 at 15:21, Michael B. Smith mich...@smithcons.com wrote: snip (Note: I can no longer recommend ServersAlive, despite having used it for OVER a decade, because it doesn’t support Server 2008, much less Server 2008 R2.) Well that's not happy. I was thinking about upgrading, because I'm just not finding the time to put into nagios, but if that's the case, I may have to reconsider. Kurt
RE: Store brought down by a user today
I have used this product for years in many different companies i have worked for http://www.ks-soft.net/hostmon.eng/regmon.htm Jean-Paul Natola From: mich...@smithcons.com To: exchangelist@lyris.sunbelt-software.com Subject: RE: Store brought down by a user today Date: Thu, 17 Jun 2010 22:45:07 + For my clients that can't afford third party monitoring environments/tools, I'm using PolyMon. It works very well, and does 95% of what ServersAlive did for me. And it's free. Regards, Michael B. Smith Consultant and Exchange MVP http://TheEssentialExchange.com -Original Message- From: Kurt Buff [mailto:kurt.b...@gmail.com] Sent: Thursday, June 17, 2010 6:38 PM To: MS-Exchange Admin Issues Subject: Re: Store brought down by a user today On Thu, Jun 17, 2010 at 15:21, Michael B. Smith wrote: (Note: I can no longer recommend ServersAlive, despite having used it for OVER a decade, because it doesn’t support Server 2008, much less Server 2008 R2.) Well that's not happy. I was thinking about upgrading, because I'm just not finding the time to put into nagios, but if that's the case, I may have to reconsider. Kurt _ The New Busy is not the too busy. Combine all your e-mail accounts with Hotmail. http://www.windowslive.com/campaign/thenewbusy?tile=multiaccountocid=PID28326::T:WLMTAGL:ON:WL:en-US:WM_HMP:042010_4
RE: Store brought down by a user today
If nothing else, a simple sAlive! setup to monitor disk space on data drives would alert you based on thresholds you set. Erik Goldoff IT Consultant Systems, Networks, Security ' Security is an ongoing process, not a one time event ! ' From: sms adm [mailto:sms...@gmail.com] Sent: Thursday, June 17, 2010 5:12 PM To: MS-Exchange Admin Issues Subject: Store brought down by a user today This ever happen to anyone ... Had a user send a number of individual large emails (5MB+) to hundreds of people, then after sending each one, deleted his Sent folder, increasing his Deleted Items to 4GB. We were a bit lean with 8GB available to the store (file system), but we had 19GB of white space available. We lost all the space and had the store dismount. How would I stop this, other than throwing the offender off the roof :) Been quite the afternoon. Thx in advance
RE: Store brought down by a user today
Damn, that's news to me ... I'll have to check that out Erik Goldoff IT Consultant Systems, Networks, Security ' Security is an ongoing process, not a one time event ! ' -Original Message- From: Kurt Buff [mailto:kurt.b...@gmail.com] Sent: Thursday, June 17, 2010 6:38 PM To: MS-Exchange Admin Issues Subject: Re: Store brought down by a user today On Thu, Jun 17, 2010 at 15:21, Michael B. Smith mich...@smithcons.com wrote: snip (Note: I can no longer recommend ServersAlive, despite having used it for OVER a decade, because it doesnt support Server 2008, much less Server 2008 R2.) Well that's not happy. I was thinking about upgrading, because I'm just not finding the time to put into nagios, but if that's the case, I may have to reconsider. Kurt
RE: Store brought down by a user today
No one mentioned Max Recipients yet? I limit emails to 50 recipients. It helps, on top of the other ideas. From: sms adm [mailto:sms...@gmail.com] Sent: Thursday, June 17, 2010 4:12 PM To: MS-Exchange Admin Issues Subject: Store brought down by a user today This ever happen to anyone ... Had a user send a number of individual large emails (5MB+) to hundreds of people, then after sending each one, deleted his Sent folder, increasing his Deleted Items to 4GB. We were a bit lean with 8GB available to the store (file system), but we had 19GB of white space available. We lost all the space and had the store dismount. How would I stop this, other than throwing the offender off the roof :) Been quite the afternoon. Thx in advance
Re: Store brought down by a user today
Hi sms, Now that the dust has hopefully settled and you (and we) are looking into the various suggestions for preventing this in future, I just wondered if you or someone at your organization has spoken to the user involved and asked them why they did what they did and if they realized that it was a bad thing to do and to try to ascertain whether it was in fact a deliberate act. I'd be interested to hear feedback about that if at all possible, no need to go into minute detail. Thanks in advance, Andrew On 18 June 2010 12:33, Sam Cayze sam.ca...@rollouts.com wrote: No one mentioned Max Recipients yet? I limit emails to 50 recipients. It helps, on top of the other ideas. *From:* sms adm [mailto:sms...@gmail.com] *Sent:* Thursday, June 17, 2010 4:12 PM *To:* MS-Exchange Admin Issues *Subject:* Store brought down by a user today This ever happen to anyone ... Had a user send a number of individual large emails (5MB+) to hundreds of people, then after sending each one, deleted his Sent folder, increasing his Deleted Items to 4GB. We were a bit lean with 8GB available to the store (file system), but we had 19GB of white space available. We lost all the space and had the store dismount. How would I stop this, other than throwing the offender off the roof :) Been quite the afternoon. Thx in advance -- Kind regards, Andrew Levicki MCITP:EDST7/EMA/EA,MCSE,MCSA,MCP,CCNA,ITIL
RE: Tracking Down Spam Source
So if I'm reading this correctly, the spammers used her creds to send email via OWA? Or is there another form of external email access you provide? -Original Message- From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us] Sent: Thursday, 17 June 2010 12:03 AM To: MS-Exchange Admin Issues Subject: RE: Tracking Down Spam Source Here's an update. Looking in the user's mailbox, I see that she received a phishing e-mail from activate.onl...@discuz.org. It's one of those messages that say that your e-mail account is about to be deactivated, and to please send your username and password in order to keep things working. I also see in her Sent Items folder that she replied to the message, graciously sending the requested information on Tuesday at around 10:00 AM Eastern. Around 6:00 PM Eastern, she started getting bounced messages by the boatload. Non-deliverable spam, sent under her name. So the good folks at discuz.org apparently made good use of the username and password she sent. Which brings up the question of, how do I combat this? User education is obvious--we've REPEATEDLY stressed to our users that they are not to send out their passwords via e-mail, and that we'll never request their passwords via e-mail. But beyond that, let's assume that users will be users and will occasionally do what they're told not to. What other layers of defense can we set up? -Original Message- From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us] Sent: Wednesday, June 16, 2010 9:54 AM To: MS-Exchange Admin Issues Subject: RE: Tracking Down Spam Source This is a possibility--and I'm open to all possibilities--but it seems unlikely that this originated from inside our network. The user whose account this came from only accesses the network internally from one machine, and that machine has been turned off for days. One of my techs called her this morning, and she said she had been accessing her mail via OWA from an outside machine. She also said she got some weird message about her password, and had to reenter it (I know that's vague). So I'm trying to determine if it's possible that from the outside, her account was compromised and an external spam system was able to route mail through our servers by using her username and password... -Original Message- From: Oz Casey Dedeal [mailto:telne...@gmail.com] Sent: Wednesday, June 16, 2010 9:35 AM To: MS-Exchange Admin Issues Subject: Re: Tracking Down Spam Source I would fire up sniffer (Wire Shark etc) or look at firewall logs to see who is generating the most traffic or eating up your bandwidth and start taking these clients off line, and deal with them. You might be dealing with workstation or kind has E-mail worm blasting it out? Also it is good to ask yourself why your server AV/ spam engine did not catch these and alerted you ( assuming you have decent AV/Spam protection as first defense of line and not letting postini do all the work for inbound and outbound SMTP traffic. ( If not you can ignore this part) Good luck Ocd On 6/16/10, Chris cmu...@gmail.com wrote: John, Do you have a firewall in place that you can log all smtp traffic? There is a chance that the spam email *might* not be going through the exchange server. Chris On Wed, Jun 16, 2010 at 7:44 AM, John Hornbuckle john.hornbuc...@taylor.k12.fl.us wrote: I’m ashamed to say that for the first time ever, spam has been generated from my network. All of our outbound mail is routed through Google / Postini, and they cut us off last night after detecting it. I’m mortified. What I’m needing help with is tracking down the source. I can see who the message claims to be from, and Postini tech support thinks her account really is the source (I assumed the “From:” address had been forged). But even if her account really is the source, I need to know what machine generated the traffic so that I can see what’s running on it. To be honest, I’m not sure how to do that. My weakness with Exchange is showing. I thought maybe the message tracking tool, which I’ve used to find some of the messages, but I can’t see the originating IP address in there. Some of the entries say “2002:96b0:25ac::96b0:25ac” for the ClientIP. I don’t know what that is. Any pointers? John Hornbuckle MIS Department Taylor County School District www.taylor.k12.fl.us NOTICE: Florida has a broad public records law. Most written communications to or from this entity are public records that will be disclosed to the public and the media upon request. E-mail communications may be subject to public disclosure. -- Sent from my mobile device Oz Casey Dedeal Systems Engineer MVP (exchange) MCITP (EMA), MCITP (EA), MCITP (SA), MCSE 2003| M+| S+ | MCDST | Security+|Project+| Server+| http://smtp25.blogspot.com (Blog) http://telnet25.wordpress.com (Blog) http://telnet25.spaces.live.com (Blog)