This letter from a reader was so well done, I figured I'd run it verbatim rather
than make it worse by rewriting it:
"I am an IT manager working for a medium-size law firm in downtown Seattle,
Wash. This last weekend, I installed several new patches on our servers and
was quite surprised to find Microsoft's Exchange Server DST patch broke our
BlackBerrys. Perhaps you could make others aware of this issue?
Microsoft Exchange DST patch 926666, released Feb. 13, 2007, bundles two previous
patches, 912918 and 907434, apparently because all make modifications to
Exchange's store.exe file. However,
I had deliberately not installed the 907434 patch because it breaks the ability
for BlackBerrys to send e-mail, due to the removal of the Send As permission.
After spending all day on the phone with Cingular and RIM, and coming to
no resolution, RIM finally said I would need to contact Microsoft for a resolution.
At the behest of our president (currently outside the office and very unhappy),
I instead began removing patches that I had installed over the weekend, until
the issue was resolved at approximately 12:30 this morning.
As stated above, patch 926666, 'Update for daylight saving time changes in
2007 for Exchange 2003 Service Pack 2,' was the culprit, and once removed,
allowed our BlackBerrys to send e-mails again.
According to RIM, the resolution should have been to give BESadmin (our internal
BlackBerry Exchange Server administration account) rights to Send As for non-administrator-permission
users (e.g., domain users) in Active Directory. However, each time I did this,
within an hour the permissions were automatically removed. Per Microsoft's
knowledge base article on the 907434
patch, this is expected behavior and their resolution is as follows:
If you do this, you must prevent the AdminSDHolder from overwriting
permissions that are granted to a BlackBerry Services account on protected
groups. To do this, use the following command line with DSACLS:
dsacls "cn=adminsdholder,cn=system,dc=mydomain,dc=com" /G "BlackBerrySA:CA;Send As"
Note: In this command, BlackBerrySA is a placeholder for
the name of the BlackBerry Service account. Also, make sure that you do
not add a space between BlackBerrySA and ":CA".
Alternatively, we recommend that you do not use accounts that are members
of protected groups for e-mail purposes. If you must have the rights that
are given to a protected group, we recommend that you have two Active Directory
user accounts. These Active Directory accounts include one user account
that is added to a protected group, and one user account that is used for
e-mail purposes and at all other times.
I haven't attempted the above repair as of yet, due to time constraints,
but I would be interested if you knew whether it would resolve the issue or
were aware of another resolution.
-Rann"
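The following read-only check is an added example, not part of the reader's letter or of Microsoft's article. It lists mail-enabled accounts that AdminSDHolder treats as protected and reports whether the service account's Send As grant exists on each user and on the AdminSDHolder object itself. It assumes the ActiveDirectory PowerShell module is available, and BlackBerrySA is the same placeholder name used in the excerpt above.

```powershell
# Added example: read-only; assumes the ActiveDirectory module (RSAT) is installed.
Import-Module ActiveDirectory

$ServiceAccount = 'BlackBerrySA'   # placeholder for the BlackBerry service account
$SendAsGuid     = [guid]'ab721a54-1e2f-11d0-9819-00aa0040529b'   # Send-As extended right

$domain   = Get-ADDomain
$identity = "$($domain.NetBIOSName)\$ServiceAccount"
$holderDn = "CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)"

function Test-SendAsAce {
    param([string]$DistinguishedName, [string]$Identity)
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    $extended = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    # An Allow ACE counts if it names Send-As or grants all extended rights (empty GUID).
    [bool]($acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $Identity -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band $extended) -and
        ($_.ObjectType -eq $SendAsGuid -or $_.ObjectType -eq [guid]::Empty)
    })
}

$onHolder = Test-SendAsAce -DistinguishedName $holderDn -Identity $identity

# adminCount=1 marks accounts that are (or once were) members of protected groups.
Get-ADUser -LDAPFilter '(&(adminCount=1)(mail=*))' -Properties mail |
    ForEach-Object {
        $onUser = Test-SendAsAce -DistinguishedName $_.DistinguishedName -Identity $identity
        [pscustomobject]@{
            User           = $_.SamAccountName
            Mail           = $_.mail
            SendAsOnUser   = $onUser
            SendAsOnHolder = $onHolder
            # Granted on the user but not on AdminSDHolder: the next pass strips it.
            WillBeReverted = ($onUser -and -not $onHolder)
        }
    } | Format-Table -AutoSize
```

A row with WillBeReverted set to True corresponds to the behavior described in the letter, where the grant disappears within the hour. Because the AdminSDHolder ACL is copied to every protected account, a Send As grant placed there applies to all of them, which is why the two-account alternative in the excerpt keeps mailboxes off protected accounts.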