Barney's Blog

Blog archive

Exchange Patch Blows Hole in BlackBerrys!

This letter from a reader was so well-done, I figured I'd run it verbatim rather than making it worse by rewriting:

"I am an IT manager working for a medium-size law firm in downtown Seattle, Wash. This last weekend, I installed several new patches on our servers and was quite surprised to find Microsoft's Exchange Server DST patch broke our BlackBerrys. Perhaps you could make others aware of this issue?

Microsoft Exchange DST patch 926666, released Feb. 13, 2007, bundles two previous patches, 912918 and 907434, apparently because all make modifications to Exchange's store.exe file. However, I had deliberately not installed the 907434 patch because it breaks the ability for BlackBerrys to send e-mail, due to the removal of the Send As permission.

After spending all day on the phone with Cingular and RIM, and coming to no resolution, RIM finally said I would need to contact Microsoft for a resolution. At the behest of our president (currently outside the office and very unhappy), I instead began removing patches that I had installed over the weekend, until the issue was resolved at approximately 12:30 this morning.

As stated above, patch 926666, 'Update for daylight saving time changes in 2007 for Exchange 2003 Service Pack 2,' was the culprit, and once removed, allowed our BlackBerrys to send e-mails again.

According to RIM, the resolution should have been to give BESadmin (our internal BlackBerry Exchange Server administration account) rights to Send As for non-administrator-permission users (e.g., domain users) in Active Directory. However, each time I did this, within an hour the permissions were automatically removed. Per Microsoft's knowledge base article on the 907434 patch, this is expected behavior and their resolution is as follows:

If you do this, you must prevent the AdminSDHolder from overwriting permissions that are granted to a BlackBerry Services account on protected groups. To do this, use the following command line with DSACLS:

dsacls "cn=adminsdholder,cn=system,dc=mydomain,dc=com" /G BlackBerrySA:CA;Send As"

Note: In this command, BlackBerrySA is a placeholder for the name of the BlackBerry Service account. Also, make sure that you do not add a space between BlackBerrySA and ":CA".

Alternatively, we recommend that you do not use accounts that are members of protected groups for e-mail purposes. If you must have the rights that are given to a protected group, we recommend that you have two Active Directory user accounts. These Active Directory accounts include one user account that is added to a protected group, and one user account that is used for e-mail purposes and at all other times.

I haven't attempted the above repair as of yet, due to time constraints, but I would be interested if you knew whether it would resolve the issue or were aware of another resolution.

Do you have another solution for Rann's problem? Let us know at [email protected].

Posted by Doug Barney on March 05, 2007 at 11:52 AM


  • The 2020 Microsoft Product Roadmap

    From the next major update to Windows 10 to the next generations of .NET and PowerShell, here's what's on tap from Microsoft this year.

  • Version 20H2 of Windows 10 and Windows Server Released

    The October 2020 updates of Windows 10 and Windows Server, also known as version 20H2, were released by Microsoft on Tuesday.

  • Phishing Attacks Impersonate Microsoft's Brand the Most

    Security solutions firm Check Point this week gave Microsoft the dubious distinction of being the "most imitated" company used for phishing attacks.

  • Remote Work To Drive Higher Cloud, IT Services Spending in 2021

    Global tech spending has taken a hit in 2020 due to the COVID-19 pandemic, but analysts expect it to rebound next year.