Barney's Blog


Exchange Patch Blows Hole in BlackBerrys!

This letter from a reader was so well-done, I figured I'd run it verbatim rather than making it worse by rewriting:

"I am an IT manager working for a medium-size law firm in downtown Seattle, Wash. This last weekend, I installed several new patches on our servers and was quite surprised to find Microsoft's Exchange Server DST patch broke our BlackBerrys. Perhaps you could make others aware of this issue?

Microsoft Exchange DST patch 926666, released Feb. 13, 2007, bundles two previous patches, 912918 and 907434, apparently because all make modifications to Exchange's store.exe file. However, I had deliberately not installed the 907434 patch because it breaks the ability for BlackBerrys to send e-mail, due to the removal of the Send As permission.

After spending all day on the phone with Cingular and RIM, and coming to no resolution, RIM finally said I would need to contact Microsoft for a resolution. At the behest of our president (currently outside the office and very unhappy), I instead began removing patches that I had installed over the weekend, until the issue was resolved at approximately 12:30 this morning.

As stated above, patch 926666, 'Update for daylight saving time changes in 2007 for Exchange 2003 Service Pack 2,' was the culprit, and once removed, allowed our BlackBerrys to send e-mails again.

According to RIM, the resolution should have been to give BESadmin (our internal BlackBerry Exchange Server administration account) rights to Send As for non-administrator-permission users (e.g., domain users) in Active Directory. However, each time I did this, within an hour the permissions were automatically removed. Per Microsoft's knowledge base article on the 907434 patch, this is expected behavior and their resolution is as follows:

If you do this, you must prevent the AdminSDHolder from overwriting permissions that are granted to a BlackBerry Services account on protected groups. To do this, use the following command line with DSACLS:

dsacls "cn=adminsdholder,cn=system,dc=mydomain,dc=com" /G "BlackBerrySA:CA;Send As"

Note: In this command, BlackBerrySA is a placeholder for the name of the BlackBerry Service account. Also, make sure that you do not add a space between BlackBerrySA and ":CA".

Alternatively, we recommend that you do not use accounts that are members of protected groups for e-mail purposes. If you must have the rights that are given to a protected group, we recommend that you have two Active Directory user accounts. These Active Directory accounts include one user account that is added to a protected group, and one user account that is used for e-mail purposes and at all other times.

I haven't attempted the above repair as of yet, due to time constraints, but I would be interested if you knew whether it would resolve the issue or were aware of another resolution."
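For anyone who wants to verify the state the KB resolution depends on before and after running the dsacls command, here is an added audit script; it is not part of the reader's letter or the Microsoft article. It checks whether the service account's Send As grant is present on AdminSDHolder (the template SDProp re-stamps onto protected accounts on its hourly pass) and lists the mail-enabled users who are under that protection. It assumes the RSAT ActiveDirectory PowerShell module (later than the 2007 tooling the letter describes); MYDOMAIN\BESadmin is a placeholder for the BlackBerry service account, and the GUID is the documented Send-As extended right.

```powershell
# Added example, not from the blog post or KB 907434.
# Assumes the RSAT ActiveDirectory module; MYDOMAIN\BESadmin is a placeholder.
Import-Module ActiveDirectory

$ServiceAccount = 'MYDOMAIN\BESadmin'                             # placeholder
$SendAsRight    = [Guid]'ab721a54-1e2f-11d0-9819-00aa0040529b'   # Send-As extended right
$DomainDn       = (Get-ADDomain).DistinguishedName
$AdminSdHolder  = "CN=AdminSDHolder,CN=System,$DomainDn"

# Return the Allow ACEs on an object that give the account the Send As right,
# either explicitly or via an ACE covering all extended rights (empty GUID).
function Get-SendAsAce {
    param([string]$DistinguishedName, [string]$Identity)
    $acl = Get-Acl -Path ("AD:\" + $DistinguishedName)
    $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $Identity -and
        $_.AccessControlType -eq 'Allow' -and
        $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
        ($_.ObjectType -eq $SendAsRight -or $_.ObjectType -eq [Guid]::Empty)
    }
}

# 1. Is the template itself fixed? If not, SDProp strips the grant from every
#    protected account again on its next pass (every 60 minutes by default),
#    which matches the "removed within an hour" behaviour in the letter.
if (Get-SendAsAce -DistinguishedName $AdminSdHolder -Identity $ServiceAccount) {
    "OK: $ServiceAccount holds Send As on AdminSDHolder"
} else {
    "MISSING: $ServiceAccount has no Send As ACE on AdminSDHolder; apply the dsacls fix"
}

# 2. Which mail-enabled users are under AdminSDHolder protection (adminCount=1)?
#    These are the accounts whose BlackBerrys break; the KB's alternative is to
#    give such people a second, unprivileged account for mail.
Get-ADUser -LDAPFilter '(&(adminCount=1)(mail=*))' -Properties mail, adminCount |
    ForEach-Object {
        [PSCustomObject]@{
            User        = $_.SamAccountName
            Mail        = $_.mail
            SendAsGrant = [bool](Get-SendAsAce -DistinguishedName $_.DistinguishedName -Identity $ServiceAccount)
        }
    } | Format-Table -AutoSize
```

Run it once before the dsacls command and again an hour or more afterwards; if the AdminSDHolder check reports OK but protected users still show SendAsGrant False, SDProp has not yet re-stamped them or the ACE was added to the wrong object.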

Do you have another solution for Rann's problem? Let us know at [email protected].

Posted by Doug Barney on March 05, 2007