IT Admin Tip: No More Seeing Red: How to Stop Message Failures
Have you ever seen a Red X when sending an email message from your BlackBerry® smartphone, or had a BlackBerry smartphone user complain about this? The error message that accompanies the Red X reads: “Desktop email program failed to submit message” or “unlisted message error.” Either of these error messages suggests you have a 'Send As' permission problem. This article explains why that might happen and how to keep email sending running smoothly.
Appropriate permissions are key
As you know, for corporate BlackBerry smartphone users to send an email message from their BlackBerry smartphones, the BlackBerry® Enterprise Server service accounts require the 'Send As' permission to be granted. Yet even with that permission granted, you might still encounter a 'Send As' issue. To discover why this may be happening, you first want to look at how the permissions and Microsoft® Active Directory® work together.
For the BlackBerry Enterprise Server to complete all its tasks, the BlackBerry Enterprise Server Administration account or BlackBerry service account must have the appropriate permissions. One of the permissions required is 'Send As' within Microsoft Active Directory. This is set at the domain level and should be inherited by the individual BlackBerry smartphone users.
While most of you probably know how Microsoft Active Directory inheritance works, it's helpful to review the basics to clarify the role that inheritance plays. Think of Microsoft Active Directory like a waterfall for permissions, with every drop of water (permission) starting at the source of the waterfall (domain level) flowing to the bottom (user accounts or Microsoft Active Directory containers) unless something interrupts that flow. Each BlackBerry smartphone user that does not inherit this permission will not be able to send email messages. In the screenshot below, the area marked in red is the domain level.
Now let's look at the acronyms and Microsoft Active Directory objects we should be concerned with when trying to avoid seeing that Red X.
The AdminSDHolder (seen in the screenshot below) is a Microsoft Active Directory container with a specific set of permissions assigned to it. AdminSDHolder exists within the System container in Microsoft Active Directory. The screenshot below shows you the permissions associated with this object when you select it.
As you can see, within Microsoft Active Directory, there are several "protected groups" with special permissions, including:
- Account Operators
- Server Operators
- Print Operators
- Backup Operators
- Domain Admins
- Schema Admins
- Enterprise Admins
- Cert Publishers
Once a BlackBerry smartphone user has been added to one of these groups, the user's “adminCount” is changed from null to 1. The “adminCount” is a Microsoft Active Directory attribute that has a value of 0/null or 1. The following is a screenshot of this value taken with ADSIEDIT.
What does this value tell you? A process called SDProp (security descriptor propagator) runs once every hour and has two different roles which can affect permission settings. It will modify the adminCount if the BlackBerry smartphone user is a member of a protected group (changes it to 1), and it will also apply a specific set of permissions to any user object that has an adminCount of 1. If you look back to the screenshot of the AdminSDHolder, you will see that there is a very specific set of permissions and inheritance is disabled. The permissions associated with AdminSDHolder will overwrite the permissions associated with any BlackBerry smartphone user account with an adminCount of 1 every time SDProp runs.
When you set the 'Send As' permission at the domain level, the permission setting should inherit to all BlackBerry smartphone users. If the BlackBerry smartphone user is a member of any protected group, SDProp will run, inheritance will be disabled (since it is disabled on AdminSDHolder), and the BlackBerry Enterprise Server will no longer be able to send email messages to or from that BlackBerry smartphone user account. You can also run into difficulty if the container within which your BlackBerry smartphone users are located does not have inheritance enabled.
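A read-only check for the condition described above, as an added example that is not part of the original article: it lists user accounts with adminCount set to 1 and reports, for each, whether inheritance is disabled and whether the service account still holds a direct 'Send As' entry. It assumes the ActiveDirectory PowerShell module is available; the account name EXAMPLE\BESAdmin is a placeholder.

```powershell
# Added example (read-only): audit accounts whose ACL is stamped from AdminSDHolder.
Import-Module ActiveDirectory

# Assumption: placeholder for the BlackBerry Enterprise Server service account.
$ServiceAccount = 'EXAMPLE\BESAdmin'

# rightsGuid of the 'Send As' extended right. An empty GUID on an
# ExtendedRight ACE means "all extended rights", which includes 'Send As'.
$SendAs        = [guid]'ab721a54-1e2f-11d0-9819-00aa0040529b'
$ExtendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

$report = Get-ADUser -LDAPFilter '(adminCount=1)' -Properties adminCount, nTSecurityDescriptor |
    ForEach-Object {
        $sd = $_.nTSecurityDescriptor

        # Direct Allow ACEs for the service account only; access granted
        # through a group the account belongs to is not resolved here.
        $ace = $sd.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.ActiveDirectoryRights.HasFlag($ExtendedRight) -and
            ($_.ObjectType -eq $SendAs -or $_.ObjectType -eq [guid]::Empty) -and
            $_.IdentityReference.Value -eq $ServiceAccount
        }

        [pscustomobject]@{
            User                = $_.SamAccountName
            AdminCount          = $_.adminCount
            # True when the object no longer inherits ACEs from its parent.
            InheritanceDisabled = $sd.AreAccessRulesProtected
            ServiceHasSendAs    = [bool]$ace
        }
    }

# Accounts that cannot send sort first (ServiceHasSendAs = False).
$report | Sort-Object ServiceHasSendAs, User | Format-Table -AutoSize
```

Accounts that show InheritanceDisabled as True and ServiceHasSendAs as False match the situation this article describes.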