Exchange 2010 & Installing BES – The unsolvable riddle


Over the last few days I've had the pleasure (2… 3… noot) of installing Blackberry Enterprise Server on our new (6 months old) Exchange 2010 setup at work. Setting up the permissions using the Exchange Command Shell lead me to a problem that drove me absolutely insane. When applying Send-As permissions using the exchange command shell commands that RIM themselves have in their documentation, i hit a brick wall.

image Problem

When running the command below you bring your installation to halt. The command is meant to set up your BesAdmin user (the user you created as part of your installation) to be able to send email as any user in your domain. This in turn allows it to route mail properly.

The instructions to run this command are listed on the RIM site here. This is the command:

Add-ADPermission -InheritedObjectType User -InheritanceType Descendents 
-ExtendedRights Send-As -User "BESAdmin" -Identity "CN=Users,DC=<domain_1>,DC=<domain_2>,DC=<domain_3>"

The error message you get when you fill in the blanks is:

Active Directory operation failed on [domain controller]. This error is not retriable. Additional information: Access is denied.
Active directory response: 00000005: SecErr: DSID-03152492, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0     + CategoryInfo          : WriteError: (0:Int32) [Add-ADPermission], ADOperationException     + FullyQualifiedErrorId : E256CB97,Microsoft.Exchange.Management.RecipientTasks.AddADPermission


The command above may bring your installation to halt and lead you down some path thinking you’ve got a permissions error. I mean it does say


This sounds like a permissions error, yeah?

Well it’s not.

I spent a considerable amount of time trying to solve The permission error. I tried running the exchange console by right clicking it and running as admin – among about 10 other things i tried. Then i looked to other things.

The command is meant to be filled with the account details you created for use by the Blackberry Enterprise Server services. You’re meant to fill it with the OU details for your user, but the RIM documentation is not clear about this – all they tell you in the instructions is to enter your domain details in a fill in the blanks kind of way. This is misleading.

i.e. if your domain is mydomain.local and you followed the RIM documentation, the command would become:


Add-ADPermission -InheritedObjectType User -InheritanceType Descendents -ExtendedRights Send-As -User "BESAdmin" -Identity "CN=Users,DC=mydomain,DC=local”

What is wrong with this instruction is that it doesn’t emphasise that you need to get the exact AD address for the user you created (in the example, and in my usage this is BESAdmin).

We need to fix this command so that it maps to the exact location of your user by getting the users OU address – lets do that and try the command again.

Find your users’ OU address

Open Active Directory Users & Computers

In the Menu bar up the top, open View and the select Advanced Features


Now browse to your BESAdmin user, and open the users properties by double clicking


Now select the tab named Attribute Editor

Scroll through the list until you get to distinguishedName and double click it to view its properties


I have blacked out my works full domain, but you can see the problem straight away – the OU for the user is not:


it is:


So what we need to do is enter this into the command like so:

Add-ADPermission -InheritedObjectType User -InheritanceType Descendents -ExtendedRights Send-As -User "BESAdmin" -Identity "CN=BESAdmin, CN=Users,DC=mydomain,DC=local”

Run this bad buoy and you should be home and hosed


Wooohoooo – relief much?