Exchange Patch Blows Hole in BlackBerrys!
This letter from a reader was so well-done, I figured I'd run it verbatim rather
than making it worse by rewriting:
"I am an IT manager working for a medium-size law firm in downtown Seattle,
Wash. This last weekend, I installed several new patches on our servers and
was quite surprised to find Microsoft's Exchange Server DST patch broke our
BlackBerrys. Perhaps you could make others aware of this issue?
Microsoft Exchange DST patch 926666, released Feb. 13, 2007, bundles two previous
patches, 912918 and 907434,
apparently because all make modifications to Exchange's store.exe file. However,
I had deliberately not installed the 907434 patch because it breaks the ability
for BlackBerrys to send e-mail, due to the removal of the Send As permission.
After spending all day on the phone with Cingular and RIM, and coming to
no resolution, RIM finally said I would need to contact Microsoft for a resolution.
At the behest of our president (currently outside the office and very unhappy),
I instead began removing patches that I had installed over the weekend, until
the issue was resolved at approximately 12:30 this morning.
As stated above, patch 926666, 'Update for daylight saving time changes in
2007 for Exchange 2003 Service Pack 2,' was the culprit, and once removed,
allowed our BlackBerrys to send e-mails again.
According to RIM, the resolution should have been to give BESadmin (our internal
BlackBerry Exchange Server administration account) rights to Send As for non-administrator-permission
users (e.g., domain users) in Active Directory. However, each time I did this,
within an hour the permissions were automatically removed. Per Microsoft's
knowledge base article on the 907434
patch, this is expected behavior and their resolution is as follows:
If you do this, you must prevent the AdminSDHolder from overwriting
permissions that are granted to a BlackBerry Services account on protected
groups. To do this, use the following command line with DSACLS:
dsacls "cn=adminsdholder,cn=system,dc=mydomain,dc=com" /G "BlackBerrySA:CA;Send As"
Note: In this command, BlackBerrySA is a placeholder for
the name of the BlackBerry Service account. Also, make sure that you do
not add a space between BlackBerrySA and ":CA".
Alternatively, we recommend that you do not use accounts that are members
of protected groups for e-mail purposes. If you must have the rights that
are given to a protected group, we recommend that you have two Active Directory
user accounts. These Active Directory accounts include one user account
that is added to a protected group, and one user account that is used for
e-mail purposes and at all other times.
I haven't attempted the above repair as of yet, due to time constraints,
but I would be interested if you knew whether it would resolve the issue or
were aware of another resolution.
-Rann"
Do you have another solution for Rann's problem? Let us know at [email protected].
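The behaviour Rann describes can be checked before changing anything. The following is an added example, not code from the letter, RIM or the Microsoft article: a read-only PowerShell audit that lists the mail-enabled accounts whose permissions are rewritten from AdminSDHolder and shows whether the service account holds Send As on each of them and on the AdminSDHolder object itself. It assumes the ActiveDirectory PowerShell module is available and uses the article's placeholder account name BlackBerrySA; the function name Get-SendAsAce is hypothetical.

```powershell
# Added example: read-only audit, makes no changes to the directory.
# 'BlackBerrySA' is the placeholder account name from the KB text (assumption).
Import-Module ActiveDirectory

$ServiceAccount = 'BlackBerrySA'
# Rights GUID of the Send-As extended right in Active Directory
$SendAs         = [guid]'ab721a54-1e2f-11d0-9819-00aa0040529b'
$ExtendedRight  = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

# Hypothetical helper: Allow ACEs on an object that grant Send As to $Account.
# Broader grants (for example full control) are deliberately not matched here.
function Get-SendAsAce {
    param([string]$DistinguishedName, [string]$Account)
    (Get-Acl -Path "AD:\$DistinguishedName").Access | Where-Object {
        ($_.AccessControlType -eq 'Allow') -and
        (($_.ActiveDirectoryRights -band $ExtendedRight) -ne 0) -and
        ($_.ObjectType -eq $SendAs) -and
        ($_.IdentityReference.Value -like "*\$Account")
    }
}

# 1. Is the grant present on the AdminSDHolder template itself?
$domainDN   = (Get-ADDomain).DistinguishedName
$onTemplate = Get-SendAsAce "CN=AdminSDHolder,CN=System,$domainDN" $ServiceAccount

# 2. Mail-enabled accounts marked as protected (adminCount=1). Their ACL is
#    periodically overwritten with the AdminSDHolder ACL, so a Send As grant
#    made directly on the user does not persist unless the template has it too.
#    adminCount can stay at 1 after an account leaves a protected group, so
#    treat each row as a candidate to confirm, not as proof of membership.
Get-ADUser -LDAPFilter '(&(adminCount=1)(mail=*))' | ForEach-Object {
    [pscustomobject]@{
        User             = $_.SamAccountName
        SendAsOnUser     = [bool](Get-SendAsAce $_.DistinguishedName $ServiceAccount)
        SendAsOnTemplate = [bool]$onTemplate
    }
} | Format-Table -AutoSize
```

An empty result means no mail-enabled account is marked as protected, which is the state the article's alternative recommendation (separate accounts for administration and e-mail) aims for. A grant on AdminSDHolder applies to every protected account, so the dsacls fix gives the service account Send As over all of them.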
Service Account Manager Boosted by Lieberman
Lieberman Software, a mainstay in the Windows marketplace, has a new
rev of Service Account Manager. The software, as its name indicates, automates
the management of Windows services.
Version 5.04 of the tool "allows Windows administrators to change service
dependencies and set service security permissions and auditing settings, providing
greater oversight and control of users' activities and access to services,"
the company said.
Obese, Online-Obsessed and Dead
Sometimes, when a person dies, some good comes of it -- lessons learned, the
world made better. In the case of a 330-pound Chinese man who played video games
for a week straight, and
then keeled over, the lesson is simple: If you weigh 330 pounds, don't play
video games for a week straight!
Doug's Mailbag: Going Google's Way?, More
So Google is preparing
to offer its own Web-based software suite to rival Office. At $50 a year,
is it a worthwhile investment? Here's what some readers had to say:
I think it's brilliant. My hope is that Google takes applications to
a whole new level. I want a Web-based desktop where I access all of my applications.
If I need a new application, I will check a box, give my credit card information
and it will appear on my Web-based desktop. No software distribution, no piracy,
no conflicts with other applications and nothing to install on my local machine.
It's just there, ready to go.
My computer will only have memory, USB ports, a monitor and enough hard
drive space for the few apps that will need to run local. All other files
will be stored at Google where they have the proper environment, maintenance
and procedures to ensure my data is readily available, backed up and secure.
This model also gives me the greatest portability. From any computer in the
world with Internet access, I can access my data and my applications. In a
pinch, I can even access everything via my browser-based cell phone.
Does this model work for corporate America? For a lot of managers and
admins, it will. People that use custom-built applications will need computers
that are more robust than the Internet appliances described above. From a
support standpoint, if the majority of my users just need an Internet appliance
where all of their applications are administered by someone else, I could
see my support costs going down. This model also makes collaboration easier
to implement and people are in control of their own space.
As for whether this model would work for home users, absolutely! Short
of gamers and people that use nonstandard applications, this model would take
care of everyone's computing needs. The biggest catch is that you become very
dependent on the speed and availability of your Internet connection. Not all
areas have the ability to provide what would be necessary.
-John
Doug, you need to try and remove your personal hangups with Microsoft
(some of which are no doubt valid) from your commentary. It makes you sound
a bit adolescent at times and detracts from what could otherwise become a
valid counterweight to Microsoft propaganda.
Just because Jimmy Jones handed out free Kool-Aid in Jonestown, didn't
mean everyone had to drink it! And just because Google says it has products
that do away with the need for Microsoft software and that are essentially
"free" ($50 a year), doesn't mean critical thinkers have to buy
the hype, hook, line and sinker! Any company that pays its employees real
money would be crazy to buy into a "must be connected" model --
is Google going to reimburse you the cost of your payroll, lost productivity
and possibly lost sales if network connectivity or software crashes cause
hosted apps to go dark for a while? I could at least respect you pushing OpenOffice
apps as a counterweight to Microsoft, but really, hosted apps are "equivalent"
to Microsoft Office? I don't think so.
Sure, the statistical likelihood of a 50-person organization losing its
T-1 for a day, or a 500-person organization losing its T-3 for a day may be
very small. But if you happen to be the IT manager, director, VP, etc., who
pushed for this approach when the grim statistical reaper pointed his bony
finger at your organization, wouldn't you feel rather dumb (not to mention
exposed) when that T-1/T-3 went down due to a broken water main above your
building's telephone room? The world of IT, as any kind of "engineering"
career, is driven by some modicum of planning for the "what if something
bad happened?" We can't cover all circumstances but we sure had better
cover the obvious ones!
It's indeed cathartic for the less successful to turn up our noses at
the billionaires of the world, but all those doing so vis-a-vis hosted apps
need to be serious and admit if they've really deleted all Office-like local
software from their PCs, laptops, etc. And if they haven't, isn't it a bit
pretentious to trumpet the death of "fat apps" when one is keeping
fat apps (free or licensed) in one's back pocket for that rainy day?
-Chris
It sounds nice from the shareholders' viewpoint, but I'd have to take
a for not going this route yet, as far as an IT staff member or management
viewpoint. Google has a lot to prove and once you are locked in at $50 bucks
a year, where can you go but up? I know from doing consultant work for large
companies like State Farm and Athena that a lot of corporations are still
using versions of Office that are not supported by Microsoft just because
of the sheer numbers of clients and the level of productivity they expect
their workers to meet so they can also make their shareholders happy. Throw
in an entirely new Office package with limited features and Google's unreachable
support department, and that productivity goes out the Windows.
-Steve
For at least one reader, Microsoft's refusal
to authorize lower-end versions of Vista to run on Macs is just a sign of
Microsoft's hubris:
It appears at the very least that Microsoft is inferring that Vista has
enough holes that even a Mac will suffer for running the thing. Just as well
it's in a "safe" (virtual) environment so it can be whacked at will
before permitting too much real harm (if any). Shame on MS that the "security
enhancements" it appears to state are available to businesses are not
conferred on mere plebs at home. Big Business has a voice and wads of money
-- sad that 'we' don't matter. "Let them eat cake," I hear
-- or is it "Let them catch a virus or Trojan"?
A decent Mac with OpenOffice is appearing far more attractive by the
week.
-Stephen
The first service pack for Exchange 2007 is due next month -- but Eric already foresees
a possible catch:
The missing part of the Exchange 2007 SP1 article is whether they will
upgrade the management tool to run on Vista. We have had to roll back plans
for upgrading to Vista because too many management tools won't run on it.
Microsoft's answer is especially lame: RDP is the cure-all. So much for thinking
security.
-Eric
And finally, one reader chimes in with his own concerns about licensing:
I was troubled years ago by the idea that your computer software was
a "license" and not some sort of purchase. Without an operating
system, a computer is not much more than a pile of junk. (Just look at how
much you have to pay to get a dead one thrown away.) I cannot imagine anyone
buying a typewriter with a manufacturer's license to use it, but we have been
doing that with computers for over 25 years. That means we operate our businesses
somewhat at the courtesy of the software vendors. The only scarier prospect
is that we might rent the use of software online and store our vital data
on someone else's hard drive. Where is the security in that, and how can we
prove damages if they accidentally lose our data? I don't know exactly where
these business models came from, but I suspect there won't be much objection
to "small" changes in the license agreements. Not many people read
them anyway. We all seem to think, "That's just the way it works."
-John
Let me know what you think! Comment below or drop me a line at [email protected].