Exchange Patch Blows Hole in BlackBerrys!
This letter from a reader was so well-done, I figured I'd run it verbatim rather
than making it worse by rewriting:
"I am an IT manager working for a medium-size law firm in downtown Seattle,
Wash. This last weekend, I installed several new patches on our servers and
was quite surprised to find Microsoft's Exchange Server DST patch broke our
BlackBerrys. Perhaps you could make others aware of this issue?
Exchange DST patch 926666, released Feb. 13, 2007, bundles two previous
patches, 912918 and 907434,
apparently because all make modifications to Exchange's store.exe file. However,
I had deliberately not installed the 907434 patch because it breaks the ability
for BlackBerrys to send e-mail, due to the removal of the Send As permission.
After spending all day on the phone with Cingular and RIM, and coming to
no resolution, RIM finally said I would need to contact Microsoft for a resolution.
At the behest of our president (currently outside the office and very unhappy),
I instead began removing patches that I had installed over the weekend, until
the issue was resolved at approximately 12:30 this morning.
As stated above, patch 926666, 'Update for daylight saving time changes in
2007 for Exchange 2003 Service Pack 2,' was the culprit, and once removed,
allowed our BlackBerrys to send e-mails again.
According to RIM, the resolution should have been to give BESadmin (our internal
BlackBerry Exchange Server administration account) rights to Send As for non-administrator-permission
users (e.g., domain users) in Active Directory. However, each time I did this,
within an hour the permissions were automatically removed. Per Microsoft's
knowledge base article on the 907434
patch, this is expected behavior and their resolution is as follows:
If you do this, you must prevent the AdminSDHolder from overwriting
permissions that are granted to a BlackBerry Services account on protected
groups. To do this, use the following command line with DSACLS:
/G BlackBerrySA:CA;Send As"
Note: In this command, BlackBerrySA is a placeholder for
the name of the BlackBerry Service account. Also, make sure that you do
not add a space between BlackBerrySA and ":CA".
Alternatively, we recommend that you do not use accounts that are members
of protected groups for e-mail purposes. If you must have the rights that
are given to a protected group, we recommend that you have two Active Directory
user accounts. These Active Directory accounts include one user account
that is added to a protected group, and one user account that is used for
e-mail purposes and at all other times.
I haven't attempted the above repair as of yet, due to time constraints,
but I would be interested if you knew whether it would resolve the issue or
were aware of another resolution.
Do you have another solution for Rann's problem? Let us know at [email protected].
Service Account Manager Boosted by Lieberman
Lieberman Software, a mainstay in the Windows marketplace, has a new
rev of Service Account Manager. The software, as its name indicates, automates
the management of Windows services.
Version 5.04 of the tool "allows Windows administrators to change service
dependencies and set service security permissions and auditing settings, providing
greater oversight and control of users' activities and access to services,"
the company said.
Obese, Online-Obsessed and Dead
Sometimes, when a person dies, some good comes of it -- lessons learned, the
world made better. In the case of a 330-pound Chinese man who played video games
for a week straight, and
then keeled over, the lesson is simple: If you weigh 330 pounds, don't play
video games for a week straight!
Doug's Mailbag: Going Google's Way?, More
So Google is preparing
to offer its own Web-based software suite to rival Office. At $50 a year,
is it a worthwhile investment? Here's what some readers had to say:
I think it's brilliant. My hope is that Google takes applications to
a whole new level. I want a Web-based desktop where I access all of my applications.
If I need a new application, I will check a box, give my credit card information
and it will appear on my Web-based desktop. No software distribution, no piracy,
no conflicts with other applications and nothing to install on my local machine.
It's just there, ready to go.
My computer will only have memory, USB ports, a monitor and enough hard
drive space for the few apps that will need to run local. All other files
will be stored at Google where they have the proper the environment, maintenance
and procedures to ensure my data is readily available, backed up and secure.
This model also gives me the greatest portability. From any computer in the
world with Internet access, I can access my data and my applications. In a
pinch, I can even access everything via my browser-based cell phone.
Does this model work for corporate America? For a lot of managers and
admins, it will. People that use custom-built applications will need computers
that are more robust than the Internet appliances described above. From a
support standpoint, if the majority of my users just need an Internet appliance
where all of their applications are administered by someone else, I could
see my support costs going down. This model also makes collaboration easier
to implement and people are in control of their own space.
As for whether this model would work for home users, absolutely! Short
of gamers and people that use nonstandard applications, this model would take
care of everyone's computing needs. The biggest catch is that you become very
dependent on the speed and availability of your Internet connection. Not all
areas have the ability to provide what would be necessary.
Doug, you need to try and remove your personal hangups with Microsoft
(some of which are no doubt valid) from your commentary. It makes you sound
a bit adolescent at times and detracts from what could otherwise become a
valid counterweight to Microsoft propaganda.
Just because Jimmy Jones handed out free Kool-Aid in Jonestown, didn't
mean everyone had to drink it! And just because Google says it has products
that do away with the need for Microsoft software and that are essentially
"free" ($50 a year), doesn't mean critical thinkers have to buy
the hype, hook, line and sinker! Any company that pays its employees real
money would be crazy to buy into a "must be connected" model --
is Google going to reimburse you the cost of your payroll, lost productivity
and possibly lost sales if network connectivity or software crashes cause
hosted apps to go dark for a while? I could at least respect you pushing OpenOffice
apps as a counterweight to Microsoft, but really, hosted apps are "equivalent"
to Microsoft Office? I don't think so.
Sure, the statistical likelihood of a 50-person organization losing its
T-1 for a day, or a 500-person organization losing its T-3 for a day may be
very small. But if you happen to be the IT manager, director, VP, etc., who
pushed for this approach when the grim statistical reaper pointed his bony
finger at your organization, wouldn't you feel rather dumb (not to mention
exposed) when that T-1/T-3 went down due to a broken water main above your
building's telephone room? The world of IT, as any kind of "engineering"
career, is driven by some modicum of planning for the "what if something
bad happened?" We can't cover all circumstances but we sure had better
cover the obvious ones!
It's indeed cathartic for the less successful to turn up our noses at
the billionaires of the world, but all those doing so vis-a-vis hosted apps
need to be serious and admit if they've really deleted all Office-like local
software from their PCs, laptops, etc. And if they haven't, isn't it a bit
pretentious to trumpet the death of "fat apps" when one is keeping
fat apps (free or licensed) in one's back pocket for that rainy day?
It sounds nice from the shareholders' viewpoint, but I'd have to take
a for not going this route yet, as far as an IT staff member or management
viewpoint. Google has a lot to prove and once you are locked in at $50 bucks
a year, where can you go but up? I know from doing consultant work for large
companies like State Farm and Athena that a lot of corporations are still
using versions of Office that are not supported by Microsoft just because
of the sheer numbers of clients and the level of productivity they expect
their workers to meet so they can also make their shareholders happy. Throw
in an entirely new Office package with limited features and Google's unreachable
support department, and that productivity goes out the Windows.
For at least one reader, Microsoft's refusal
to authorize lower-end versions of Vista to run on Macs is just a sign of
It appears at the very least that Microsoft is inferring that Vista has
enough holes that even a Mac will suffer for running the thing. Just as well
it's in a "safe" (virtual) environment so it can be whacked at will
before permitting too much real harm (if any). Shame on MS that the "security
enhancements" it appears to state are available to businesses are not
conferred on mere plebs at home. Big Business has a voice and wads of money
-- sad that 'we' don’t matter. "Let them eat cake," I hear
-- or is it "Let them catch a virus or Trojan"?
A decent Mac with OpenOffice is appearing far more attractive by the
service pack for Exchange 2007 is due next moonth -- but Eric already foresees
a possible catch:
The missing part of the Exchange 2007 SP1 article is whether they will
upgrade the management tool to run on Vista. We have had to roll back plans
for upgrading to Vista because too many management tools won't run on it.
Microsoft's answer is especially lame: RDP is the cure-all. So much for thinking
And finally, one reader chimes in with his own concerns about licensing:
I was troubled years ago by the idea that your computer software was
a "license" and not some sort of purchase. Without an operating
system, a computer is not much more than a pile of junk. (Just look at how
much you have to pay to get a dead one thrown away.) I cannot imagine anyone
buying a typewriter with a manufacturer's license to use it, but we have been
doing that with computers for over 25 years. That means we operate our businesses
somewhat at the courtesy of the software vendors. The only scarier prospect
is that we might rent the use of software online and store our vital data
on someone else's hard drive. Where is the security in that, and how can we
prove damages if they accidentally lose our data? I don't know exactly where
these business models came from, but I suspect there won't be much objection
to "small" changes in the license agreements. Not many people read
them anyway. We all seem to think, "That's just the way it works."
Let me know what you think! Comment below or drop me a line at [email protected].