@Sam Tudorov
I apologize for the length of the article! But I'm glad it's informative... :)
SAM: The article mentions that granting Send-As permissions for multiple accounts (either applied to a container or all AD objects) is not the preferred method.
MIKE: It's not a horrible method, except that it may capture objects you didn't intend, or miss objects that get moved. It's easy, years later, to forget that user X in container Y needs special treatment if ever moved to another container.
SAM: So if we use the Blackberry application as an example, would the preferred method be that, when we add a new Exchange/Blackberry user, we grant Send-As permission in the same manner?
MIKE: Currently, it is what I would recommend. At some point, I believe RIM will have an update to correctly provision users, but I don't have details on an ETA for that. You can somewhat automate this by periodically running the script in the KB article to catch new users, or as part of your normal provisioning. RIM also has a script.
Again, if you don't want to do this, managing this by inheritance isn't a bad thing--you just need to remember that's the way you're managing it.
SAM: For domain administrators that are also Blackberry users, we remove these users from the domain admin group. To perform tasks that require domain administrator security, these users would either log in with an account that has domain admin privileges, or use the RunAs command to accomplish the same.
MIKE: As a general best practice, you really shouldn't have someone reading their email or surfing random web sites while logged on as domain admin. What if an administrator's curiosity about that purported new Anna Kournikova pic gets the better of him for a second? I know this is inconvenient. But ignoring this best practice isn't just less than optimal, it's close to reckless. I don't want to be a scold, but this is scold-worthy.
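As an added illustration of the per-user approach Mike recommends above (granting an explicit Send-As right to each Blackberry user and re-running the check periodically so newly provisioned users are not missed), here is a small script. It is an added example written for this page; it is neither the KB article's script nor RIM's, and it assumes an Exchange 2007-or-later Management Shell (Add-ADPermission / Get-ADPermission / Get-DistributionGroupMember), a BES service account named CONTOSO\BESAdmin, and a mail-enabled group named BlackBerry-Users whose members are the Blackberry mailboxes. All three names are assumptions, not from the original.

```powershell
# Added example, not the KB article's or RIM's script.
# Assumptions (not from the original discussion):
#   - Exchange 2007+ Management Shell cmdlets are available
#   - the BES service account is CONTOSO\BESAdmin
#   - Blackberry users are members of the mail-enabled group BlackBerry-Users
$ServiceAccount = "CONTOSO\BESAdmin"
$GroupName      = "BlackBerry-Users"

function Test-ExplicitSendAs {
    # Returns $true only if the service account holds a direct (non-inherited),
    # non-Deny Send-As right on the mailbox object. An inherited grant from a
    # container is deliberately ignored: if the user is later moved, it vanishes.
    param([string]$MailboxDn, [string]$Trustee)

    $aces = Get-ADPermission -Identity $MailboxDn -User $Trustee -ErrorAction SilentlyContinue
    foreach ($ace in $aces) {
        $rights = @($ace.ExtendedRights | ForEach-Object { "$_" })
        if (($rights -contains "Send-As") -and -not $ace.Deny -and -not $ace.IsInherited) {
            return $true
        }
    }
    return $false
}

function Grant-MissingSendAs {
    # Idempotent pass over the group: grant Send-As only where it is missing.
    # Run this from normal provisioning or on a schedule to catch new users.
    param([string]$Group, [string]$Trustee, [switch]$WhatIf)

    $members = Get-DistributionGroupMember -Identity $Group -ResultSize Unlimited |
        Where-Object { $_.RecipientType -like "*Mailbox*" }

    foreach ($mbx in $members) {
        $dn = $mbx.DistinguishedName
        if (Test-ExplicitSendAs -MailboxDn $dn -Trustee $Trustee) {
            Write-Host "OK       $($mbx.Name): explicit Send-As already present"
            continue
        }
        if ($WhatIf) {
            Write-Host "MISSING  $($mbx.Name): would grant Send-As to $Trustee"
        } else {
            Add-ADPermission -Identity $dn -User $Trustee -ExtendedRights "Send-As" | Out-Null
            Write-Host "GRANTED  $($mbx.Name): Send-As added for $Trustee"
        }
    }
}

# Dry run first, then apply.
Grant-MissingSendAs -Group $GroupName -Trustee $ServiceAccount -WhatIf
Grant-MissingSendAs -Group $GroupName -Trustee $ServiceAccount
```

The check in Test-ExplicitSendAs ignores inherited ACEs on purpose: that is the difference between managing the right per object and managing it by inheritance from a container, and it is what makes a scheduled re-run useful for catching users who were moved or newly provisioned. Run it with -WhatIf the first time to see which mailboxes it would touch.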