Looked at an issue a colleague had today where the Send-As permissions for a user were being removed automatically from their account, causing issues with their PA not being able to send email as they had configured it. The problem here was that the user in question was in one of the protected AdminSDHolder groups, and Active Directory will reset the Send-As permissions for members of these groups on an hourly basis.
As well as affecting the ability of another user to Send-As the user in question, this can also have implications if you run BlackBerry Enterprise Server, as the BES Service Account needs Send-As permissions to forward email from a handset to another recipient.
Microsoft have released a KB article on this (907434) which details the situation further, but basically the solution should be to remove the user from the groups. If they need to perform the actions granted by the AdminSDHolder groups, they should be given a second “admin” account to perform these tasks.
The groups that are affected by the AdminSDHolder changes are:
- Administrators
- Account Operators
- Server Operators
- Print Operators
- Backup Operators
- Domain Admins
- Schema Admins
- Enterprise Admins
- Cert Publishers
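
To find which accounts this will affect before the PA or the BES stops working, the audit below lists every user who is a direct or nested member of the groups above and flags those with a mail address. It is an added example, not part of the original post or the KB article; it assumes the ActiveDirectory PowerShell module is installed and treats a populated `mail` attribute as the sign of a mail-enabled account.

```powershell
# Added example: audit mail-enabled users in the AdminSDHolder-protected groups.
# Assumes the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

# Group names exactly as listed in this post.
$protectedGroups = @(
    'Administrators', 'Account Operators', 'Server Operators',
    'Print Operators', 'Backup Operators', 'Domain Admins',
    'Schema Admins', 'Enterprise Admins', 'Cert Publishers'
)

# Map of user DN -> list of protected groups the user belongs to.
$hits = @{}
foreach ($name in $protectedGroups) {
    # Skip any group that is not present in the current domain.
    $group = Get-ADGroup -Filter "Name -eq '$name'"
    if (-not $group) { continue }

    # -Recursive expands nested groups, so indirect members are caught too.
    Get-ADGroupMember -Identity $group -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            $dn = $_.distinguishedName
            if (-not $hits.ContainsKey($dn)) { $hits[$dn] = @() }
            $hits[$dn] += $name
        }
}

$report = foreach ($dn in $hits.Keys) {
    $u = Get-ADUser -Identity $dn -Properties mail, adminCount
    [pscustomobject]@{
        SamAccountName  = $u.SamAccountName
        Mail            = $u.mail
        MailEnabled     = [bool]$u.mail      # assumption: mail set => has a mailbox
        AdminCount      = $u.adminCount      # 1 once AdminSDHolder has stamped the object
        ProtectedGroups = ($hits[$dn] -join ', ')
    }
}

# Mail-enabled accounts first: these are the ones whose Send-As grants get reset.
$report |
    Sort-Object @{ Expression = 'MailEnabled'; Descending = $true }, SamAccountName |
    Format-Table -AutoSize
```

Every row with `MailEnabled` set to True is a candidate for being split into a day-to-day mailbox account and a separate admin account.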