Security groups being removed




Hi,

I'm running Blackberry Enterprise Server 4.1 on an SBS 2003 (Windows Server
2003/SP1) box with 10 Blackberry user licenses. I got a call from a user who
reported that when he tried to send from his BB he got a red x and the
message "Desktop mail unable to submit message." I researched this and found
several references to missing Send As permissions. I looked and discovered
that half my BB users had BESAdmin listed under their Security Tabs in AD
Users/Computers, and these users could send, but five users, including the
complaining user, did not have BESAdmin listed under their Security Tabs in
AD Users/Computers. Turned out that none of those five users could send
messages. I added BESAdmin with Send As to all five users' Security Tabs,
stopped the BES services, restarted the Exchange Information Store, restarted
BES, and all five could then send again.

However the next time I looked--about an hour later--BESAdmin was gone from
the AD Security Tab of all five (although they continue to be able to send).

The five users who did have BESAdmin listed under their AD Security Tabs
continue to have BESAdmin listed, and I noticed that their BESAdmin Send As
permissions are inherited.

Why does BESAdmin keep disappearing from the AD Security Tab of the other
five? How can I make the missing five users' Security permissions look like
the permissions of the "good" five?

All five problem users were members of the Domain Admin group. Pursuant to a
suggestion from a member of a BB users' forum, I removed Domain Admin from
their Security Tabs and manually added BESAdmin. When I checked a half-hour
later, Domain Admin had been re-added and BESAdmin removed.

Is Active Directory removing/restoring these entries? How do I stop this
from happening?

Thanks in advance for any help/insight.

GaryK



