Blackberry Switch Service Account

I recently had to pay for incident support to get my BES 4.1.6 SP7 back up and running and talking to my company’s 8 or 9 blackberry handhelds. Here are the steps I took:
1. Determine service account error by checking BES Log file

  • c:\Program Files\Research in Motion\Logs\SERVERNAME_MAGT_01_DATE_0001.txt
  • Saw error 5302

2. Export RIM registry key

  • regedit
  • HKCU\Software\Research in Motion > Export key

3. Create new Blackberry Admin user account in AD “BESAdmin”
4. AD > DOMAIN.local properties > Security tab

  • Add new user account “BESAdmin”
  • set “Send As” permission
  • verify inheritance to BlackBerry user accounts
  • force if necessary (advanced security settings for individual user accounts > Allow inheritable permissions CHECKED)

5. Exchange System Manager set Delegate Control

  • right click top level and Delegate Control
  • Add new user account “BESAdmin” as “Exchange View Only Administrator”
  • First Administrative Group > Right Click Properties > Security Tab > Change BESAdmin to add “Administer Information Store”, “Receive As”, & “Send As”

6. Local Security Settings (of blackberry server)

  • Local Policies > User Rights Assignments
  • add BESAdmin account to “Allow Log on Locally” and “Log on as a service”

7. Set new BESAdmin account as local administrator to BES server

  • Computer Management > Users and Groups > Administrator Group
  • Add domain\BESAdmin

8. Log on as new account BESAdmin
9. Services.msc > Change “Log on As” to new BESAdmin for all Blackberry services (minus BB Attachment service – that stays as “Local System”)
10. Import HKCU RIM key exported in Step 2
11. Recreate MAPI profile (may need BlackBerry services started to do this…)

  • open “Blackberry Service Configuration”
  • Server tab > Edit Mapi
  • Enter information of Exchange Server, and new BESAdmin account
  • Apply > OK > OK
  • open “Blackberry Manager” and create MAPI profile again using same settings

12. Start BB services or restart server.  Verify handheld communication with server.
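
To confirm the result of step 9 before testing the handhelds, the following PowerShell check lists each BlackBerry service with its "Log on As" account and flags any that differ from what the steps call for. It is an added example, not part of the original steps; it assumes the service display names begin with "BlackBerry", that the attachment service has "Attachment" in its display name, and that DOMAIN is a placeholder for your own domain name.

```powershell
# Added example: audit the "Log on As" account of the BlackBerry services (step 9).
# Assumptions (not from the original post): service display names begin with
# "BlackBerry", the attachment service has "Attachment" in its display name,
# and DOMAIN is a placeholder for the real NetBIOS domain name.
$ExpectedAccount = 'DOMAIN\BESAdmin'

# Win32_Service exposes the configured logon account as StartName.
$services = Get-WmiObject -Class Win32_Service -Filter "DisplayName LIKE 'BlackBerry%'"
if (-not $services) {
    Write-Warning 'No services with a display name starting with "BlackBerry" were found.'
    return
}

$report = foreach ($svc in $services) {
    # The attachment service stays on Local System; all others use the service account.
    if ($svc.DisplayName -like '*Attachment*') { $want = 'LocalSystem' }
    else { $want = $ExpectedAccount }

    New-Object PSObject -Property @{
        Service  = $svc.DisplayName
        State    = $svc.State
        LogOnAs  = $svc.StartName
        Expected = $want
        Ok       = ($svc.StartName -ieq $want)
    }
}

$report | Sort-Object Service |
    Select-Object Service, State, LogOnAs, Expected, Ok |
    Format-Table -AutoSize

# Summarize any service whose configured account differs from the expected one.
$mismatch = @($report | Where-Object { -not $_.Ok })
if ($mismatch.Count -gt 0) {
    Write-Warning ("{0} service(s) are not configured with the expected account." -f $mismatch.Count)
}
```

A service whose account was entered in UPN form (user@domain) is reported as a mismatch, because the comparison is against the DOMAIN\user form only.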