We have been doing some work for a customer around creating new mailbox databases and moving users around into these new databases.

After moving a number of users we began getting calls from them to say their BlackBerrys had stopped syncing. I had a look around and found the following BlackBerry article:


This describes that if you create a new mailbox database you need to ensure the BlackBerry service account has the following permissions on the mailbox database itself:

Administer Information Store
Receive As
View Information Store status

To check what the other mailbox dbs had I ran:

Get-MailboxDatabase -Identity "*MailboxDatabase*" | Get-ADPermission | Where-Object { ($_.ExtendedRights -like "*receive*" -or $_.ExtendedRights -like "*ms-Exch-Store-Visible*" -or $_.ExtendedRights -like "*ms-Exch-Store-ad*") -and ($_.User -like "*BESadmin*") } | Select-Object Identity, User, ExtendedRights, IsInherited | Format-Table -Wrap

And sure enough it showed:

You can also check in ADSI Edit:

Configuration > Services > Microsoft Exchange > FQDN > Administrative Groups > Exchange Administrative Group (F…) > Databases > Properties on the DBs > Security.

So to add the required permission I ran:

Get-MailboxDatabase -Identity "NewMailboxDatabase" | Add-ADPermission -User "BESAdmin" -AccessRights ExtendedRight -ExtendedRights Receive-As, ms-Exch-Store-Admin, ms-Exch-Store-Visible

After that the service books were resent to the affected users' devices and all started syncing again.
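The check and the fix above can be combined into one audit over every mailbox database, so a newly created database missing the rights is caught before users are moved onto it. This is an added example, not part of the original post; the variable names are assumptions, and it is meant for the Exchange Management Shell using only the cmdlets already shown above.

```powershell
# Added example: list which of the three extended rights the service account
# holds on each mailbox database, and which are missing.
$account  = 'BESAdmin'   # service account name as used in this post
$required = 'Receive-As', 'ms-Exch-Store-Admin', 'ms-Exch-Store-Visible'

$report = foreach ($db in Get-MailboxDatabase) {
    # Allow entries for the service account that carry extended rights
    # (explicit or inherited; deny entries are ignored here)
    $aces = @($db | Get-ADPermission | Where-Object {
        $_.User -like "*$account*" -and -not $_.Deny -and $_.ExtendedRights
    })

    # Flatten the rights on those entries to a unique list of strings
    $held = @($aces | ForEach-Object { $_.ExtendedRights } |
        ForEach-Object { "$_" } | Sort-Object -Unique)

    # -notcontains compares case-insensitively
    $missing = @($required | Where-Object { $held -notcontains $_ })

    New-Object PSObject -Property @{
        Database = $db.Name
        Held     = $held -join ', '
        Missing  = $missing -join ', '
    } | Select-Object Database, Held, Missing
}

$report | Format-Table -AutoSize -Wrap

# Preview granting only the missing rights; remove -WhatIf to apply
foreach ($row in @($report | Where-Object { $_.Missing })) {
    Get-MailboxDatabase -Identity $row.Database |
        Add-ADPermission -User $account -AccessRights ExtendedRight `
            -ExtendedRights ($row.Missing -split ', ') -WhatIf
}
```

Granting only the rights reported as missing keeps the service account's permissions limited to the three the article lists.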


Hope it helps!