
Access denied when running Add-ADPermission for besadmin


Postby guest » Fri Jan 07, 2011 12:15 pm

Trying to run the following command, keep getting access denied. Any ideas? The user account I'm running it from has all the correct AD permissions.
[PS] C:\Windows\system32>Add-ADPermission -InheritedObjectType User -InheritanceType Descendents -ExtendedRights Send-As
-User "BESAdmin" -Identity "CN=Users,DC=Domainname,DC=NET"
Active Directory operation failed on DomainControllerName. This error is not retriable. Additional information: Access
is denied.
Active directory response: 00000005: SecErr: DSID-03152492, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
+ CategoryInfo : WriteError: (0:Int32) [Add-ADPermission], ADOperationException
+ FullyQualifiedErrorId : FE21B8F7,Microsoft.Exchange.Management.RecipientTasks.AddADPermission
Tablet and Smartphone Setup Guide
http://www.quicksetupguide.com

Troubleshooting Vista Wireless
http://chicagotech.net/
guest
 
Posts: 9027
Joined: Mon Nov 27, 2006 1:10 pm

Re: Access denied when running Add-ADPermission for besadmin

Postby guest » Fri Jan 07, 2011 12:16 pm

These are the commands I ran recently at a client for BES 5.0.1 and Exchange 2010:

Add-RoleGroupMember "View-Only Organization Management" -Member "BESAdmin"


Get-MailboxDatabase | Add-ADPermission -User "BESAdmin" -AccessRights ExtendedRight -ExtendedRights Receive-As, ms-Exch-Store-Admin
guest
 
Posts: 9027
Joined: Mon Nov 27, 2006 1:10 pm

Re: Access denied when running Add-ADPermission for besadmin

Postby guest » Fri Jan 07, 2011 12:17 pm

Please understand that the Identity parameter specifies the identity of the object that's getting permissions added. You can specify either the distinguished name (DN) of the object or the object's name if it's unique. If the DN or name contains spaces, enclose the name in quotation marks (").

Add-ADPermission
http://technet.microsoft.com/en-us/libr ... 24403.aspx
guest
 
Posts: 9027
Joined: Mon Nov 27, 2006 1:10 pm

Re: Access denied when running Add-ADPermission for besadmin

Postby guest » Fri Jan 07, 2011 12:18 pm

RIM Tech Support pointed me to a knowledge base article at http://www.blackberry.com/btsc/KB21225, which is relevant to this issue. Basically the article says the problem is due to the somewhat magical way that Add-ADPermission works. Not only does the user account under which the command is executed need sufficient permissions to modify permissions on an Active Directory object, but so does the Exchange Servers security group, and it doesn't have them by default.
The KB article suggests granting full control of all Active Directory objects to the Exchange Servers group. This seems excessive, so I would like to ask what is the minimum set of permissions that could be granted to the Exchange Servers group at the level of the Users container to make the command work? For example, would it be sufficient to grant "Modify Permissions" for "Descendant User Objects"?
Presumably this would have to be done manually with ADUnC. For that matter what about using ADUnC to give the BESAdmin user "Send As" permissions on "Descendant User Objects"? Then we would be done with it, and wouldn't have to use the Add-ADPermission command anyway?
guest
 
Posts: 9027
Joined: Mon Nov 27, 2006 1:10 pm

Re: Access denied when running Add-ADPermission for besadmin

Postby guest » Fri Jan 07, 2011 12:19 pm

In that link BlackBerry offers an alternative to running that PowerShell command:
1. Open Active Directory Users and Computers.
2. Select the View menu and ensure Advanced Features is checked.
3. Right-click the Domain Name or Organizational Unit where Send As permissions are needed and select Properties.
4. Click the Security tab.
5. Click Advanced at the bottom on the Security tab.
6. Select Add and enter your Blackberry Service Account name (for example, BESadmin) and select OK.
7. When the permissions screen appears, change Apply onto: to User Objects (or Descendant User Objects on Microsoft Windows Server 2008).
8. In the permissions box, scroll down and check the Allow box beside Send As and press OK.
9. Press Apply and OK to exit.
It worked for me...
guest
 
Posts: 9027
Joined: Mon Nov 27, 2006 1:10 pm
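
Whichever route is used to grant the right (Add-ADPermission or the ADUC steps above), the resulting ACE can be checked against the scope the thread is aiming for: Send As only, on descendant User objects only. The following is an added example, not code from any poster or from the RIM KB article; the function name Test-SendAsScope is hypothetical, the sample rows are constructed, and comparing the string forms of the Get-ADPermission output properties is an assumption.

```powershell
# Added example: reports ACEs for an account that go beyond
# "Send-As on descendant User objects". Written to run on PowerShell 2.0 and later.
function Test-SendAsScope {
    param(
        [Parameter(Mandatory = $true)] [object[]] $Ace,
        [string] $Account = 'BESAdmin'
    )
    $Ace | Where-Object {
        $u = "$($_.User)"
        ($u -eq $Account) -or ($u -like "*\$Account")   # bare name or DOMAIN\name
    } | ForEach-Object {
        $a = $_
        $rights   = @($a.AccessRights   | Where-Object { $_ } | ForEach-Object { "$_" })
        $extended = @($a.ExtendedRights | Where-Object { $_ } | ForEach-Object { "$_" })
        $issues = @()
        if (@($rights | Where-Object { $_ -ne 'ExtendedRight' }).Count -gt 0) {
            $issues += "access rights beyond ExtendedRight: $($rights -join ',')"
        }
        if (($rights -contains 'ExtendedRight') -and ($extended.Count -eq 0)) {
            $issues += 'no specific extended right named (covers all extended rights)'
        }
        if (@($extended | Where-Object { $_ -ne 'Send-As' }).Count -gt 0) {
            $issues += "extended rights beyond Send-As: $($extended -join ',')"
        }
        if ("$($a.InheritanceType)" -ne 'Descendents') {
            $issues += "inheritance is '$($a.InheritanceType)', not Descendents"
        }
        if ("$($a.InheritedObjectType)" -ne 'User') {
            $issues += 'not limited to User objects'
        }
        New-Object PSObject -Property @{
            User           = "$($a.User)"
            LeastPrivilege = ($issues.Count -eq 0)
            Issues         = ($issues -join '; ')
        }
    }
}

# Constructed sample rows: one scoped ACE, one full-control ACE on everything.
$sample = @(
    (New-Object PSObject -Property @{ User = 'DOMAINNAME\BESAdmin'; AccessRights = @('ExtendedRight')
        ExtendedRights = @('Send-As'); InheritanceType = 'Descendents'; InheritedObjectType = 'User' }),
    (New-Object PSObject -Property @{ User = 'DOMAINNAME\BESAdmin'; AccessRights = @('GenericAll')
        ExtendedRights = $null; InheritanceType = 'All'; InheritedObjectType = $null })
)
Test-SendAsScope -Ace $sample | Format-List User, LeastPrivilege, Issues

# Live use from the Exchange Management Shell, with the container from the first post:
# Test-SendAsScope -Ace (Get-ADPermission -Identity "CN=Users,DC=Domainname,DC=NET" -User "BESAdmin")
```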

