Home > Exchange > Exchange ActiveSync insufficient permissions

Exchange ActiveSync insufficient permissions

I couldn’t connect via ActiveSync on my account. I’ve checked events on CAS server and I found:

 

Exchange ActiveSync doesn’t have sufficient permissions to create the “CN=Zilinec Ondrej – testovaci TS uzivatel,OU=TESTUSERS,OU=UZIVATELIA,OU=XXX,DC=XXX,DC=in,DC=XXX,DC=XX” container under Active Directory user “Active Directory operation failed on DCB1.XXX. This error is not retriable. Additional information: Access is denied.

Active directory response: 00000005: SecErr: DSID-031521D0, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

“.

Make sure the user has inherited permission granted to domain\Exchange Servers to allow List, Create child, Delete child of object type “msExchActiveSyncDevices” and doesn’t have any deny permissions that block such operations.

Details:%3

 

This is known error for ActiveSync and accounts with admin rights. To solve this issue, you need do following steps:

  • Open the Active Directory Users and Computers and go to “View” and select “Advanced Features
  • After that, find the user who is not able to use the ActiveSync, and double-click him, and go to “Security” tab then click “Advanced”
  • Then just check the ckeck-box “Include inheritable permissions from this object’s parent” and click OK to close all windows

After this steps everything works perfect.

This perfect state will be for just a one hour. There is special security engine to protect accounts in special (more powerfull) groups. More info:

UPDATE: This issue was solved by Service Pack 3 for Exchange 2010.

  1. No comments yet.
  1. No trackbacks yet.