Thursday, December 31, 2009

Exchange 2010 ActiveSync Issue

During the last month we had four Exchange 2010 installations. On all of them we had problems when trying to sync mobile devices. The problem was encountered only with old accounts. When we created a new account for testing purposes, it worked fine. In the Application log I found the following record:

Log Name: Application
Source: MSExchange ActiveSync
Date: 12/22/2009 3:02:13 PM
Event ID: 1053
Task Category: Configuration
Level: Error
Keywords: Classic
User: N/A
Exchange ActiveSync doesn't have sufficient permissions to create the "CN=,OU=,DC=,DC=local" container under Active Directory user "Active Directory operation failed on . This error is not retriable. Additional information: Access is denied.
Active directory response: 00000005: SecErr: DSID-03152492, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
Make sure the user has inherited permission granted to domain\Exchange Servers to allow List, Create child, Delete child of object type "msExchangeActiveSyncDevices" and doesn't have any deny permissions that block such operations.

At first the resolution looks simple, because you can find the answer in the description of the error in the Application log. All you have to do is reset permission inheritance for that user. The steps are:

- Open the Active Directory Users and Computers management console;
- Enable Advanced Features from View Tab;
- Right-click the user(s), select Properties and then Security;
- Click Advanced;
- Make sure that “Include inheritable permissions from this object’s parent” is checked and click OK, Apply, etc.

This works for most users, but not for users that are members of built-in privileged Active Directory groups. If you have such an account and you reset the permission inheritance, you will notice that in up to one hour the inheritance is gone again. To understand how this works and how you can solve the problem, use this link.
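The same check can be scripted when many old accounts are affected. The following is an added example, not code from the original post: it lists users whose inheritance is disabled, re-enables it only when asked, and skips accounts carrying `adminCount=1` (the attribute Active Directory sets on members of protected groups), since their inheritance would be removed again. It assumes the ActiveDirectory PowerShell module is available; the search base is a placeholder.

```powershell
# Added example: audit (and optionally reset) permission inheritance on user objects.
# Requires the ActiveDirectory module and rights to read/write ACLs on the users.
Import-Module ActiveDirectory   # also provides the AD: drive used by Get-Acl below

# Placeholder: replace with the OU that holds the affected mailboxes.
$SearchBase = 'OU=Staff,DC=example,DC=local'

# Leave at $false to report only; set to $true to re-enable inheritance.
$Fix = $false

$report = foreach ($user in Get-ADUser -Filter * -SearchBase $SearchBase -Properties adminCount) {
    $path = "AD:\$($user.DistinguishedName)"
    $acl  = Get-Acl -Path $path

    # AreAccessRulesProtected is $true when the "Include inheritable permissions
    # from this object's parent" box is unchecked. Skip users that already inherit.
    if (-not $acl.AreAccessRulesProtected) { continue }

    # adminCount=1 marks accounts that are (or were) members of protected groups.
    $isProtected = ($user.adminCount -eq 1)
    $action = 'Reported only'

    if ($isProtected) {
        # Do not touch these: the directory would strip inheritance again.
        $action = 'Skipped (adminCount=1)'
    }
    elseif ($Fix) {
        # First argument $false = allow inheritance from the parent again.
        # The second argument is ignored when the first is $false.
        $acl.SetAccessRuleProtection($false, $true)
        Set-Acl -Path $path -AclObject $acl
        $action = 'Inheritance re-enabled'
    }

    [pscustomobject]@{
        SamAccountName = $user.SamAccountName
        AdminCount     = $user.adminCount
        Action         = $action
    }
}

$report | Sort-Object Action, SamAccountName | Format-Table -AutoSize
```

Run it once with `$Fix = $false` and review the list before changing any ACLs; the accounts reported as skipped are the ones the manual steps above do not fix.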
