
In order to get mobile email syncing to work in our Exchange 2010 / Server 2008 R2 environment we have to go to the user's account in AD, go to Properties, Security, Advanced and select the top object, which is an Exchange Servers permission with 'create msExchActiveSyncDevices o...' and the delete version of that in it.

Then on that object we tick 'include inheritable permissions from this object's parent'.

I will admit I don't have enough background knowledge of how this works, but we're experiencing an issue where this gets unticked randomly for some users, and they are then unable to sync their email.

Does this get revoked somehow if the user does something? Or does anyone know anything else about why it would be unticking itself? We have the latest updates installed for Exchange and Windows.

RodH257
  • What are you using for your mobile email sync? Exchange's built-in features or a third-party product? I'm not sure why it should get unticked, but this is not something you should need to do to get mobile email sync to work and I would suggest there is something wrong with your permissions if this is the case. – Sam Cogan Oct 24 '10 at 22:44
  • Yeah, just Exchange's built-in synchronization, no 3rd-party tools. – RodH257 Oct 25 '10 at 01:02

1 Answer

I think the real question you should be asking is why you have to apply these AD permissions in the first place. You shouldn't need to do anything to get ActiveSync going, it just works™.

What are you experiencing when your users try to sync with ActiveSync? Any specific error messages might be useful.

Some background on why this is happening

I am willing to bet the users are in (or have been in) a privileged group such as Domain Admins or Enterprise Admins (or have been copied from a user in a privileged group).

This is a security feature built into Active Directory to prevent users with delegated access to higher privileged accounts from removing administrative permissions from them (accidentally or otherwise).

If you look in ADSI Edit on the affected users, you'll probably find a property called adminCount which is set to 1. If the users are not in any privileged groups, you should be able to set this property to 0 and make permissions inherit, and they should stick. If the user is still in a privileged group, the adminCount flag will be reset every hour along with any permissions you may have set.

From memory, the privileged groups are Enterprise Admins, Domain Admins and Account Operators (though there may be a few more).

Ben Pilbrow
  • On iPhone and editing is a pain. Full list of privileged groups and a bit of a better explanation (if you care) here: http://msmvps.com/blogs/UlfBSimonWeidner/archive/2005/05/29/49659.aspx – Ben Pilbrow Oct 24 '10 at 23:07
  • +1 -- You're speaking of [the AdminSDHolder object](http://support.microsoft.com/kb/232199). This can cause snags when using [the AD protected groups](http://technet.microsoft.com/en-us/magazine/2009.09.sdadminholder.aspx), as you mention. – jscott Oct 24 '10 at 23:48
  • Indeed I am. I have first-hand experience of this screwing up BlackBerry permissions and it's a nightmare. We had 1 user in the Account Operators group for a while who was then taken out of it. Years later and several new hires later (copied from this user) we issue BlackBerrys to a load of people and some have mysterious problems all relating back to their permissions being reset by the AdminSDHolder thread because they were copied from a user who was once in a privileged group. It still gives me the heebie-jeebies thinking about it. – Ben Pilbrow Oct 25 '10 at 00:26
  • Thanks guys, you are correct, this particular user was a domain admin (and probably should still be, but I think the permissions have been dropped). I had a look at Ben's link, and had a look into editing the AdminSDHolder properties, but it would appear that it already has those specific Exchange permissions set. I'm a bit out of my depth here, so I'm a bit cautious to change too much that I don't know about. What would you suggest be my next option? Should I try that MS KB article? – RodH257 Oct 25 '10 at 01:08
  • If that user isn't likely to be put back in a privileged group, you can use ADSI Edit to change the adminCount property on their account to 0 (be careful with ADSI Edit - it won't stop you from doing something stupid). Then tick the inherit permissions box and it should stay ticked. Not sure about Exchange 2010, but in 2003 you had to either bounce the Exchange Information Store or wait a few hours for Exchange to pick it up. In any case, you shouldn't have to mess with AD permissions to get ActiveSync working, so I think something else is fundamentally wrong with your setup. – Ben Pilbrow Oct 25 '10 at 01:33
  • @RodH257 - please see my edit regarding trying to fix the real problem. – Ben Pilbrow Oct 25 '10 at 18:10
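The answer and its comments describe the mechanism (SDProp stamps `adminCount=1` on members of protected groups and strips ACL inheritance from them every hour, and the flag survives after the account leaves the group or is copied from one that was in it) and the manual fix (clear `adminCount`, re-tick inheritance). The script below is an added example, not code from the thread or from Microsoft: it finds users that still carry `adminCount=1` but are no longer in any protected group, reports whether inheritance is currently blocked on them, and offers a `-WhatIf`-capable repair function. It assumes the RSAT ActiveDirectory module and rights to modify the affected accounts; the group list is the common default set and should be checked against the KB article linked in the comments for your forest.

```powershell
# Added example (not from the original thread). Requires the ActiveDirectory
# module, which also provides the AD: PSDrive used for Get-Acl/Set-Acl.
Import-Module ActiveDirectory

# Default AdminSDHolder-protected groups (assumption: verify against the KB
# article for your domain/forest; forest-root-only groups such as Enterprise
# Admins will fail to enumerate from a child domain and are simply skipped).
$protectedGroups = @(
    'Administrators', 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
    'Account Operators', 'Server Operators', 'Print Operators', 'Backup Operators'
)

function Get-ProtectedMemberSet {
    # Hashtable keyed by DN of every (nested) member of a protected group.
    $set = @{}
    foreach ($g in $protectedGroups) {
        try {
            Get-ADGroupMember -Identity $g -Recursive -ErrorAction Stop |
                ForEach-Object { $set[$_.DistinguishedName] = $g }
        } catch {
            Write-Warning "Skipping group '$g': $_"
        }
    }
    return $set
}

function Get-OrphanedAdminCountUser {
    # Users SDProp has flagged that are no longer protected-group members.
    # These are the accounts whose "include inheritable permissions" box keeps
    # getting cleared, which is the symptom in the question.
    $protected = Get-ProtectedMemberSet
    Get-ADUser -Filter 'adminCount -eq 1' -Properties adminCount, nTSecurityDescriptor |
        Where-Object { -not $protected.ContainsKey($_.DistinguishedName) } |
        ForEach-Object {
            [pscustomobject]@{
                SamAccountName     = $_.SamAccountName
                DistinguishedName  = $_.DistinguishedName
                # AreAccessRulesProtected = $true means inheritance is blocked.
                InheritanceBlocked = $_.nTSecurityDescriptor.AreAccessRulesProtected
            }
        }
}

function Repair-OrphanedAdminCountUser {
    # Clears adminCount and re-enables ACL inheritance on one account.
    # Only run this for accounts that genuinely should not be protected;
    # if the user is still in a protected group, SDProp will undo it within the hour.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$SamAccountName)

    $u    = Get-ADUser -Identity $SamAccountName
    $path = "AD:\$($u.DistinguishedName)"

    if ($PSCmdlet.ShouldProcess($u.DistinguishedName, 'Clear adminCount')) {
        Set-ADUser -Identity $u -Clear adminCount
    }

    $acl = Get-Acl -Path $path
    # isProtected=$false re-enables inheritance; preserveInheritance=$true keeps
    # the existing inherited ACEs rather than wiping them.
    $acl.SetAccessRuleProtection($false, $true)
    if ($PSCmdlet.ShouldProcess($u.DistinguishedName, 'Enable ACL inheritance')) {
        Set-Acl -Path $path -AclObject $acl
    }
}

# Report first; nothing is modified until Repair-OrphanedAdminCountUser is called.
Get-OrphanedAdminCountUser | Format-Table -AutoSize
# Example remediation (dry run):  Repair-OrphanedAdminCountUser -SamAccountName jdoe -WhatIf
```

Running the report periodically is a cheap detection control: an account with `adminCount=1` and blocked inheritance that is not in any protected group is exactly the "copied from a former admin" case Ben describes, and it will keep breaking application permissions (ActiveSync, BlackBerry, anything that relies on inherited ACEs) until the flag is cleared. Conversely, an account that is in a protected group and needs inherited permissions is a design problem, not something to fix by repeatedly re-ticking the box.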