If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.
Activesync Working But Only For Some Users On Exchange 2007 / 2010
Published on
133,788 Points
There are some issues with ActiveSync for both Exchange 2007 and Exchange 2010 users whereby some users can connect their Mobile Devices (Windows Mobile Phones / iPhones / Motorola Droid etc) quite happily and ActiveSync pushes mail to the devices, but other users cannot connect and cannot sync anything at all.
There appear to be plenty of potential solutions for this problem around if you search the web, but the solution to the majority of these problems can be solved quite simply.
If you open up Active Directory Users and Computers and locate one of your users that is not working, Double-Click into the account and click on the Security Tab (if this is not visible, Click on View> Advanced Features from the Menu at the top of the screen then navigate back to your user). Once on the security tab, click on the Advanced Button and make sure that the ‘Include Inheritable Permissions From This Object’s Parent’ is ticked. Click OK twice to close the user account.
Once the box is ticked, you should then be able to connect up your Mobile Device to your Exchange Server and receive your mail like the rest of your users.
This particular problem seems to only affect migrated users and not users that were setup on the server post migration.
You may also find that if you use an account that has Admin privileges, and you Check the ‘Include Inheritable Permissions From This Object’s Parent’ check box, that it works for a while, and then stops working again about an hour or so later.
The reason this happens is because Active Directory uses something called the AdminSDHolder to define what permissions the default protected security groups receive. Whilst you can change the inherited permissions, a process called SDPROP will run, by default every 60 minutes on the domain controller that holds the PDCe role. It will check the ACL of the protected groups and reset their inherited permissions and the users within the groups, with what has been defined by the AdminSDHolder object.
Microsoft’s recommendation and best practice is that if you are a domain administrator that you have 2 accounts. One for your everyday user which is restricted in the same way that every other user is and a second for your administration role.
The built in groups that are affected with Windows 2008 are:
Account Operators
Administrators
Backup Operators
Domain Admins
Domain Controllers
Enterprise Admins
Print Operators
Read-only Domain Controllers
Replicator
Schema Admins
Server Operators
The built in users that are affected with Windows 2008 are:
Administrator
Krbtgt
There appear to be plenty of potential solutions for this problem around if you search the web, but the solution to the majority of these problems can be solved quite simply.
If you open up Active Directory Users and Computers and locate one of your users that is not working, Double-Click into the account and click on the Security Tab (if this is not visible, Click on View> Advanced Features from the Menu at the top of the screen then navigate back to your user). Once on the security tab, click on the Advanced Button and make sure that the ‘Include Inheritable Permissions From This Object’s Parent’ is ticked. Click OK twice to close the user account.
Once the box is ticked, you should then be able to connect up your Mobile Device to your Exchange Server and receive your mail like the rest of your users.
This particular problem seems to only affect migrated users and not users that were setup on the server post migration.
You may also find that if you use an account that has Admin privileges, and you Check the ‘Include Inheritable Permissions From This Object’s Parent’ check box, that it works for a while, and then stops working again about an hour or so later.
The reason this happens is because Active Directory uses something called the AdminSDHolder to define what permissions the default protected security groups receive. Whilst you can change the inherited permissions, a process called SDPROP will run, by default every 60 minutes on the domain controller that holds the PDCe role. It will check the ACL of the protected groups and reset their inherited permissions and the users within the groups, with what has been defined by the AdminSDHolder object.
Microsoft’s recommendation and best practice is that if you are a domain administrator that you have 2 accounts. One for your everyday user which is restricted in the same way that every other user is and a second for your administration role.
The built in groups that are affected with Windows 2008 are:
Account Operators
Administrators
Backup Operators
Domain Admins
Domain Controllers
Enterprise Admins
Print Operators
Read-only Domain Controllers
Replicator
Schema Admins
Server Operators
The built in users that are affected with Windows 2008 are:
Administrator
Krbtgt
-
11
4
2- +26
43 Comments
Excellent article alanhardisty,
I particularly like the mention of best practice when it comes to administrative user accounts.
Well done. You have my vote.
demazter
I particularly like the mention of best practice when it comes to administrative user accounts.
Well done. You have my vote.
demazter
We have just completed a migration from SBS2003 to Exchange2010 and had problems with HTTP500 errors when testing from the testexchangeconnectivity.c
Thanks
Thanks
Hello,
What if it's a user in AD that has the inherited permissions box checked. What do you suggest at this
point? The user is trying to use active sync on an AT&T Samsung Jack i637. The error in the Event Viewer is 1053 in Exhange 2010.
Thanks
What if it's a user in AD that has the inherited permissions box checked. What do you suggest at this
point? The user is trying to use active sync on an AT&T Samsung Jack i637. The error in the Event Viewer is 1053 in Exhange 2010.
Thanks
one additional step to perform -
Using ADSIEDIT.MSC don't forget to change "adminCount" to either 0 (zero) or to <not set>
According to numerous articles I've found, not resetting that value may cause the inherit rights to still change on the next cycle.
Using ADSIEDIT.MSC don't forget to change "adminCount" to either 0 (zero) or to <not set>
According to numerous articles I've found, not resetting that value may cause the inherit rights to still change on the next cycle.
We had conirmed that 'Allowed inheritable permssion ....' is ticked but we're still having this issue
1. .Tthis is what we got this error log from the Smartphone's (Using 3rd party Touchdown)
-----
Checking Certificate...
Checking ActiveSync with SSL...
Server is Microsoft-IIS/6.0
ActiveSync was found
ActiveSync Version :Versions:Microsoft-IIS/6.
Trying activesync protocol 25...
ActiveSync provisioning returns HTTP:403
Error provisioning ActiveSync: Policy status is 0
Trying activesync protocol 2.5...
ActiveSync provisioning returns HTTP:400
Error provisioning ActiveSync: Policy status is 0
Connection to http://server1.mycompany.com refused:Exception performing request
ActiveSync version check returned negative, but still trying for 12.1
Checking 2007 with SSL...
Error renewing subscription: Refresh folder list and try again.
Connection to http://server1.mycompany.com refused for operation: Subscribe-> Error renewing a subscriptionChecking 2003 with SSL...
-------
2.Setting up with just the Email client bundled with the SmartPhone, this is the error we got.
***** Setup could not finish ---- This server requires security features your phone does not support
This is the whole issue: http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/Q_26859832.html?cid=239#a35022987
1. .Tthis is what we got this error log from the Smartphone's (Using 3rd party Touchdown)
-----
Checking Certificate...
Checking ActiveSync with SSL...
Server is Microsoft-IIS/6.0
ActiveSync was found
ActiveSync Version :Versions:Microsoft-IIS/6.
Trying activesync protocol 25...
ActiveSync provisioning returns HTTP:403
Error provisioning ActiveSync: Policy status is 0
Trying activesync protocol 2.5...
ActiveSync provisioning returns HTTP:400
Error provisioning ActiveSync: Policy status is 0
Connection to http://server1.mycompany.com refused:Exception performing request
ActiveSync version check returned negative, but still trying for 12.1
Checking 2007 with SSL...
Error renewing subscription: Refresh folder list and try again.
Connection to http://server1.mycompany.com refused for operation: Subscribe-> Error renewing a subscriptionChecking 2003 with SSL...
-------
2.Setting up with just the Email client bundled with the SmartPhone, this is the error we got.
***** Setup could not finish ---- This server requires security features your phone does not support
This is the whole issue: http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/Q_26859832.html?cid=239#a35022987
Thanks guys, I worked on this all day before finding this article, and not being all that familar with Ex2010 I was a little perplexed.
Would I need to do this for all users with Iphone or other mobiles devices? I'm just starting my testing phase so i need to factor this into the project plan..
Would I need to do this for all users with Iphone or other mobiles devices? I'm just starting my testing phase so i need to factor this into the project plan..
Active today
Hi jvwiv,
This issue usually only affects migrated users, so if you migrate the lot - you should check ALL the accounts to make sure the inherited permission is checked.
You could happily ignore users without Mobile Devices, but you might have a user you don't check now and then when they get a mobile device, you might not remember to check the setting, so it is probably best to make sure that they are all checked in the first place.
Alan
This issue usually only affects migrated users, so if you migrate the lot - you should check ALL the accounts to make sure the inherited permission is checked.
You could happily ignore users without Mobile Devices, but you might have a user you don't check now and then when they get a mobile device, you might not remember to check the setting, so it is probably best to make sure that they are all checked in the first place.
Alan
Many thanks for this article...it saved me a bunch of time. Good job. You get a "gold star" for today from a city boy down in S. Louisiana. I appreciate it.
Thank you for posting the article - but, what if activesync is off for everyone even if they are checked. how do I restart that activesync service? Sorry, a neophyte to exchange 2010. The primary guy is out and this fell on me.
Active today
This is not an appropriate place to start asking technical questions - if you need to resolve an issue - please post a question.
Alan
Alan
Active today
:) - If it worked for you - please vote for the article. All votes greatly appreciated.
Thanks
Alan
Thanks
Alan
It did not wpork for me as some users on some mailboxe servers can use EAS while som eon some other mailboxes could not. The error using testexchangeconnectivity is
:An ActiveSync session is being attempted with the server.
Errors were encountered while testing the Exchange ActiveSync session.
Test Steps
Attempting to send the OPTIONS command to the server.
Testing of the OPTIONS command failed. For more information, see Additional Details.
Additional Details
A Web exception occurred because an HTTP 451 - 451 response was received from Unknown.
:An ActiveSync session is being attempted with the server.
Errors were encountered while testing the Exchange ActiveSync session.
Test Steps
Attempting to send the OPTIONS command to the server.
Testing of the OPTIONS command failed. For more information, see Additional Details.
Additional Details
A Web exception occurred because an HTTP 451 - 451 response was received from Unknown.
How many mailbox servers are there? How many CAS servers?
What version of Exchange?
Single site or multiple sites?
What version of Exchange?
Single site or multiple sites?
Active today
@Reslos - If you have an issue technically - please raise a question and get the Experts to help you (include a link here too if you like). An Article isn't the place to start pulling apart your configuration and fixing your problems.
Thanks
Alan
Thanks
Alan
As always Alan, thanks for this. I just completed a swing migration from SBS 2003 - SBS 2011 and some users where having problems such as this. This saved me a huge headache that was delveoping since this past monday!
Dusty
Dusty
That's the goal. I had the problem on one user account
And just this User i used to test ActiveSync...;-)
Thanks for your help.
Walter
And just this User i used to test ActiveSync...;-)
Thanks for your help.
Walter
What if the check box ‘Include Inheritable Permissions From This Object’s Parent’ is already checked? can i uncheck it, copy the perms, and the recheck it????
Active today
Yes - just uncheck the box, copy the perms, re-check the box, apply the perms and then hit the default button.
Alan
Alan
Hi Alan
unchecked, copied and rechecked. i still cannot sync this mailbox with a phone.......any other ideas???
unchecked, copied and rechecked. i still cannot sync this mailbox with a phone.......any other ideas???
Active today
Is it just the one phone that won't work?
Have you tried other accounts on the same phone and the same account on another phone?
What phone is it?
What does https://testexchangeconnectivity.com show as the results (Activesync Test) for the account?
If you need to troubleshoot the problem, please open up a question and post a link here (in case I miss it).
Thanks
Alan
Have you tried other accounts on the same phone and the same account on another phone?
What phone is it?
What does https://testexchangeconnectivity.com show as the results (Activesync Test) for the account?
If you need to troubleshoot the problem, please open up a question and post a link here (in case I miss it).
Thanks
Alan
Thanks! One user didn't have the have the permissions propagating corretly after a migration to SBS 2011 from SBS 2003.
Just wanted to say thanks on this! I thought it was my iPhone, strange that my wife's android phone sync up to my account with out this option checked.
Thanks!
Thanks!
Featured Post
Administration of Active Directory does not have to be hard. Too often what should be a simple task is made more difficult than it needs to be.The solution? Hyena from SystemTools Software. With ease-of-use as well as powerful importing and bulk updating capabilities.
Join & Write a Comment Already a member? Login.
Suggested Articles
Exchange organizations may use the Journaling Agent of the Transport Service to archive messages going through Exchange. However, if the Transport Service is integrated with some email content management application (such as an antispam), the admini…
Please check the video also in regards to recovery of deleted emails from office 365 admin center and through the MFCMAPI tool.
I have mentioned each and every step with the proper steps that need to be taken care of.
