There are some issues with ActiveSync for both Exchange 2007 and Exchange 2010 users whereby some users can connect their Mobile Devices (Windows Mobile Phones / iPhones / Motorola Droid etc) quite happily and ActiveSync pushes mail to the devices, but other users cannot connect and cannot sync anything at all.
There appear to be plenty of potential solutions for this problem around if you search the web, but the solution to the majority of these problems can be solved quite simply.
If you open up Active Directory Users and Computers and locate one of your users that is not working, Double-Click into the account and click on the Security Tab (if this is not visible, Click on View> Advanced Features from the Menu at the top of the screen then navigate back to your user). Once on the security tab, click on the Advanced Button and make sure that the ‘Include Inheritable Permissions From This Object’s Parent’ is ticked. Click OK twice to close the user account.
Once the box is ticked, you should then be able to connect up your Mobile Device to your Exchange Server and receive your mail like the rest of your users.
This particular problem seems to only affect migrated users and not users that were setup on the server post migration.
You may also find that if you use an account that has Admin privileges, and you Check the ‘Include Inheritable Permissions From This Object’s Parent’ check box, that it works for a while, and then stops working again about an hour or so later.
The reason this happens is because Active Directory uses something called the AdminSDHolder to define what permissions the default protected security groups receive. Whilst you can change the inherited permissions, a process called SDPROP will run, by default every 60 minutes on the domain controller that holds the PDCe role. It will check the ACL of the protected groups and reset their inherited permissions and the users within the groups, with what has been defined by the AdminSDHolder object.
Microsoft’s recommendation and best practice is that if you are a domain administrator that you have 2 accounts. One for your everyday user which is restricted in the same way that every other user is and a second for your administration role.
The built in groups that are affected with Windows 2008 are:
Account Operators
Administrators
Backup Operators
Domain Admins
Domain Controllers
Enterprise Admins
Print Operators
Read-only Domain Controllers
Replicator
Schema Admins
Server Operators
The built in users that are affected with Windows 2008 are:
Administrator
Krbtgt
The IT Service Excellence Tool Kit delivers expert advice for technology solution providers. Get your free copy for valuable how-to assets including sample agreements, checklists, flowcharts, and more to help build customer satisfaction and retention.
We have just completed a migration from SBS2003 to Exchange2010 and had problems with HTTP500 errors when testing from the testexchangeconnectivity.com site. The above sorted it for us.
Thanks
What if it's a user in AD that has the inherited permissions box checked. What do you suggest at this
point? The user is trying to use active sync on an AT&T Samsung Jack i637. The error in the Event Viewer is 1053 in Exhange 2010.
We had conirmed that 'Allowed inheritable permssion ....' is ticked but we're still having this issue
1. .Tthis is what we got this error log from the Smartphone's (Using 3rd party Touchdown)
-----
Checking Certificate...
Checking ActiveSync with SSL...
Server is Microsoft-IIS/6.0
ActiveSync was found
ActiveSync Version :Versions:Microsoft-IIS/6.0,1.0,2.0,2.1,2.5
Trying activesync protocol 25...
ActiveSync provisioning returns HTTP:403
Error provisioning ActiveSync: Policy status is 0
Trying activesync protocol 2.5...
ActiveSync provisioning returns HTTP:400
Error provisioning ActiveSync: Policy status is 0
Connection to http://server1.mycompany.com refused:Exception performing request
ActiveSync version check returned negative, but still trying for 12.1
Checking 2007 with SSL...
Error renewing subscription: Refresh folder list and try again.
Connection to http://server1.mycompany.com refused for operation: Subscribe-> Error renewing a subscriptionChecking 2003 with SSL...
-------
2.Setting up with just the Email client bundled with the SmartPhone, this is the error we got.
***** Setup could not finish ---- This server requires security features your phone does not support
Thanks guys, I worked on this all day before finding this article, and not being all that familar with Ex2010 I was a little perplexed.
Would I need to do this for all users with Iphone or other mobiles devices? I'm just starting my testing phase so i need to factor this into the project plan..
This issue usually only affects migrated users, so if you migrate the lot - you should check ALL the accounts to make sure the inherited permission is checked.
You could happily ignore users without Mobile Devices, but you might have a user you don't check now and then when they get a mobile device, you might not remember to check the setting, so it is probably best to make sure that they are all checked in the first place.
Many thanks for this article...it saved me a bunch of time. Good job. You get a "gold star" for today from a city boy down in S. Louisiana. I appreciate it.
Thank you for posting the article - but, what if activesync is off for everyone even if they are checked. how do I restart that activesync service? Sorry, a neophyte to exchange 2010. The primary guy is out and this fell on me.
It did not wpork for me as some users on some mailboxe servers can use EAS while som eon some other mailboxes could not. The error using testexchangeconnectivity is
:An ActiveSync session is being attempted with the server.
Errors were encountered while testing the Exchange ActiveSync session.
Test Steps
Attempting to send the OPTIONS command to the server.
Testing of the OPTIONS command failed. For more information, see Additional Details.
Additional Details
A Web exception occurred because an HTTP 451 - 451 response was received from Unknown.
@Reslos - If you have an issue technically - please raise a question and get the Experts to help you (include a link here too if you like). An Article isn't the place to start pulling apart your configuration and fixing your problems.
As always Alan, thanks for this. I just completed a swing migration from SBS 2003 - SBS 2011 and some users where having problems such as this. This saved me a huge headache that was delveoping since this past monday!
What if the check box ‘Include Inheritable Permissions From This Object’s Parent’ is already checked? can i uncheck it, copy the perms, and the recheck it????
Just wanted to say thanks on this! I thought it was my iPhone, strange that my wife's android phone sync up to my account with out this option checked.
Check How effective MS Exchange Expert thinks Exchange Mailbox Recovery by SysTools IS.
Visit the Official site to get detailed information:- https://www.systoolsgroup.com/exchange-recovery.html (https://www.systoolsgroup.com/exchange-recovery.h…