
Activesync Working But Only For Some Users On Exchange 2007 / 2010

Alan Hardisty, Co-Owner
There are some issues with ActiveSync for both Exchange 2007 and Exchange 2010 users whereby some users can connect their Mobile Devices (Windows Mobile Phones / iPhones / Motorola Droid etc) quite happily and ActiveSync pushes mail to the devices, but other users cannot connect and cannot sync anything at all.

There appear to be plenty of potential solutions for this problem if you search the web, but the majority of these cases can be solved quite simply.

Open Active Directory Users and Computers and locate one of the users that is not working. Double-click the account and click the Security tab (if this is not visible, click View > Advanced Features in the menu at the top of the screen, then navigate back to your user). On the Security tab, click the Advanced button and make sure that ‘Include Inheritable Permissions From This Object’s Parent’ is ticked. Click OK twice to close the user account.

Once the box is ticked, you should then be able to connect up your Mobile Device to your Exchange Server and receive your mail like the rest of your users.

This particular problem seems to affect only migrated users, not users that were set up on the server after the migration.
You may also find that if you use an account that has Admin privileges and you tick the ‘Include Inheritable Permissions From This Object’s Parent’ check box, it works for a while and then stops working again about an hour or so later.

The reason this happens is that Active Directory uses an object called AdminSDHolder to define the permissions that the default protected security groups receive. Whilst you can change the inherited permissions, a process called SDPROP runs, by default every 60 minutes, on the domain controller that holds the PDC Emulator (PDCe) role. It checks the ACL of the protected groups and resets the inherited permissions of those groups, and of the users within them, to what has been defined on the AdminSDHolder object.

Microsoft’s recommendation and best practice is that, if you are a domain administrator, you have 2 accounts: one for your everyday use, restricted in the same way as every other user, and a second for your administration role.

The built-in groups that are affected with Windows 2008 are:
Account Operators
Backup Operators
Domain Admins
Domain Controllers
Enterprise Admins
Print Operators
Read-only Domain Controllers
Schema Admins
Server Operators
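As an added example (not part of the original article), the PowerShell below finds accounts carrying the adminCount=1 stamp that SDPROP leaves behind, reports whether their ACL inheritance is blocked (the cause of the ActiveSync failure described above), and says whether re-enabling inheritance will persist or be reverted within the hour. It assumes the RSAT ActiveDirectory module and the AD: PSDrive it provides, run from a domain-joined host with rights to read and modify the user objects; the $protectedGroups list is taken from the article and only direct group membership is checked.

```powershell
# Added example: assumes the RSAT ActiveDirectory module (Get-ADUser, AD: drive).
Import-Module ActiveDirectory

# Windows 2008 protected groups, as listed in the article.
$protectedGroups = @('Account Operators','Backup Operators','Domain Admins',
    'Domain Controllers','Enterprise Admins','Print Operators',
    'Read-only Domain Controllers','Schema Admins','Server Operators')

function Get-InheritanceBlockedUsers {
    # adminCount=1 is the stamp SDPROP leaves on accounts it has protected.
    Get-ADUser -LDAPFilter '(adminCount=1)' -Properties adminCount, nTSecurityDescriptor |
      ForEach-Object {
        # Direct membership only; nested membership is not resolved here.
        $groups = Get-ADPrincipalGroupMembership $_ | Select-Object -ExpandProperty Name
        $inProtected = @($groups | Where-Object { $protectedGroups -contains $_ })
        [PSCustomObject]@{
            User               = $_.SamAccountName
            InheritanceBlocked = $_.nTSecurityDescriptor.AreAccessRulesProtected
            ProtectedGroups    = ($inProtected -join ', ')
            # Ticking the checkbox only sticks when the account is no longer in
            # a protected group; otherwise SDPROP reverts it about every 60 minutes.
            FixWillPersist     = ($inProtected.Count -eq 0)
        }
      }
}

function Repair-OrphanedAdminCount {
    # For an account that is NOT in any protected group (typical for a migrated
    # user): re-enable inheritance, equivalent to ticking the ADUC checkbox,
    # and clear the leftover adminCount so the object looks unprotected again.
    param([Parameter(Mandatory)][string]$SamAccountName)
    $u   = Get-ADUser $SamAccountName
    $acl = Get-Acl -Path "AD:\$($u.DistinguishedName)"
    $acl.SetAccessRuleProtection($false, $true)   # inherit from parent, keep existing ACEs
    Set-Acl -Path "AD:\$($u.DistinguishedName)" -AclObject $acl
    Set-ADUser -Identity $u -Clear adminCount
}

# Report first; run Repair-OrphanedAdminCount only for rows where FixWillPersist is True.
Get-InheritanceBlockedUsers | Format-Table -AutoSize
```

For accounts where FixWillPersist is False, the account is still a member of a protected group, so the durable fix is the article's two-account recommendation rather than repeatedly re-ticking the checkbox.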

The built-in users that are affected with Windows 2008 are:

Comments (43)

Thanks!  One user didn't have the permissions propagating correctly after a migration to SBS 2011 from SBS 2003.
Alan Hardisty, Co-Owner
Top Expert 2011


You were lucky it was just the one user!!


Just wanted to say thanks on this! I thought it was my iPhone; strange that my wife's Android phone syncs up to my account without this option checked.

Albert Widjaja, IT Professional

This is an awesomely cool article!

Doesn't work

