ActiveSync Working But Only For Some Users On Exchange 2007 / 2010

There is an issue affecting both Exchange 2007 and Exchange 2010 whereby some users can connect their mobile devices (Windows Mobile phones, iPhones, Motorola Droid, etc.) quite happily and ActiveSync pushes mail to the devices, while other users cannot connect and cannot sync anything at all.

Search the web and you will find plenty of potential solutions for this problem, but the majority of cases can be solved quite simply.

Open Active Directory Users and Computers and locate one of the users that is not working. Double-click the account and click the Security tab (if it is not visible, click View > Advanced Features in the menu at the top of the screen, then navigate back to your user). On the Security tab, click the Advanced button and make sure that ‘Include Inheritable Permissions From This Object’s Parent’ is ticked. Click OK twice to close the user account.

Once the box is ticked, you should then be able to connect up your Mobile Device to your Exchange Server and receive your mail like the rest of your users.

This particular problem seems to affect only migrated users, not users that were set up on the server after the migration.
You may also find that if you use an account that has admin privileges and tick the ‘Include Inheritable Permissions From This Object’s Parent’ check box, it works for a while and then stops working again about an hour or so later.

This happens because Active Directory uses an object called AdminSDHolder to define the permissions that the default protected security groups receive. You can change the inherited permissions, but a process called SDPROP runs, by default every 60 minutes, on the domain controller that holds the PDCe role. It checks the ACLs of the protected groups and of the users within those groups, and resets their inherited permissions to what the AdminSDHolder object defines.

Microsoft’s recommendation and best practice is that a domain administrator has two accounts: one for everyday use, which is restricted in the same way as every other user, and a second for the administration role.

The built-in groups that are affected in Windows 2008 are:
Account Operators
Administrators
Backup Operators
Domain Admins
Domain Controllers
Enterprise Admins
Print Operators
Read-only Domain Controllers
Replicator
Schema Admins
Server Operators

The built-in users that are affected in Windows 2008 are:
Administrator
Krbtgt
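
An added example, not part of the original article: a read-only PowerShell audit that finds mailbox users whose inheritance box is unticked and separates accounts stamped by AdminSDHolder (adminCount = 1) from ordinary migrated accounts. It assumes the ActiveDirectory RSAT module is installed; the search base is a placeholder.

```powershell
# Added example: read-only audit; requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# Assumption: placeholder search base, replace with your own domain or OU DN.
$SearchBase = 'DC=example,DC=local'

$report = Get-ADUser -Filter * -SearchBase $SearchBase `
        -Properties nTSecurityDescriptor, adminCount, msExchMailboxGuid |
    Where-Object {
        # Keep mailbox users whose ACL is protected from inheritance, i.e. the
        # 'Include inheritable permissions...' box is NOT ticked.
        $_.msExchMailboxGuid -and
        $_.nTSecurityDescriptor.AreAccessRulesProtected
    } |
    ForEach-Object {
        # adminCount = 1 means SDPROP has stamped the account at some point.
        # It can be stale if the user has since left the protected group.
        $stamped = ($_.adminCount -eq 1)
        $note = if ($stamped) {
            'AdminSDHolder-stamped: check group membership; SDPROP reverts the tick box for current members'
        } else {
            'Not stamped: candidate for re-enabling inheritance (typical migrated user)'
        }
        [pscustomobject]@{
            SamAccountName = $_.SamAccountName
            AdminCount     = $_.adminCount
            Note           = $note
        }
    }

$report | Sort-Object AdminCount, SamAccountName | Format-Table -AutoSize -Wrap
```

Accounts reported as stamped and still in a protected group are the ones where the tick box will keep reverting; for those, the two-account practice described above applies rather than repeated ACL changes.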
LVL 74

Expert Comment

by:Glen Knight
Excellent article alanhardisty,

I particularly like the mention of best practice when it comes to administrative user accounts.

Well done.  You have my vote.

demazter
0
LVL 8

Expert Comment

by:firojkhan
Excellent, you dug into the issue. Very nice article.
0
LVL 15

Expert Comment

by:Greg Besso
Yep, worked for me also.
0

Expert Comment

by:ImexTechnical
We have just completed a migration from SBS2003 to Exchange2010 and had problems with HTTP500 errors when testing from the testexchangeconnectivity.com site. The above sorted it for us.
Thanks
0
LVL 2

Expert Comment

by:OnlineSupport
You are a genius, you restored my reputation, excellent article
0

Expert Comment

by:tekuhne
Worked like a charm!   Thanks!
0
LVL 76

Author Comment

by:Alan Hardisty
Thanks for the plus vote : )
0

Expert Comment

by:dariuszs
Hello,

What if it's a user in AD that has the inherited permissions box checked?  What do you suggest at this point?  The user is trying to use ActiveSync on an AT&T Samsung Jack i637.  The error in the Event Viewer is 1053 in Exchange 2010.

Thanks
0

Expert Comment

by:dougclingman
one additional step to perform -

Using ADSIEDIT.MSC don't forget to change "adminCount" to either 0 (zero) or to <not set>

According to numerous articles I've found, not resetting that value may cause the inherit rights to still change on the next cycle.
0

Expert Comment

by:Lfuragganan
We had confirmed that 'Allowed inheritable permission ....' is ticked but we're still having this issue

1. This is the error log we got from the smartphone (using 3rd party Touchdown)
-----
Checking Certificate...
Checking ActiveSync with SSL...
Server is Microsoft-IIS/6.0
ActiveSync was found
ActiveSync Version :Versions:Microsoft-IIS/6.0,1.0,2.0,2.1,2.5
Trying activesync protocol 25...
ActiveSync provisioning returns HTTP:403
Error provisioning ActiveSync: Policy status is 0
Trying activesync protocol 2.5...
ActiveSync provisioning returns HTTP:400
Error provisioning ActiveSync: Policy status is 0
Connection to http://server1.mycompany.com refused:Exception performing request
ActiveSync version check returned negative, but still trying for 12.1
Checking 2007 with SSL...
Error renewing subscription: Refresh folder list and try again.
Connection to http://server1.mycompany.com refused for operation: Subscribe-> Error renewing a subscriptionChecking 2003 with SSL...
-------

2. Setting up with just the email client bundled with the smartphone, this is the error we got.

 ***** Setup could not finish ---- This server requires security features your phone does not support

This is the whole issue: http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/Q_26859832.html?cid=239#a35022987 
0

Expert Comment

by:tervis
Excellent article! Bravo for well written technical documentation. Thank you!
0
LVL 76

Author Comment

by:Alan Hardisty
Thanks - great feedback is always appreciated.

Alan
0
LVL 46

Expert Comment

by:Amit
Excellent article.
0
LVL 76

Author Comment

by:Alan Hardisty
Thank you - much appreciated (as well as the vote) ;)

Alan
0

Expert Comment

by:jvwiv
Thanks guys, I worked on this all day before finding this article, and not being all that familiar with Ex2010 I was a little perplexed.

Would I need to do this for all users with iPhones or other mobile devices? I'm just starting my testing phase so I need to factor this into the project plan.
0
LVL 76

Author Comment

by:Alan Hardisty
Hi jvwiv,

This issue usually only affects migrated users, so if you migrate the lot - you should check ALL the accounts to make sure the inherited permission is checked.

You could happily ignore users without Mobile Devices, but you might have a user you don't check now and then when they get a mobile device, you might not remember to check the setting, so it is probably best to make sure that they are all checked in the first place.

Alan
0

Expert Comment

by:infosys3
Many thanks for this article...it saved me a bunch of time.  Good job.  You get a "gold star" for today from a city boy down in S. Louisiana.  I appreciate it.  
0

Expert Comment

by:jtwhw
Thank you for posting the article - but, what if ActiveSync is off for everyone even if they are checked?  How do I restart that ActiveSync service?  Sorry, a neophyte to Exchange 2010.  The primary guy is out and this fell on me.
0
LVL 76

Author Comment

by:Alan Hardisty
This is not an appropriate place to start asking technical questions - if you need to resolve an issue - please post a question.

Alan
0

Expert Comment

by:safeharbor
Great article. Fixed it for me!
0
LVL 76

Author Comment

by:Alan Hardisty
:) - If it worked for you - please vote for the article.  All votes greatly appreciated.

Thanks

Alan
0

Expert Comment

by:chulamin2
This worked for me as well. Thanks!
0

Expert Comment

by:Reslos
It did not work for me as some users on some mailbox servers can use EAS while some on some other mailboxes could not.  The error using testexchangeconnectivity is:
An ActiveSync session is being attempted with the server.
  Errors were encountered while testing the Exchange ActiveSync session.
   Test Steps
   Attempting to send the OPTIONS command to the server.
  Testing of the OPTIONS command failed. For more information, see Additional Details.
   Additional Details
  A Web exception occurred because an HTTP 451 - 451 response was received from Unknown.
 
 
 
0
LVL 74

Expert Comment

by:Glen Knight
How many mailbox servers are there? How many CAS servers?

What version of Exchange?

Single site or multiple sites?
0
LVL 76

Author Comment

by:Alan Hardisty
@Reslos - If you have an issue technically - please raise a question and get the Experts to help you (include a link here too if you like).  An Article isn't the place to start pulling apart your configuration and fixing your problems.

Thanks

Alan
0

Expert Comment

by:Microsmiths
@alanhardisty - thanks for this, you made my weekend get a lot better
0
LVL 76

Author Comment

by:Alan Hardisty
:) - Glad it was helpful and don't forget to vote for it too (please).
0
LVL 9

Expert Comment

by:meko72
As always Alan, thanks for this. I just completed a swing migration from SBS 2003 - SBS 2011 and some users were having problems such as this. This saved me a huge headache that was developing since this past Monday!

 Dusty
0

Expert Comment

by:ExuHop
That's the goal. I had the problem on one user account

And just this user I used to test ActiveSync...;-)

Thanks for your help.

Walter
0
LVL 1

Expert Comment

by:rajkiggal
Excellent article, issues were fixed.
0

Expert Comment

by:jtsokanis
works for me.
0

Expert Comment

by:TTAF4
What if the check box ‘Include Inheritable Permissions From This Object’s Parent’ is already checked? Can I uncheck it, copy the perms, and then recheck it?
0
LVL 76

Author Comment

by:Alan Hardisty
Yes - just uncheck the box, copy the perms, re-check the box, apply the perms and then hit the default button.

Alan
0

Expert Comment

by:TTAF4
Hi Alan

Unchecked, copied and rechecked. I still cannot sync this mailbox with a phone. Any other ideas?
0
LVL 76

Author Comment

by:Alan Hardisty
Is it just the one phone that won't work?

Have you tried other accounts on the same phone and the same account on another phone?

What phone is it?

What does https://testexchangeconnectivity.com show as the results (Activesync Test) for the account?

If you need to troubleshoot the problem, please open up a question and post a link here (in case I miss it).

Thanks

Alan
0

Expert Comment

by:TTAF4


Hi Alan, please see my question in the link above
0

Expert Comment

by:edsexpert
The user being used is a regular user with no elevated permissions
0

Expert Comment

by:SupportechMD
Thanks!  One user didn't have the permissions propagating correctly after a migration to SBS 2011 from SBS 2003.
0
LVL 76

Author Comment

by:Alan Hardisty
You were lucky it was just the one user!!

Alan
0
LVL 1

Expert Comment

by:Comeon
Just wanted to say thanks on this! I thought it was my iPhone, strange that my wife's Android phone syncs up to my account without this option checked.

Thanks!
0
LVL 9

Expert Comment

by:Senior IT System Engineer
This is an awesomely cool article!
0

Expert Comment

by:Rodrbg
Doesn't work
0
