Activesync Working But Only For Some Users On Exchange 2007 / 2010
Published on
134,613 Points
There are some issues with ActiveSync for both Exchange 2007 and Exchange 2010 users whereby some users can connect their Mobile Devices (Windows Mobile Phones / iPhones / Motorola Droid etc) quite happily and ActiveSync pushes mail to the devices, but other users cannot connect and cannot sync anything at all.
There appear to be plenty of potential solutions for this problem around if you search the web, but the solution to the majority of these problems can be solved quite simply.
If you open up Active Directory Users and Computers and locate one of your users that is not working, Double-Click into the account and click on the Security Tab (if this is not visible, Click on View> Advanced Features from the Menu at the top of the screen then navigate back to your user). Once on the security tab, click on the Advanced Button and make sure that the ‘Include Inheritable Permissions From This Object’s Parent’ is ticked. Click OK twice to close the user account.
Once the box is ticked, you should then be able to connect up your Mobile Device to your Exchange Server and receive your mail like the rest of your users.
This particular problem seems to only affect migrated users and not users that were setup on the server post migration.
You may also find that if you use an account that has Admin privileges, and you Check the ‘Include Inheritable Permissions From This Object’s Parent’ check box, that it works for a while, and then stops working again about an hour or so later.
The reason this happens is because Active Directory uses something called the AdminSDHolder to define what permissions the default protected security groups receive. Whilst you can change the inherited permissions, a process called SDPROP will run, by default every 60 minutes on the domain controller that holds the PDCe role. It will check the ACL of the protected groups and reset their inherited permissions and the users within the groups, with what has been defined by the AdminSDHolder object.
Microsoft’s recommendation and best practice is that if you are a domain administrator that you have 2 accounts. One for your everyday user which is restricted in the same way that every other user is and a second for your administration role.
The built in groups that are affected with Windows 2008 are:
Account Operators
Administrators
Backup Operators
Domain Admins
Domain Controllers
Enterprise Admins
Print Operators
Read-only Domain Controllers
Replicator
Schema Admins
Server Operators
The built in users that are affected with Windows 2008 are:
Administrator
Krbtgt
There appear to be plenty of potential solutions for this problem around if you search the web, but the solution to the majority of these problems can be solved quite simply.
If you open up Active Directory Users and Computers and locate one of your users that is not working, Double-Click into the account and click on the Security Tab (if this is not visible, Click on View> Advanced Features from the Menu at the top of the screen then navigate back to your user). Once on the security tab, click on the Advanced Button and make sure that the ‘Include Inheritable Permissions From This Object’s Parent’ is ticked. Click OK twice to close the user account.
Once the box is ticked, you should then be able to connect up your Mobile Device to your Exchange Server and receive your mail like the rest of your users.
This particular problem seems to only affect migrated users and not users that were setup on the server post migration.
You may also find that if you use an account that has Admin privileges, and you Check the ‘Include Inheritable Permissions From This Object’s Parent’ check box, that it works for a while, and then stops working again about an hour or so later.
The reason this happens is because Active Directory uses something called the AdminSDHolder to define what permissions the default protected security groups receive. Whilst you can change the inherited permissions, a process called SDPROP will run, by default every 60 minutes on the domain controller that holds the PDCe role. It will check the ACL of the protected groups and reset their inherited permissions and the users within the groups, with what has been defined by the AdminSDHolder object.
Microsoft’s recommendation and best practice is that if you are a domain administrator that you have 2 accounts. One for your everyday user which is restricted in the same way that every other user is and a second for your administration role.
The built in groups that are affected with Windows 2008 are:
Account Operators
Administrators
Backup Operators
Domain Admins
Domain Controllers
Enterprise Admins
Print Operators
Read-only Domain Controllers
Replicator
Schema Admins
Server Operators
The built in users that are affected with Windows 2008 are:
Administrator
Krbtgt
Ask questions about what you read
If you have a question about something within an article, you can receive help directly from the article author. Experts Exchange article authors are available to answer questions and further the discussion.