Exchange 2003 SP2 - Mobile Services - Required Rights?

Posted on 2007-10-01
Last Modified: 2008-01-09
What rights are required to manage Exchange 2003 SP2 Mobile Services -  Device Security - Exception list?

I have some helpdesk staff who are going through the process of updating smart phones to the Mobile Security Pack.  I need the helpdesk staff to have the ability to remove users from the "Exception List."  I've tested giving them security rights to the Mobile Services page with no luck.  I've also tried giving them delegated Exchange Administrator rights with no luck.  It just errors out and gives the person the following message:

Facility: LDAP Provider
ID no: 80070005
Exchange System Manager

I'm guessing that there are some AD rights that might be needed but I'm not entirely sure.

Funny thing is I've tried calling Microsoft who flat out refuses to help me with anything regarding Active Sync or Mobile services.  Go figure, you'd think it wasn't their product.
Question by:CrazyStand

    Accepted Solution

    The 80070005 does appear to indicate an AD permissions problem, although it's hard to say what was being accessed at the time.  Try installing ADSI Edit, and look at the properties of the  Configuration\Services\Microsoft Exchange branch.  From the Security tab, you will be able to work out if your staff should be able to access it.

    A quick test would be to temporarily make someone you can trust a Domain Admin.

    Assisted Solution

    They wouldn't have to be a Domain Admin. But they should have access to modify settings in Active Directory. You could try placing them in the Account Operators or the Administrators group.

    Author Comment

    Thanks for the response.  The two fields that are updated are msExchOMAAdminExtendedSettings and msExchOMAAdminWirelessEnable.  Apparently when you bring up the exception list, an LDAP query is performed which looks for msExchOMAAdminExtendedSettings value of PolicyDataExemption:True.  Whether the user is actually exempt or not comes from the msExchOMAAdminWirelessEnable field having a certain value.

    Anyway, making the helpdesk person a part of the Account Operators seems to have worked.  It took me a good deal of hunting and comparing users in ADSI Edit to find those two fields.

    Once I found out the two fields that seemed to be different I was able to find this article that does a much better job of explaining it all:

    Thank you both for pointing me in the right directions.
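
Added example, not part of the original thread: Account Operators can modify most user and group objects in the domain, so a narrower option is to delegate read/write on only the two attributes named above to a helpdesk group, scoped to one OU. The OU, the group name and the exact LDAP filter are constructed placeholders, and the thread does not confirm that these two attribute rights alone are enough for Exchange System Manager, so test it with one helpdesk account first (assumes PowerShell 2.0 or later and dsacls.exe from the Windows Support Tools).

```powershell
# Added example: scoped attribute delegation instead of Account Operators.
# Constructed placeholders (not from the thread): OU DN and group name.
$TargetOU      = 'OU=Mobile Users,DC=example,DC=com'
$HelpdeskGroup = 'EXAMPLE\Helpdesk-Mobile'

# The two attributes the thread's author saw being updated.
$Attributes = 'msExchOMAAdminExtendedSettings', 'msExchOMAAdminWirelessEnable'

foreach ($attr in $Attributes) {
    # /I:S  -> ACE is inherited by child objects only, not the OU itself
    # RPWP  -> read property + write property, limited to this one attribute
    # ;user -> ACE applies to user objects only
    & dsacls.exe $TargetOU /I:S /G "${HelpdeskGroup}:RPWP;$attr;user" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "dsacls failed for attribute $attr" }
}

# Review step: print the ACEs on the OU that mention the helpdesk group.
& dsacls.exe $TargetOU | Select-String -SimpleMatch $HelpdeskGroup

# List users currently carrying the exemption marker the author described.
# Assumption: an equality match on the attribute value is what is needed.
$filter = '(&(objectCategory=person)(objectClass=user)' +
          '(msExchOMAAdminExtendedSettings=PolicyDataExemption:True))'
$searcher = [adsisearcher]$filter
$searcher.SearchRoot = [adsi]"LDAP://$TargetOU"
$searcher.PageSize   = 500   # page results so large OUs are not truncated
$searcher.PropertiesToLoad.AddRange(
    [string[]]('sAMAccountName', 'msExchOMAAdminWirelessEnable'))

$results = $searcher.FindAll()
try {
    foreach ($r in $results) {
        # Property names come back lower-cased in the result collection.
        New-Object PSObject -Property @{
            User           = [string]$r.Properties['samaccountname'][0]
            WirelessEnable = ($r.Properties['msexchomaadminwirelessenable'] -join ',')
        }
    }
}
finally {
    $results.Dispose()   # release the underlying directory search handle
}
```

Running the final query as a helpdesk account, before and after the grant, shows whether the delegation took effect without adding anyone to a built-in privileged group.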
