  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 892

Exchange 2003 SP2 - Mobile Services - Required Rights?

What rights are required to manage Exchange 2003 SP2 Mobile Services -  Device Security - Exception list?

I have some helpdesk staff who are going through the process of updating smart phones to the Mobile Security Pack.  I need the helpdesk staff to have the ability to remove users from the "Exception List."  I've tested giving them security rights to the Mobile Services page with no luck.  I've also tried giving them delegated Exchange Administrator rights with no luck.  It just errors out and gives the person the following message:

Facility: LDAP Provider
ID no: 80070005
Exchange System Manager

I'm guessing that there are some AD rights that might be needed but I'm not entirely sure.

Funny thing is I've tried calling Microsoft who flat out refuses to help me with anything regarding Active Sync or Mobile services.  Go figure, you'd think it wasn't their product.
2 Solutions
The 80070005 does appear to indicate an AD permissions problem, although it's hard to say what was being accessed at the time.  Try installing ADSI Edit, and look at the properties of the  Configuration\Services\Microsoft Exchange branch.  From the Security tab, you will be able to work out if your staff should be able to access it.

A quick test would be to temporarily make someone you can trust a Domain Admin.
They wouldn't have to be a Domain Admin. But they should have access to modify settings in Active Directory. You could try placing them in the Account Operators or the Administrators group.
CrazyStandAuthor Commented:
Thanks for the response.  The two fields that are updated are msExchOMAAdminExtendedSettings and msExchOMAAdminWirelessEnable.  Apparently when you bring up the exception list, an LDAP query is performed which looks for msExchOMAAdminExtendedSettings value of PolicyDataExemption:True.  Whether the user is actually exempt or not comes from the msExchOMAAdminWirelessEnable field having a certain value.

Anyway, making the helpdesk person a part of the Account Operators seems to have worked.  It took me a good deal of hunting and comparing users in ADSI Edit to find those two fields.

Once I found out the two fields that seemed to be different I was able to find this article that does a much better job of explaining it all:

Thank you both for pointing me in the right directions.
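
Editor's added example, not part of the original thread: Account Operators can modify most user and group objects in the domain, so a narrower alternative is to delegate write access on only the two attributes named above. The OU path and group name below are placeholders, and whether these two rights alone are enough for Exchange System Manager's exception list is an assumption to confirm in a test environment.

```powershell
# Added example: least-privilege delegation with dsacls (Windows Support Tools).
# Placeholders (assumptions, not from the thread): the OU and the helpdesk group.
$TargetOU = 'OU=MobileUsers,DC=example,DC=com'
$Group    = 'EXAMPLE\Helpdesk-Mobile'

# The two user attributes the thread identified as changed by the exception list.
$Attributes = @(
    'msExchOMAAdminExtendedSettings',
    'msExchOMAAdminWirelessEnable'
)

foreach ($attr in $Attributes) {
    # /I:S  apply the ACE to child objects only, not the OU itself
    # /G    grant; RP = read property, WP = write property
    # Trailing ';user' limits the inherited ACE to user objects.
    & dsacls $TargetOU /I:S /G "${Group}:RPWP;${attr};user"
    if ($LASTEXITCODE -ne 0) {
        throw "dsacls failed while delegating $attr (exit code $LASTEXITCODE)"
    }
}

# Review the resulting ACEs for the group before handing this to the helpdesk.
& dsacls $TargetOU | Select-String -SimpleMatch $Group

# Note: accounts protected by AdminSDHolder (members of Domain Admins and
# similar groups) do not inherit ACEs from the OU, so this delegation does
# not reach them.
```

If the delegated group still receives error 80070005, compare the Security tab of an affected user object in ADSI Edit against the ACEs listed by the final command before widening the grant.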
