BrianVan
asked on
Active Sync Error
Hi All.
I have Exchange 2010 and am trying to get Active Sync working in preparation for a migration from BES to an MDM. When I run the MS Remote Connectivity Analyzer everything but one thing passes.
Attempting the FolderSync command on the Exchange ActiveSync session.
The test of the FolderSync command failed.
Additional Details
Exchange ActiveSync returned an HTTP 500 response (Internal Server Error).
Diagnostics:
I then looked in the event logs on the exchange server and see this error:
Exchange ActiveSync doesn't have sufficient permissions to create the "CN=XXX,OU=SBSUsers,OU=Use
Active directory response: 00000005: SecErr: DSID-031521D0, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
".
Make sure the user has inherited permission granted to domain\Exchange Servers to allow List, Create child, Delete child of object type "msExchActiveSyncDevices" and doesn't have any deny permissions that block such operations.
So I go onto one of my DCs and verify that the test account indeed has "Include inheritable permissions from this object's parent" checked and that that domain\Exchange Server has the above mentioned permissions on the account but it still doesn't work. Any suggestions?
I have Exchange 2010 and am trying to get Active Sync working in preparation for a migration from BES to an MDM. When I run the MS Remote Connectivity Analyzer everything but one thing passes.
Attempting the FolderSync command on the Exchange ActiveSync session.
The test of the FolderSync command failed.
Additional Details
Exchange ActiveSync returned an HTTP 500 response (Internal Server Error).
Diagnostics:
I then looked in the event logs on the exchange server and see this error:
Exchange ActiveSync doesn't have sufficient permissions to create the "CN=XXX,OU=SBSUsers,OU=Use
Active directory response: 00000005: SecErr: DSID-031521D0, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
".
Make sure the user has inherited permission granted to domain\Exchange Servers to allow List, Create child, Delete child of object type "msExchActiveSyncDevices" and doesn't have any deny permissions that block such operations.
So I go onto one of my DCs and verify that the test account indeed has "Include inheritable permissions from this object's parent" checked and that that domain\Exchange Server has the above mentioned permissions on the account but it still doesn't work. Any suggestions?
ASKER
Hello Zindel1.
I did the steps you suggested and no change.
I did the steps you suggested and no change.
http://ayalaaii.wordpress.com/2012/12/20/exchange-2010-insuff_access_rights-this-error-is-not-retriable-additional-information-access-is-denied/
if the “Include Inheritable permissions from this objects parent” is cheked you uncheck it Apply setting, then go back check it and Apply agaain, ensuring that permission will get re-applied
if the “Include Inheritable permissions from this objects parent” is cheked you uncheck it Apply setting, then go back check it and Apply agaain, ensuring that permission will get re-applied
ASKER
Still not working.
is this for just one user or all users?
ASKER
I have tested it with 4 users and they have all had the same results so I would assume it is affecting all users.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Figured it out myself
Start Active Directory Users and Computers.
Click View, and then click to enable Advanced Features.
Right-click the object where you want to change the Exchange Server permissions, and then click Properties.
Note You can change permissions against a user, an organizational unit, or a domain.
On the Security tab, click Advanced.
Click Add, type Exchange Servers, and then click OK.
In the Apply to box, click Descendant msExchActiveSyncDevices objects.
Under Permissions, click to enable Modify Permissions.
Click OK three times.
http://support.microsoft.com/kb/2579075