newly installed server2012 with exchange2013 - no mobile connect for user with domain-admin rights - all other users can connect


we just installed a new Exchange 2013 on server 2012. Now we tried to connect some mobiles. For all users this worked fine. But only one user that is member of domainadmins-group cant connect. It was tested with iphone and android.
You can setup the account on the mobiles and it tells that everything is fine. But after completing all settings, the inbox says
"cant connect to server" (on iphone) and syncs without end and without error on android.

I deleted for testing the membership of damainadmins. This didn´t help.
OWA works for this user too. Only Mobiles can´t connect. Same mobiles can connect if i change the username of the account to another user.

Thanks for ideas or solutions

Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Adam FarageEnterprise ArchCommented:
Thats not it.

When a member is apart of the domain admins group, ActiveSync will not work due to permission changes on the AD user object but also because it is a restricted account. Make sure inheritable permissions are set on the AD user object, and then retest:

The main thing in the article is that "Include inheritable permissions from this object's parent" is set. without this, the Exchange Servers "special" permissions group will not be applied. By default, since the domain admins group is a restricted group this is unchecked.
Please check this from

If the user is a member of certain protected groups such as Domain Administrators, it is normal for this box to be unchecked. If you are experiencing a problem with members of these protected groups you should check the permissions on the AdminSDHolder object.

Note: We recommend that you do not use accounts that are members of protected groups for e-mail purposes. If you require the rights that are afforded to a protected group, we recommend that you have two Active Directory user accounts. These Active Directory accounts include one user account that is added to a protected group and one user account that is used for e-mail purposes and at all other times.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
loosainAuthor Commented:
i took the adminrights away from the customer, but nothing happend. how long does it take to take effect ? Or does it mean that one account had adminrights, it never gets mails on mobiles, even if this account is taken away from admingroups?
loosainAuthor Commented:
After some time - it works - don´t ask why...
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.