Newly installed Server 2012 with Exchange 2013 - no mobile connect for user with domain-admin rights - all other users can connect

Posted on 2014-08-21
Last Modified: 2014-12-04

We just installed a new Exchange 2013 on Server 2012. Now we tried to connect some mobiles. For all users this worked fine. But only one user, who is a member of the Domain Admins group, can't connect. It was tested with iPhone and Android.
You can set up the account on the mobiles and it reports that everything is fine. But after completing all settings, the inbox says
"cant connect to server" (on iPhone) and syncs without end and without error on Android.

For testing, I removed the Domain Admins membership. This didn't help.
OWA works for this user too. Only mobiles can't connect. The same mobiles can connect if I change the username of the account to another user.

Thanks for ideas or solutions

Question by:loosain

    Assisted Solution

    by:Adam Farage
    That's not it.

    When a member is a part of the Domain Admins group, ActiveSync will not work due to permission changes on the AD user object but also because it is a restricted account. Make sure inheritable permissions are set on the AD user object, and then retest:

    The main thing in the article is that "Include inheritable permissions from this object's parent" is set. Without this, the Exchange Servers "special" permissions group will not be applied. By default, since the Domain Admins group is a restricted group, this is unchecked.

    Accepted Solution

    Please check this from

    If the user is a member of certain protected groups such as Domain Administrators, it is normal for this box to be unchecked. If you are experiencing a problem with members of these protected groups you should check the permissions on the AdminSDHolder object.

    Note: We recommend that you do not use accounts that are members of protected groups for e-mail purposes. If you require the rights that are afforded to a protected group, we recommend that you have two Active Directory user accounts. These Active Directory accounts include one user account that is added to a protected group and one user account that is used for e-mail purposes and at all other times.

    Author Comment

    I took the admin rights away from the customer, but nothing happened. How long does it take to take effect? Or does it mean that if an account once had admin rights, it never gets mail on mobiles, even if this account is taken out of the admin groups?

    Author Closing Comment

    After some time - it works - don't ask why...
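
The two checks suggested in the answers above (the inheritance flag on the user object and the permissions on AdminSDHolder) can be read out with the ActiveDirectory PowerShell module. This is an added example, not part of the original thread; the function names are hypothetical, and matching the Exchange group by the name pattern `*Exchange*` is an assumption that fails if the groups were renamed.

```powershell
# Added example: requires the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

function Get-ProtectedMailboxAccount {
    # Users with a mailbox that AdminSDHolder/SDProp has stamped (adminCount=1).
    # msExchMailboxGuid is only present on accounts that have an Exchange mailbox.
    Get-ADUser -LDAPFilter '(&(adminCount=1)(msExchMailboxGuid=*))' `
               -Properties adminCount, nTSecurityDescriptor, memberOf |
        ForEach-Object {
            [pscustomobject]@{
                SamAccountName     = $_.SamAccountName
                # True = "Include inheritable permissions" is unchecked on the object
                InheritanceBlocked = $_.nTSecurityDescriptor.AreAccessRulesProtected
                # Direct memberships only; nested groups and the primary group are not listed
                DirectGroups       = ($_.memberOf |
                                        ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join '; '
                DistinguishedName  = $_.DistinguishedName
            }
        }
}

function Get-AdminSDHolderExchangeAce {
    # ACEs on the AdminSDHolder template that name an Exchange group. SDProp copies
    # this ACL onto every protected account, so it decides what those accounts end up with.
    $domainDN = (Get-ADDomain).DistinguishedName
    (Get-Acl -Path "AD:\CN=AdminSDHolder,CN=System,$domainDN").Access |
        Where-Object { $_.IdentityReference -like '*Exchange*' } |   # assumption: default group names
        Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType
}

Get-ProtectedMailboxAccount  | Format-Table -AutoSize -Wrap
Get-AdminSDHolderExchangeAce | Format-Table -AutoSize
```

An account listed with `InheritanceBlocked = True` that is no longer in any protected group is a leftover to review: `adminCount` and the inheritance flag are not reset automatically when an account leaves a protected group.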
