I am looking for a way to grant Help Desk technicians access to only ActiveSync within the Exchange 2013 EAC. Basically management wants the Help Desk to be able to issue a Remote Wipe to devices after an employee is terminated, but not be able to manage mailboxes or anything else in Exchange.
I started by creating a copy of "View-Only Organization Management" in the Admin Roles. This at least allows them to log into EAC and view mailboxes but the "Mobile Devices" section is completely missing.
I then went into ADUC and into the Advanced Security Settings of the new Security Group and made the following changes which are probably completely wrong.
Highlighted Authenticated Users and clicked on Edit.
Selected - Applies to: Descendant msExchActiveSyncDevices objects
Added the following permissions.
Create msExchActiveSyncDevice objects
Delete msExchActiveSyncDevice objects
This doesn't do anything and I am unfortunately just guessing, but I suspect there must be some specific permissions that need to be selected in order for this to work. I know Active Directory is very granular, but I am not overly familiar with all the security settings.
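The least-privilege route for a case like this is Exchange's own RBAC layer rather than AD ACLs on msExchActiveSyncDevice objects, because the EAC and the Management Shell both decide what a user may do from management role entries, not from directory permissions. The following Exchange Management Shell session is an added example, not code from the original post; it assumes Exchange 2013, an account holding Organization Management to run it, and that the built-in "Mail Recipients" role carries the mobile-device cmdlets in this installation (the verification step checks that). The role name "Helpdesk-ActiveSync-Wipe", the role group name, the member group "HelpDeskTechs" and the sample mailbox are placeholders.

```powershell
# Added example (not from the original post). Assumes Exchange 2013 Management Shell run by an
# Organization Management member. Role, group and mailbox names below are placeholders.

# 0. Confirm the parent role actually contains the cmdlets we intend to keep.
Get-ManagementRoleEntry "Mail Recipients\*MobileDevice*" | Format-Table Name -AutoSize

# 1. Derive a custom role from "Mail Recipients". A child role can only ever hold a subset
#    of its parent's entries, so the help desk can never gain more than this parent grants.
New-ManagementRole -Name "Helpdesk-ActiveSync-Wipe" -Parent "Mail Recipients"

# 2. Strip every entry except the ones needed to find a user's devices and wipe them.
#    Get-Mailbox/Get-User remain so a technician can resolve a terminated user's mailbox.
$keep = @('Get-MobileDevice', 'Get-MobileDeviceStatistics',
          'Clear-MobileDevice', 'Remove-MobileDevice',
          'Get-Mailbox', 'Get-User')
Get-ManagementRoleEntry "Helpdesk-ActiveSync-Wipe\*" |
    Where-Object { $keep -notcontains $_.Name } |
    ForEach-Object {
        Remove-ManagementRoleEntry -Identity "Helpdesk-ActiveSync-Wipe\$($_.Name)" -Confirm:$false
    }

# 3. Review what survived before anyone is assigned to it.
Get-ManagementRoleEntry "Helpdesk-ActiveSync-Wipe\*" | Format-Table Name, Parameters -AutoSize

# 4. Bind the trimmed role to a new role group and add the help desk security group.
New-RoleGroup -Name "Helpdesk ActiveSync Wipe" `
              -Roles "Helpdesk-ActiveSync-Wipe" `
              -Members "HelpDeskTechs"

# 5. A technician in that group can then list and wipe a terminated user's devices,
#    but cannot run New-Mailbox, Set-Mailbox, Set-CASMailbox or any other removed entry.
Get-MobileDeviceStatistics -Mailbox "terminated.user" |
    Format-Table DeviceType, DeviceId, LastSuccessSync, DeviceWipeRequestTime -AutoSize

Get-MobileDevice -Mailbox "terminated.user" |
    Clear-MobileDevice -NotificationEmailAddresses "helpdesk@example.com" -Confirm:$false
```

Two things worth checking in a lab before rolling this out: the `Get-ManagementRoleEntry` output in step 3 is the authoritative list of what the group can do, so read it rather than trusting the `$keep` array; and Remote Wipe is logged in the admin audit log (`Search-AdminAuditLog -Cmdlets Clear-MobileDevice`), which gives management a record of who wiped which device and when.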