Garry Shape
asked on
Bulk Exchange Mailbox move - question on mobile devices and Active Directory
Did a mailbox move for a mailbox from Exchange 2007 to Exchange 2010.
Mobile device did not sync properly after making a connection to the ActiveSync url, but OWA in browser could connect fine.
The fix was, I think: Checking the "Include inheritable permissions from this object's parent" for the AD account's properties belonging to the mailbox, under Security tab > Advanced in Active Directory on the user object (with advanced settings view enabled).
Why is this check necessary? Does it interfere with AD?
Surely MS doesn't expect to check this after a 1000+ user migration, right?
Is there a better way to handle this?
you are welcome
ASKER
Also is that script for AD objects? or folders?
Sorry, you are right. Please check the script in the link below; it is for enabling it for all users in AD:
http://enterpriseit.co/microsoft-active-directory/enable-inheritance-ad-user-accounts/
1) Open a PowerShell prompt (Run as administrator) on a Domain Controller. Then perform the following PowerShell commands:
Import-Module ActiveDirectory
# Collect every user object under the target OU
$users = Get-ADUser -LDAPFilter "(objectclass=user)" -SearchBase "ou=companyusers,dc=enterpriseit,dc=co"
ForEach ($user in $users)
{
    # Binding the users to DS
    $ou = [ADSI]("LDAP://" + $user.DistinguishedName)
    $sec = $ou.psbase.ObjectSecurity
    # True when "Include inheritable permissions" is unchecked on the object
    if ($sec.get_AreAccessRulesProtected())
    {
        $isProtected = $false ## allows inheritance
        $preserveInheritance = $true ## preserve inherited rules
        $sec.SetAccessRuleProtection($isProtected, $preserveInheritance)
        $ou.psbase.CommitChanges()
        Write-Host "$user is now inheriting permissions";
    }
    else
    {
        Write-Host "$user Inheritable Permission already set"
    }
}
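A read-only audit to run before the bulk change above, added here as an example and not part of the original answer or the linked script: it lists users whose inheritance is disabled and marks those with adminCount = 1, which are accounts stamped by AdminSDHolder/SDProp and have inheritance turned off deliberately. The search base is reused from the script above and the CSV file name is an assumption.

```powershell
# Added example: audit only, makes no changes to the directory.
Import-Module ActiveDirectory

# Assumption: same OU as the script above; replace with your own search base.
$searchBase = 'ou=companyusers,dc=enterpriseit,dc=co'

$report = Get-ADUser -LDAPFilter '(objectClass=user)' -SearchBase $searchBase `
              -Properties adminCount, nTSecurityDescriptor |
    # Keep only objects where "Include inheritable permissions" is unchecked.
    Where-Object { $_.nTSecurityDescriptor.AreAccessRulesProtected } |
    ForEach-Object {
        [pscustomobject]@{
            SamAccountName    = $_.SamAccountName
            DistinguishedName = $_.DistinguishedName
            AdminCount        = $_.adminCount
            # adminCount = 1: ACL is managed by AdminSDHolder/SDProp.
            ProtectedAccount  = ($_.adminCount -eq 1)
        }
    }

# Review the list on screen, protected accounts last.
$report | Sort-Object ProtectedAccount, SamAccountName | Format-Table -AutoSize

# Keep a record of what was found before anything is modified.
# The output file name is a constructed placeholder.
$report | Export-Csv -Path .\inheritance-disabled-users.csv -NoTypeInformation
```

For accounts that are still members of a protected group, SDProp disables inheritance again on its next run, so review rows with ProtectedAccount set to True individually instead of including them in the bulk change.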
ASKER
Thanks again as always