Bulk Exchange Mailbox move - question on mobile devices and Active Directory

Did a mailbox move for a mailbox from Exchange 2007 to Exchange 2010.
Mobile device did not sync properly after making a connection to the ActiveSync url, but OWA in browser could connect fine.

The fix was, I think:  Checking the "Include inheritable permissions from this object's parent" for the AD account's properties belonging to the mailbox, under Security tab > Advanced in Active Directory on the user object (with advanced settings view enabled).

Why is this checked necessary? Does it interfere with AD?
Surely MS doesn't expect to check this after a 1000+ user migration, right?
Is there a better way to handle this?
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Will SzymkowskiSenior Solution ArchitectCommented:
This is not something that should happen everytime. This would only be the case if the mailbox is experiencing issues. Making sure that "Include inheritable permissions from this object's parent" is checked corrects the issue.

Marwan OsmanCommented:
the checked is necessary to assign permissions to the objects like the exchange permissions to be able to use activesync and note that after migrating, ""Include inheritable permissions from this object's parent"" must be stay checked unless from few users like the users who has membership to the domain admin group or administrators.....

if you want to check this box for bulk of users, use the script in the below link:


Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
garryshapeAuthor Commented:
Thanks guys and awesome on the script, haven't tried yet but I'll try to report back if it works.

Thanks again as always
10 Tips to Protect Your Business from Ransomware

Did you know that ransomware is the most widespread, destructive malware in the world today? It accounts for 39% of all security breaches, with ransomware gangsters projected to make $11.5B in profits from online extortion by 2019.

Marwan OsmanCommented:
you are welcome
garryshapeAuthor Commented:
Also is that script for AD objects? or folders?
Marwan OsmanCommented:
sorry, you are right, please check the script in the below link, it is for enable it for for all users in AD:


1) Open a PowerShell prompt (Run as administrator) on a Domain Controller. Then perform the following PowerShell commands:
Import-Module ActiveDirectory
$users = Get-ADUser -ldapfilter “(objectclass=user)” -searchbase “ou=companyusers,dc=enterpriseit,dc=co”
ForEach($user in $users)
    # Binding the users to DS
    $ou = [ADSI](“LDAP://” + $user)
    $sec = $ou.psbase.objectSecurity
    if ($sec.get_AreAccessRulesProtected())
        $isProtected = $false ## allows inheritance
        $preserveInheritance = $true ## preserver inhreited rules
        $sec.SetAccessRuleProtection($isProtected, $preserveInheritance)
        Write-Host “$user is now inherting permissions”;
        Write-Host “$User Inheritable Permission already set”
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.