Activesync Works for only some users on exchange 2007/2010

When attempting to Sync a mobile device with an exchange email address using ActiveSync functionality you may find that although the email profile appears to set up correctly and connect to the exchange server emails will refuse to sync. With this specific issue the account in question will have previously been migrated from exchange 2003. 

This problem is caused by background exchange permissions not properly inheriting after the account migration. this problem can be resolved by following the instructions below.

  • Open the users profile in active directory 
  • Open the security tab
  • Open the advanced options from within the security tab
  • Ensure Include Inheritable Permissions From This Object’s Parent is ticked. 

 

After following the above instructions recreate the mail profile on the phone and emails will sync as usual. 

 

If this problem occurs on an admin user you may find that this solution works for a short period of time and then resets. This is due to  Active Directory using  the AdminSDHolder to define what permissions the default protected security groups receive. every 60 minutes a process called SDPROP will run on the domain controller that holds the PDCe role. It will check the ACL of the protected groups and reset their inherited permissions and the users within the groups with what has been defined by the AdminSDHolder object.

Unfortunately there is no simple resolution for this and microsofts official recommendation as well as best practice is two have two accounts, One for administrator purposes (non mail enabled) and another for day to day work. 

Have more questions? Submit a request

0 Comments

Please sign in to leave a comment.
Powered by Zendesk