Exchange ActiveSync doesn't have sufficient permissions to create the.....

    Question

  • Pasted the error on the bottom. 

    EVERY thread and post I find in multiple forums tells you to do the inheritable permissions in Active Directory. This has ALREADY been done, there is more to it than that. 

    The user has 3 different devices. An iPad and another, not sure what it is. Those 2 connect just fine. His iPhone on the other hand does not connect. Says "Connection Failed". I get the error pasted on the bottom of this post in the Event Viewer of my Exchange Server.

    By adding "Full Access" to "exchange servers" in active directory I was able to temporarily fix the issue. However after I removed "Full Access" the errors started showing up in Event Viewer again. The phone did receive emails after the errors but I have a feeling it's going to stop working.

    As previously mentioned he ALREADY has the inheritable permissions that the error message is asking for. I double triple quadruple quintuple checked. 


    Here is the error message I get in the Event Viewer of my Exchange Server: 
    ---------------------------------------------------------------------------

    Exchange ActiveSync doesn't have sufficient permissions to create the "********** ********* ******* ********* *****" container under Active Directory user "Active Directory operation failed on **********. This error is not retriable. Additional information: Access is denied.
    Active directory response: 00000005: SecErr: DSID-031521D0, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
    ".
    Make sure the user has inherited permission granted to domain\Exchange Servers to allow List, Create child, Delete child of object type "msExchActiveSyncDevices" and doesn't have any deny permissions that block such operations.

    Details:%3

    Tuesday, May 28, 2013 3:32 PM

Answers

  • I think it may be some sort of bot. 

    It is actually 3 different users that are having this problem. One is a network admin. Two are directors but I don't believe they have admin rights. The inheritance definitely got cleared from the admin account. But even when I re-add the "List Contents" "Create/Delete all child objects" and "Create/Delete msExchActiveSyncDevice object" to the permissions it does not fix the problem.

    What has consistently fixed the problem is adding "Full Access" to "Exchange Servers" temporarily (for about 15 mins). Then getting on the phone and resynching. Then removing "Full Access". After that it appears to be fixed. The problem is I still get errors in Event Viewer even though functionally it's fine.

    Unfortunately creating a separate user is not an option due to the way our organization is set up. 
    Thursday, May 30, 2013 1:23 PM
  • Then you're going to have to muck with permissions in a non-supported way.

    Seriously, you should have separate administrative and non-administrative accounts.  It would be a shame if one of your administrators opened an e-mail message while logged on as an administrator and had it replicate everywhere based on the user's elevated rights.

    It's just poor practice even if Exchange didn't have problems with it.


    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."

    Thursday, May 30, 2013 3:59 PM

All replies

  • I don't understand why this post was marked as abusive.  Perhaps a moderator can clear that.

    The reason you must allow inheritable permissions is so that the parent permissions apply to an object.  However, if the parent permissions are misconfigured, allowing inherited permissions won't fix anything.

    The next step I would try would be to re-run setup.com /PrepareAD and setup.com /PrepareAllDomains from the media for the latest Exchange 2010 service pack you've applied to your organization.


    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."

    Tuesday, May 28, 2013 4:55 PM
  • Strange that someone marked it as abusive. 

    I don't think that the parent permissions are misconfigured because just about everyone else who uses activesync doesn't have issues. 

    I was wondering what exactly does setup /PrepareAD do. I was going to run it but I was worried it could change some permissions and that would cause even more problems. For instance we had to make some temporary adjustments to get it to sync to administrators phones. 

    Thank you for your reply btw. 

    Tuesday, May 28, 2013 5:37 PM
  • I had a question about PrepareAD.

    I have about 70 different users, a lot of which have ActiveSync and it works fine for them. I was afraid that if I ran that some of the settings could get erased. I was going to run it but I got worried about that. 

    Tuesday, May 28, 2013 5:55 PM
  • The forums or someone reading them hates you because all your posts are being marked as abusive.

    If it's just one user, then running PrepareAD shouldn't be necessary.  There's documentation on exactly what it does; you're welcome to find it.

    Is that user a member of any privileged group, such as Domain Admins or Organization Management?  Exchange clears the inheritance and sets a flag for members of such groups and it can screw up ActiveSync and Web Services.  If that's the case, I recommend that you follow security best practice and create separate administrative and non-privileged regular use accounts for such users.


    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."


    Wednesday, May 29, 2013 12:04 AM
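The reply above and the event text name three concrete things to verify on the user object: whether the account is one of the protected (AdminSDHolder) accounts, whether inheritance is blocked on it, and whether domain\Exchange Servers actually holds List, Create child and Delete child for the msExchActiveSyncDevices class. The following PowerShell is an added example written for this page; it is not code from the thread, from Microsoft or from Exchange setup. It assumes the ActiveDirectory (RSAT) module is installed, the session can read the user object and the schema, and that "Exchange Servers" is the group's sAMAccountName; the function name and the sample user `jdoe` are assumptions.

```powershell
# Added example (not from the thread): audit one user object for the conditions
# behind "Exchange ActiveSync doesn't have sufficient permissions to create the
# ... container". Assumes RSAT ActiveDirectory module; function name is ours.
Import-Module ActiveDirectory

function Test-EasDeviceContainerAcl {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        # Group named in the event text; created by Exchange setup as a universal security group.
        [string] $ExchangeServersGroup = 'Exchange Servers'
    )

    # adminCount = 1 marks an account that SDProp re-stamps from AdminSDHolder.
    $user     = Get-ADUser -Identity $SamAccountName -Properties adminCount
    $groupSid = (Get-ADGroup -Identity $ExchangeServersGroup).SID

    # Resolve the schema GUID of the msExchActiveSyncDevices class so that
    # object-type-specific ACEs ("Create/Delete msExchActiveSyncDevices objects") match.
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $easClass = Get-ADObject -SearchBase $schemaNC -Properties schemaIDGUID `
                    -LDAPFilter '(lDAPDisplayName=msExchActiveSyncDevices)'
    $easGuid  = [guid]$easClass.schemaIDGUID

    # Security descriptor of the user object, read through the AD: PSDrive.
    $acl = Get-Acl -Path ("AD:\" + $user.DistinguishedName)

    # Keep only ACEs whose trustee is the Exchange Servers group (compared by SID).
    $groupAces = @($acl.Access | Where-Object {
        try { $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $groupSid }
        catch { $false }
    })

    # An allow ACE is relevant if it applies to all child object types (empty GUID)
    # or specifically to the msExchActiveSyncDevices class.
    $allow = @($groupAces | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.ObjectType -eq [guid]::Empty -or $_.ObjectType -eq $easGuid)
    })
    # Any deny ACE for the group is worth reporting; the event text warns about these.
    $deny = @($groupAces | Where-Object { $_.AccessControlType -eq 'Deny' })

    # True if at least one relevant allow ACE carries the named right
    # (GenericAll, i.e. "Full Access", includes all three bits).
    function HasRight([string] $Name) {
        $flag = [System.DirectoryServices.ActiveDirectoryRights]$Name
        [bool]($allow | Where-Object { $_.ActiveDirectoryRights.HasFlag($flag) })
    }

    [pscustomobject]@{
        User                     = $user.DistinguishedName
        ProtectedByAdminSDHolder = ($user.adminCount -eq 1)
        InheritanceBlocked       = $acl.AreAccessRulesProtected
        AllowListChildren        = (HasRight 'ListChildren')
        AllowCreateChild         = (HasRight 'CreateChild')
        AllowDeleteChild         = (HasRight 'DeleteChild')
        DenyEntriesForGroup      = $deny.Count
    }
}

# Usage (sample account name is an assumption):
# Test-EasDeviceContainerAcl -SamAccountName 'jdoe' | Format-List
```

If `ProtectedByAdminSDHolder` is true, any ACE added directly to the object, including a temporary "Full Access" grant, is removed again when SDProp next copies the AdminSDHolder descriptor onto protected accounts (every 60 minutes by default), which is why such a fix only holds for a short time. Re-enabling inheritance on a protected account is undone the same way; the durable, supported configuration is the separate non-privileged mailbox account the replies recommend.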
  • This user is most probably a member of some of the protected groups such as Domain Admins, Account Operators and similar. If this is the case, just try the same scenario with a non-privileged user account.

    Damir

    Wednesday, May 29, 2013 8:05 PM
  • We have at least 20 other users who can sync without a problem. Unfortunately it is impossible to create a non-privileged user for the users that do not. 
    Thursday, May 30, 2013 1:24 PM