ActiveSync issues with iPhone 3GS & Exchange 2010 RC

Question

  • Unable to sync with my iPhone 3GS - seems to be a permissions issue?

    Log Name:      Application
    Source:        MSExchange ActiveSync
    Date:          28/08/2009 10:28:52
    Event ID:      1053
    Task Category: Configuration
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      EXCHANGE.konnexion.net
    Description:
    The Exchange ActiveSync doesn't have enough permissions to create "CN=Ian,OU=Users,OU=Konnexion,DC=konnexion,DC=net" container under AD user "Active Directory operation failed on INFERNO.konnexion.net. This error is not retriable. Additional information: Access is denied.
    Active directory response: 00000005: SecErr: DSID-03152492, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
    ".
    Make sure the user has inherited permission granted to domain\Exchange Servers to allow List, Create child, Delete child of object type "msExchangeActiveSyncDevices" and doesn't have any deny permissions blocking such operartions.

    Friday, August 28, 2009 10:15 AM

Answers

  • Did you already do what it said and make sure inherited permissions are on? If your user is or ever was a member of an AD protected group then it'll be off.
    Brian Day / MCSA / CCNA, Exchange/AD geek.
    • Marked as answer by konnexion Friday, August 28, 2009 2:33 PM
    Friday, August 28, 2009 12:59 PM

All replies

  • Brian, I'm not exactly sure what it's telling me and where to go to fix it. By "user" does it mean my domain account, i.e. the account trying to ActiveSync?
    Friday, August 28, 2009 2:16 PM
  • Got it, thanks !

    For anyone else as confused as I was, bring up Properties/Security of the user account, click on Advanced and enable the checkbox "Include inheritable permissions from this object's parent"

    Ian

    Friday, August 28, 2009 2:25 PM

  • Same issue on Windows Mobile 6.x (tested on 6.5, 6.1, 6.0), so it's not a mobile device platform issue.

    Seems it's a little bug in Exchange Server 2010 RC; I tested it on 14.0.639.11, with the DC running on Windows Server 2008 R2.

    Arman Obosyan, http://postmaster.ge/blog
    Friday, August 28, 2009 4:05 PM
  • Not a bug. It is just proving people out there are not following best practices and are using their admin accounts for email and daily tasks. :)  If you are a member of a protected group AD will remove inheritance automatically every 1 hour. Use a non-admin account for your day to day stuff and use run-as for an admin account to perform admin tasks.

    http://support.microsoft.com/default.aspx/kb/817433

    http://technet.microsoft.com/en-us/magazine/2009.09.sdadminholder.aspx

    Brian Day / MCSA / CCNA, Exchange/AD geek.
    • Proposed as answer by M-L-S Friday, August 9, 2013 6:56 PM
    Friday, August 28, 2009 7:24 PM
  • Glad it's working now! :)
    Brian Day / MCSA / CCNA, Exchange/AD geek.
    Friday, August 28, 2009 7:25 PM
  • will remove inheritance automatically
    Very cool :)
    Thanks Brian!

    I use my standard account, but later found that it is a member of Schema Admins (left after some experiments), so I removed it :)

    Thanks again!

    Arman Obosyan, http://postmaster.ge/blog
    Friday, August 28, 2009 7:37 PM
  • Thanks for the info on Exchange with iphone devices and the protected groups within AD.

    Now we know why we were having issues after our upgrade, with our admin staff accessing email via iphones.

    Now for the next evolution, just wondering if you know if the same problem occurs when using exchange 2010 and blackberry devices via a BES or BES express server?

    thanks in advance.

    Dave Savoie

    Thursday, October 14, 2010 2:02 PM
  • Yes, this issue presents itself when working with BlackBerry Server (BES, BES Express, etc.)  We had to remove everyone from the Domain Admins protected group before their BlackBerrys would work because the BES Admin account you use for BlackBerry services will not propagate permissions down to those protected accounts.
    Thursday, October 14, 2010 2:35 PM
  • Excellent stuff guys, 1 and a half years on, this helped resolve my problem with Exchange 2010 and Nokia Mail for Exchange. It was silly of me that I hadn't checked the event log for 2 days to find out what my problem was - I kept thinking it was an Exchange configuration issue / not having the latest version of Mail for Exchange or not having a public SSL certificate. However, this sorted my issue. Thanks!
    Wednesday, January 19, 2011 12:35 PM
  • Hey, thanks for this info.

    Is it possible to check and correct the setting via Exchange Powershell?

    greetings
    Stefan

    Monday, January 31, 2011 1:30 PM
  • I have a user that I have removed from all Admin Groups and the inheritance is checked. After moving them from 2003 to 2010, ActiveSync no longer works on either iPhone or Windows device. On Windows Phone I am receiving Error code: 86000C0A, We're having a problem syncing with mail.genesta.com.
    Saturday, March 5, 2011 3:51 PM
  • What about ADUC 2008? I had to go to my 2003 server to use ADUC to be able to see the security tab. It is not available in ADUC properties on my 2008 server.

    [update] ... nevermind. Turned on 'Advanced Features' under Views... and 'Bob's your uncle' there it is.

    Monday, March 7, 2011 6:47 PM
  • Brian,

    I just performed an Exchange 2003 to Exchange 2010 migration for a client and they are experiencing this issue with their admin users.  I have attempted this fix with multiple accounts but still get the "Unable to Verify Account Information" error.  I go in to the account properties > Security Tab > Advanced > and check Inherit permission.  I even tried removing the user from all protected security groups and waited for it to propagate but still same error...

    They are running Exchange 2010 w/ SP1 Update Rollup 2.  Is this not possible anymore in Exchange 2010?  Is it maybe because these mailboxes were moved from 2003 to 2010?

    Any help is much appreciated!

    Thanks,

    Scott Cochran,  Security+, MCSE '03, MCITP-EA, CCA, VCP, NCDA

    Thursday, March 24, 2011 3:52 AM
  • Thanks for the clarification.
    Tuesday, May 24, 2011 5:07 PM
  • Is there a way to disable this behavior and not have AD removing inheritance for members of a protected group? Best practice or not, just doesn't seem like AD should be making policy for me. Any workaround or registry mod? Thanks in advance!

    EDIT: Saw it in the article :O


    RJ

    Thursday, July 28, 2011 7:36 AM
  • Ramyar, did you get any response to your question yet? Taking some users out of protected groups is simply not an option for us :(
    Wednesday, September 14, 2011 1:57 PM
  • Hello Scott. I am in exactly the same predicament as you are. Did you find out the resolution?
    Friday, December 2, 2011 1:38 AM
  • From your Exchange 2010 installation files, run Setup /preparead.  This will restore all of the appropriate permissions to Exchange objects.
    Saturday, December 24, 2011 7:53 AM
  • Hello Scott. I am in exactly the same predicament as you are. Did you find out the resolution?

    Hello Scott and CityComm.  Our new ActiveSync users are in the same boat.  They're not in protected groups, their permissions are set to be inherited, their domain/Exchange Server ActiveSync permissions appear to be OK, but they're not syncing.

    We have a number of existing ActiveSync users, with various flavors of OSx and Droid devices which are syncing just fine.  Most user accounts are migrated from Exchange 2003 and Server 2003 to Exchange 2010 and Server 2008.

    The account of one new ActiveSync user, with a new iPhone which is not synching, was migrated from 2003.

    The accounts of two other new ActiveSync users, with different iPhones which are not synching, are brand-new in 2010/2008. 

    We're stumped.  Please put us on the list of consumers eager for a solution.


    • Edited by jetpowerpro Sunday, January 8, 2012 12:08 AM
    Saturday, January 7, 2012 11:32 PM
  • Hey Jet,

    Pardon for not being more explicit but I was in the same boat as well.  Migrated from 2003 to 2010; some of the mailboxes synced with devices initially.  Eventually, any newly created or migrated mailboxes would not sync despite permissions, (non)protected group status, and inheritance.  Setup /preparead did the trick.

    • Proposed as answer by -T- Wednesday, March 14, 2012 2:49 AM
    Wednesday, January 11, 2012 5:28 AM
  • Many thanks to all in this thread.  Been slamming my head on the wall for two days and after trying everything, running the setup /preparead worked like a champ and the phones connected.  Thanks to all who contributed to this thread.
    Tuesday, January 24, 2012 1:17 PM
  • So, finally, what is to be done?

    setup /preparead?

    I'm not clear on the security permission in AD; is that to be set for all users?

    Lasandro
    Friday, January 27, 2012 10:19 PM
  • I was finally able to resolve this after months of troubleshooting. The issue is that the user or users having this issue are most likely in one of the below groups or in a group which belongs to one of the below groups.

    The following list describes the protected groups in Windows 2000:
    • Enterprise Admins
    • Schema Admins
    • Domain Admins
    • Administrators

    The following list describes the protected groups in Windows Server 2003 and in Windows 2000 after you apply the 327825 hotfix or you install Windows 2000 Service Pack 4:
    • Administrators
    • Account Operators
    • Server Operators
    • Print Operators
    • Backup Operators
    • Domain Admins
    • Schema Admins
    • Enterprise Admins
    • Cert Publishers
    Additionally the following users are also considered protected:
    • Administrator
    • Krbtgt

    i.e. in our case Domain Users was part of Print Operators, so everyone had this issue and we had to manually do this when they got new smartphones.

    You can refer to this Microsoft article for details and also on how to enable all users with a script.

    http://support.microsoft.com/kb/817433

    • Edited by dejansh Tuesday, October 2, 2012 8:34 PM
    Tuesday, October 2, 2012 8:34 PM
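Stefan's question earlier in the thread (checking and correcting the setting from PowerShell) never got an answer, and dejansh's last post points at a script without showing one. The following is an added example, not code from any poster here: it checks the conditions Brian and dejansh describe (adminCount stamped, inheritance blocked, membership in a protected group, inherited ACEs for Exchange Servers) for one user and, with -Repair, re-enables inheritance. It assumes the ActiveDirectory module is installed and that the group name is "Exchange Servers"; the user name 'ian' is a constructed sample.

```powershell
# Added example, not code from any poster in this thread. Checks whether an AD
# user is in the state event 1053 reports and, with -Repair, re-enables
# inheritance. Assumes the ActiveDirectory module (RSAT on Server 2008 R2 or
# later) and Exchange 2010's default group name "Exchange Servers".
Import-Module ActiveDirectory

# Protected groups from KB 817433 (Windows Server 2003 and later).
$ProtectedGroups = 'Administrators', 'Account Operators', 'Server Operators',
    'Print Operators', 'Backup Operators', 'Domain Admins', 'Schema Admins',
    'Enterprise Admins', 'Cert Publishers'

function Test-ActiveSyncInheritance {
    param([Parameter(Mandatory = $true)][string]$SamAccountName, [switch]$Repair)
    $user = Get-ADUser -Identity $SamAccountName -Properties adminCount
    $dn   = $user.DistinguishedName
    $acl  = Get-Acl -Path "AD:\$dn"

    # Which protected group (directly or via nesting, e.g. Domain Users inside
    # Print Operators as in the thread) makes AdminSDHolder stamp this user?
    # While any match exists, AdminSDHolder re-blocks inheritance every hour.
    $via = foreach ($g in $ProtectedGroups) {
        $members = Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue
        if ($members | Where-Object { $_.DistinguishedName -eq $dn }) { $g }
    }

    # Inherited Allow ACEs for Exchange Servers are what ActiveSync needs to
    # create the device container under the user; blocking inheritance drops them.
    $exchangeAces = @($acl.Access | Where-Object {
        $_.IdentityReference -like '*\Exchange Servers' -and
        $_.AccessControlType -eq 'Allow' -and $_.IsInherited })

    if ($Repair -and $acl.AreAccessRulesProtected) {
        # Same effect as ticking "Include inheritable permissions from this
        # object's parent" in ADUC; pointless unless $via is empty.
        $acl.SetAccessRuleProtection($false, $true)
        Set-Acl -Path "AD:\$dn" -AclObject $acl
    }

    New-Object PSObject -Property @{
        User               = $user.SamAccountName
        AdminCount         = [int]$user.adminCount   # 1 = stamped by AdminSDHolder
        InheritanceBlocked = $acl.AreAccessRulesProtected
        ProtectedVia       = ($via -join ', ')
        ExchangeServersAce = $exchangeAces.Count
    }
}

Test-ActiveSyncInheritance -SamAccountName 'ian'   # constructed sample user
```

A result with ProtectedVia non-empty means the repair will be undone within the hour, so the group membership has to be fixed first, as Brian says; a user with inheritance enabled and ExchangeServersAce of 0 points at missing Exchange permissions, which is the Setup /preparead case later in the thread.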