At work we are currently migrating to a new Active Directory domain. The migration has gone rather smoothly except for a couple of users who are not able to sync mail on their phones.
After a little research I found the following events in the Application event log on our Exchange CAS server:
Log Name: Application
Source: MSExchange ActiveSync
Date: 04.08.2011 11:00:48
Event ID: 1053
Task Category: Configuration
Exchange ActiveSync doesn’t have sufficient permissions to create the “CN=<user>,OU=<ou>,DC=<domain>,DC=local” container under Active Directory user “Active Directory operation failed on <domain controller>. This error is not retriable. Additional information: Access is denied.
Active directory response: 00000005: SecErr: DSID-031521D0, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
Make sure the user has inherited permission granted to domain\Exchange Servers to allow List, Create child, Delete child of object type “msExchangeActiveSyncDevices” and doesn’t have any deny permissions that block such operations.
This, I found, was because the Exchange server wants to create a container under the user object in AD. That container holds one object for each mobile device the user wants to sync mail on, so if the Exchange servers cannot create it, the device partnership is never established and the sync fails with "Access is denied".
I compared the users having trouble syncing to those who are able to sync and found only one difference: the users who cannot sync mail don’t have “Include inheritable permissions from this object’s parent” ticked on the Security–>Advanced page of the user object. Ticking this resolved the issue.
One caveat before ticking the box: the usual reason a user object has inheritance disabled is that the account is (or once was) a member of a protected group such as Domain Admins. Such accounts are stamped with adminCount=1, and the SDProp process re-applies the AdminSDHolder ACL and clears the inheritance flag again, every 60 minutes by default, so the fix will not stick for them. For those users the sensible option is to sync mail with a separate, non-privileged account rather than fight SDProp.
After a little more digging I found the specific permissions the Exchange servers need.
To enable ActiveSync, the group “<domain>\Exchange Servers” needs to have these permissions on the user object (normally inherited from the domain root, where Exchange setup grants them):
Create msExchActiveSyncDevices objects
Delete msExchActiveSyncDevices objects
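To find the affected users without clicking through every object in ADUC, the following script reports, for each user in an OU, whether inheritance is disabled, whether the account is protected by AdminSDHolder (adminCount=1), and whether the Exchange Servers group actually holds an Allow ACE for Create child/Delete child on msExchActiveSyncDevices (and no Deny ACE that would block it). This is an added example and not code from the original post; it assumes the ActiveDirectory PowerShell module (RSAT), that the group is named "Exchange Servers", and the OU in $SearchBase is a placeholder you must change. With -Fix it re-enables inheritance on unprotected accounts only, since SDProp would revert it on adminCount=1 accounts anyway.

```powershell
# Added example (not from the original post). Requires the ActiveDirectory
# module (RSAT) and read access to the domain; the OU below is an assumption.
Import-Module ActiveDirectory

$SearchBase = 'OU=Users,DC=example,DC=local'        # assumed OU, adjust to your domain
$ExchSid    = (Get-ADGroup 'Exchange Servers').SID.Value

# The ACE the event log asks for is scoped to the msExchActiveSyncDevices
# class, so resolve that class's schemaIDGUID from the schema partition.
$SchemaNC = (Get-ADRootDSE).schemaNamingContext
$EasGuid  = [guid](Get-ADObject -SearchBase $SchemaNC `
                -LDAPFilter '(lDAPDisplayName=msExchActiveSyncDevices)' `
                -Properties schemaIDGUID).schemaIDGUID
$AllTypes = [guid]::Empty                            # ACE covering every child object type
$Needed   = [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild'

function Test-EasAce {
    # $true when the ACE belongs to Exchange Servers, has the requested type
    # (Allow/Deny) and touches CreateChild/DeleteChild for msExchActiveSyncDevices.
    # An Allow must carry both rights; a Deny blocks if it carries either.
    param($Ace, [string]$Type)
    if ($Ace.AccessControlType -ne $Type) { return $false }
    $sid = $Ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
    if ($sid -ne $ExchSid) { return $false }
    $overlap = $Ace.ActiveDirectoryRights -band $Needed
    $rightsOk = if ($Type -eq 'Allow') { $overlap -eq $Needed } else { [int]$overlap -ne 0 }
    $typeOk   = ($Ace.ObjectType -eq $EasGuid) -or ($Ace.ObjectType -eq $AllTypes)
    return $rightsOk -and $typeOk
}

function Get-EasPermissionReport {
    param([string]$SearchBase, [switch]$Fix)
    Get-ADUser -SearchBase $SearchBase -Filter * -Properties adminCount | ForEach-Object {
        $user = $_
        $dn   = $user.DistinguishedName
        $acl  = Get-Acl -Path "AD:\$dn"
        $allow     = @($acl.Access | Where-Object { Test-EasAce $_ 'Allow' }).Count -gt 0
        $deny      = @($acl.Access | Where-Object { Test-EasAce $_ 'Deny'  }).Count -gt 0
        $protected = $acl.AreAccessRulesProtected    # "Include inheritable permissions" unticked
        $adminSd   = ($user.adminCount -eq 1)        # SDProp will re-clear inheritance on these

        if ($Fix -and $protected -and -not $adminSd) {
            # SetAccessRuleProtection($false, $true): enable inheritance, keep explicit ACEs.
            $acl.SetAccessRuleProtection($false, $true)
            Set-Acl -Path "AD:\$dn" -AclObject $acl
            $protected = $false
        }

        [pscustomobject]@{
            User                     = $user.SamAccountName
            InheritanceDisabled      = $protected
            ProtectedByAdminSDHolder = $adminSd
            HasEasAllow              = $allow
            HasEasDeny               = $deny
            CanSync                  = ($allow -and -not $deny)
        }
    }
}

# Report only; add -Fix to re-enable inheritance on the unprotected accounts.
Get-EasPermissionReport -SearchBase $SearchBase | Format-Table -AutoSize
```

Run the report first and look at the ProtectedByAdminSDHolder column: a user who shows InheritanceDisabled and ProtectedByAdminSDHolder both true is a protected-group member, and re-enabling inheritance on that object is pointless because SDProp removes it again within the hour. The HasEasDeny column covers the second half of the event text, the case where inheritance is fine but an explicit Deny on the user (or an OU above it) blocks the Exchange Servers group.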