Activesync Working But Only For Some Users On Exchange 2007 / 2010

There are some issues with ActiveSync on both Exchange 2007 and Exchange 2010 whereby some users can connect their mobile devices (Windows Mobile phones, iPhones, Motorola Droid, etc.) quite happily and ActiveSync pushes mail to the devices, but other users cannot connect and cannot sync anything at all.

If you search the web you will find plenty of suggested solutions for this problem, but the majority of cases can be solved quite simply.

Open Active Directory Users and Computers and locate one of the users that is not working. Double-click the account and open the Security tab (if the tab is not visible, choose View > Advanced Features from the menu at the top of the screen, then navigate back to the user). On the Security tab, click the Advanced button and make sure that ‘Include Inheritable Permissions From This Object’s Parent’ is ticked. Click OK twice to close the user account.

Once the box is ticked, you should then be able to connect up your Mobile Device to your Exchange Server and receive your mail like the rest of your users.

This particular problem seems to only affect migrated users and not users that were setup on the server post migration.

You may also find that if you use an account that has admin privileges and tick the ‘Include Inheritable Permissions From This Object’s Parent’ check box, it works for a while and then stops working again about an hour or so later.

The reason this happens is that Active Directory uses an object called AdminSDHolder to define the permissions that the default protected security groups (and their members) receive. You can change the inherited permissions on such an account, but a process called SDProp runs, by default every 60 minutes, on the domain controller that holds the PDC emulator (PDCe) role. It checks the ACL of the protected groups and of the users within them and resets their inherited permissions to whatever has been defined on the AdminSDHolder object.

Microsoft’s recommendation and best practice is that, if you are a domain administrator, you have two accounts: one for your everyday use, restricted in the same way as every other user, and a second for your administration role.

The built-in groups that are affected with Windows 2008 are:
Account Operators
Administrators
Backup Operators
Domain Admins
Domain Controllers
Enterprise Admins
Print Operators
Read-only Domain Controllers
Replicator
Schema Admins
Server Operators

The built-in users that are affected with Windows 2008 are:
Administrator
Krbtgt
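As an added example (not code from the original post), the following PowerShell script does in bulk what the Active Directory Users and Computers steps above do by hand: it audits every user object for a blocked ‘Include Inheritable Permissions’ setting and, with -Fix, re-enables inheritance, but it skips accounts carrying adminCount = 1, because SDProp would simply undo that change within the hour. It assumes the ActiveDirectory PowerShell module from RSAT (Windows Server 2008 R2 or later, or a domain with the Active Directory Management Gateway installed) and an account with rights to modify the users' security descriptors; the parameter names and status strings are my own.

```powershell
<#
  Added example, not code from the original post.
  Audits user objects for blocked permission inheritance and (with -Fix)
  re-enables inheritance for accounts that SDProp will leave alone.
  Assumes: ActiveDirectory module (RSAT) and rights to modify the users'
  security descriptors. Parameter names are my own.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Limit the audit to one OU; defaults to the whole domain.
    [string]$SearchBase,
    # Without -Fix the script only reports.
    [switch]$Fix
)

Import-Module ActiveDirectory

if (-not $SearchBase) { $SearchBase = (Get-ADDomain).DistinguishedName }

# nTSecurityDescriptor carries the object's ACL. adminCount = 1 marks an
# account that SDProp protects (or once protected: the attribute is not
# cleared automatically when an account leaves a protected group).
$users = Get-ADUser -Filter * -SearchBase $SearchBase `
             -Properties adminCount, nTSecurityDescriptor

$report = foreach ($u in $users) {
    # AreAccessRulesProtected = $true means the 'Include inheritable
    # permissions' box is unticked on this object.
    if (-not $u.nTSecurityDescriptor.AreAccessRulesProtected) { continue }

    if ($u.adminCount -eq 1) {
        $status = 'Protected by AdminSDHolder: SDProp would reset the fix'
    } else {
        $status = 'Inheritance blocked: safe to re-enable'
    }
    [pscustomobject]@{
        SamAccountName = $u.SamAccountName
        AdminCount     = $u.adminCount
        Status         = $status
    }
}

$report | Format-Table -AutoSize

if ($Fix) {
    foreach ($entry in @($report | Where-Object { $_.AdminCount -ne 1 })) {
        $dn   = (Get-ADUser $entry.SamAccountName).DistinguishedName
        $path = "AD:\$dn"
        if ($PSCmdlet.ShouldProcess($entry.SamAccountName, 'Enable permission inheritance')) {
            $acl = Get-Acl -Path $path
            # isProtected = $false re-enables inheritance; the second argument
            # (preserveInheritance) is ignored when isProtected is $false.
            $acl.SetAccessRuleProtection($false, $false)
            Set-Acl -Path $path -AclObject $acl
        }
    }
}
```

Run it first with -Fix -WhatIf to see which accounts would change, then without -WhatIf. Accounts that were once in a protected group but have since been removed (as in the comments below, where a user was taken out of Administrators) still show AdminCount = 1 here, because SDProp does not clear that attribute on its own; for those, the usual cleanup is Set-ADUser -Clear adminCount followed by re-enabling inheritance, once you have confirmed the account is no longer a member of any protected group.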

Many thanks to Glen Knight aka Demazter for the section about AdminSDHolder.

The following blog shows a way to get around the issue if you want to maintain Activesync with an Administrator Account (use at your own risk):
http://retrohack.com/enable-activesync-outlook-anywhere-exchange-2010/

44 Responses

  1. […] There are known problems with administrative users when using ActiveSync and this has been covered in an article here by Alan Hardisty: https://alanhardisty.wordpress.com/2010/03/05/activesync-not-working-on-exchange-2010-when-inherit-pe… […]

  2. Excellent, thanks for that tip.

    Just began the migration process, and my mailbox needed inheritable permissions enabled.

    Not sure how many years of pain you’ve saved me!

  3. Nice work Alan, we ran into this exact issue for legacy mailboxes and it fixed it straight away.

    • This info is a gem. Been looking for a solution all day as we migrated to Exchange 2010 yesterday. Thanks a million.

      Regards
      Alan

  4. Great blog, I resolved the issue following your instructions.
    Thanks

  5. […] what is this permission issue all about? Well, we found that members of the Exchange Server admin group receive an HTTP 500 response code to ActiveSync requests, something that became clear when I looked at the logs closer. We also used the Microsoft […]

  6. an answer with a reason, awesome!
    thanks

  7. […] Posts Exchange 2003 and Activesync Configuration and TroubleshootingActivesync Working But Only For Some Users On Exchange 2007 / 2010Windows Small Business Server 2011 Standard and Premium Add-on Released to ManufacturingHTC HD2 […]

  8. Thanks Dude, saved me a lot of headaches!!!!

  9. Many thanks for your information, it really helped me a lot to resolve this problem.

    Best Regards

  10. Thanks… this has saved me a shed load of head scratching!!!

  11. Lifesaver! Thank you so much for taking the time to document this in plain English.

    Many thanks,

    Sam.

  12. Perfect answer. Thanks. I struggled for hours. You are a hero. Strange thing though, we configured Exchange 2010 from scratch and not a migration, yet I can see several mailboxes needing this fix.

    Thanks again, Deak

  13. Wow. I’ve been looking for this for a week now. Annoyed the heck out of me. The funny thing is, the same “Inherit Permissions” thing took me some time to figure out because I couldn’t set delegation rights on mailboxes a while ago. Never thought this would be related. And of course I hadn’t ticked the “Inherit Permissions” for everyone yet..

  14. Nice find!

  15. Just as an FYI. On our installation the migrated users worked fine, and it was the new users that had the problem.

  16. Awesome post, just saved me hours of rechecking everything in Exchange. Thanks

  17. What a simple solution to a pain in the…..

    Thanks!!!!

  18. Is there any script to batch this permission on all our users?

  19. Thanks a Lot MATE…..It was a great help from you…….Much appreciate it.

  20. You are an absolute star!! God bless you for putting this on a blog It totally solved my last long problem that I have spent days on.
    This and other things with the 2010 from 2003 conversion have been driving me nuts. Finally have it all working like it should. Users on my back for days wanting email on their phones. So you know how happy I am right now.
    Thanks a million.

  21. Hi Alan,

    Thanks for the post. Weird thing: domain users using iPhones could not get it working. Domain admins definitely were not working. Domain users already had that setting clicked on. Domain admins had to be clicked on. Once a domain admin was clicked on, however, it “woke” up the connection to the domain users… Very strange. But you saved us weeks of tweaking!

    Thanks,
    JP

  22. […] Alan Hardisty’s Blog 1 minute ago via link in Exchange | Follow the conversation and subscribe to the […]

  23. Thank you very much!

  24. Great! Worked for me. I am interested in what inherited permission(s) it is that fixed it and why.

    • I’m not exactly sure which permissions or combination is required to make Activesync happy as I haven’t sat down and compared one without the permissions and then added the missing ones manually, but if I get a chance to check it out, I will.

      Alan

  25. I’m “assuming” this is my problem as well but with a twist. Works for users except the boss who as some point in the past was added to the administrators group. I removed him from the group but his user account still can’t connect to activesync. Is there some flag not cleared on his AD account that it still thinks he’s in the administrators group?

    • Hi Chris,

      Once removed from the group, have you checked the inherited permissions and possibly removed and re-added the inheritance tick?

      Alan

      • Just to make sure I did it right. He’s been removed from the administrators group for a day now, I went into his AD account, security, adv, unchecked inherited permissions, apply, ok. Then a couple of minutes later re-added inherited permissions.

        No change, I’m using the MS Exchange connectivity page to test it. Still failed on the OPTIONS command with a 401. All other users work fine. I really hope I don’t have to dump his account and make him a new one.
        Could be AD replication, I’ll force AD update to see if that helps.

      • I still don’t understand the ‘why’ behind this. What does the ‘inherit permissions’ add to the account that gets ActiveSync working exactly?

  26. Brilliant article, thank you for saving me many possible months and not having to go as far as deleting user accounts as a last resort.

  27. Glad I found this article. Helped a lot fixing those nasty Exchange errors.

    Edward

  28. This was exactly my problem. Thanks a bunch.

  29. Thank you very much for posting this! This fixed our issue as well.

  30. Thank you very much for your valuable instructions and it worked for me.
