Users Are Unable to Use Activesync After Migration from Exchange 2007 to Exchange 2010

Written by on
ActiveSync, exchange 2007, Exchange 2010, Threat Management Gateway

 

At a recent customer, we ran into an issue where a set of users were migrated from Exchange 2007 to Exchange 2010.  All of the users activesync worked without issue, but one user was unable to connect.  No matter what we tried, he would get”unable to connect to server” on his phone.  We checked the activesync logs, would see an initial connection but then nothing else.

Checking the event logs of one of the CAS servers, we found error event ID 1053: “Exchange Activesync doesn’t have sufficient permissions to create the container under Active Directory User”Untitled

So I opened Active Directory Users and Computers, selected View-Advanced Features:

image

Then I opened the user account, went to to the security tab->;Advanced:

23

Here, the “Include inheritable permissions from this objects parent” was UNCHECKED:

admin

I checked this box, hit apply, and boom active sync started working. Since this account was not a domain admin and just a standard user account, this was unexpected.

Comments;

  1. Tony

    This also happens with special “admin” groups such as account operations, print operators, etc – If the user is in one of these group deemed “admin” by Microsoft. Exchange will continually remove the inheritance check box every so often (maybe every hour), but it is only needed during the first ActiveSync communication.

    1. ponzekap2 Post author

      Your right Tony! I should have stated that this account wasn’t protected but a regular user account so it was unexpected.

Comments are closed.