Permissions model for helpdesk to Enable Exchange ActiveSync
This article outlines the steps to grant an Active Directory group permission to enable or disable Exchange ActiveSync from Active Directory Users and Computers.
If your organization has a policy in place to enable users for Exchange ActiveSync only with approval, your helpdesk team should have the ability to enable or disable the feature. This ability is normally only available with Exchange admin permissions.
With Exchange 2010 the story is different with RBAC in place. You can create a custom management role and assign EAS permissions.
The attribute responsible for the EAS feature is “msExchOMAAdminWirelessEnable”.
You can read more here:
Troubleshooting Exchange ActiveSync and reading IIS logs: http://msexchangeguru.com/2012/02/01/exchange-activesync/
- Create an AD Group called “EASMobileEnableGroup”
- Add “EASMobileEnableGroup” to “Exchange View Only Administrators” group
- Add your helpdesk users as members of the group
- Right click on the domain level/OU level where you want to delegate permissions and select “Delegate Control”. On the next screen, add “EASMobileEnableGroup” and click Next
- Select Custom task
- Select “User objects”
- Select Read and Write for the attribute “msExchOMAAdminWirelessEnable”
Once these steps are completed, add the helpdesk person to “EASMobileEnableGroup”; they should now be able to change the second option, “User Initiated Synchronization”, to Enabled or Disabled.
Ideally, if all options are set to enabled, the attribute “msExchOMAAdminWirelessEnable” will be <not set> in ADSIEdit.
If msExchOMAAdminWirelessEnable is set to 4, options 1 and 3 are enabled and option 2 is disabled.
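The following PowerShell is an added example, not part of the original article: it checks that the ACEs granted to “EASMobileEnableGroup” on the delegated container are limited to read/write of msExchOMAAdminWirelessEnable, then lists users whose attribute is set. The OU distinguished name is a placeholder, and the RSAT ActiveDirectory module is assumed.

```powershell
# Added example, not from the original article. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$TargetDN  = 'OU=Staff,DC=example,DC=com'      # placeholder: OU/domain where control was delegated
$GroupName = 'EASMobileEnableGroup'            # group name from the article
$AttrName  = 'msExchOMAAdminWirelessEnable'    # attribute name from the article

# ACEs reference an attribute by its schemaIDGUID, so resolve it from the schema first.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$attr = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$AttrName)" -Properties schemaIDGUID
if (-not $attr) { throw "Attribute $AttrName not found; is the Exchange schema extension installed?" }
$attrGuid = [guid]$attr.schemaIDGUID

# Rights the delegation is supposed to grant, and nothing more.
$allowed = [int][System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty'

# 1) Every ACE on the target that names the helpdesk group.
$aces = (Get-Acl -Path "AD:\$TargetDN").Access |
    Where-Object { $_.IdentityReference.Value -like "*\$GroupName" }
if (-not $aces) { Write-Warning "No ACE for $GroupName found on $TargetDN" }

$report = foreach ($ace in $aces) {
    $extraRights = [int]$ace.ActiveDirectoryRights -band (-bnot $allowed)
    [pscustomobject]@{
        Identity       = $ace.IdentityReference.Value
        Type           = $ace.AccessControlType
        Rights         = $ace.ActiveDirectoryRights
        Inherited      = $ace.IsInherited
        # True only for an Allow ACE limited to read/write of this one attribute.
        LeastPrivilege = ($ace.AccessControlType -eq 'Allow') -and
                         ($extraRights -eq 0) -and
                         ($ace.ObjectType -eq $attrGuid)
    }
}
$report | Format-Table -AutoSize

# 2) Users under the target whose attribute is set (unset means all options enabled).
Get-ADUser -SearchBase $TargetDN -LDAPFilter "($AttrName=*)" -Properties $AttrName |
    Select-Object SamAccountName,
        @{ n = 'Value'; e = { $_.$AttrName } },
        @{ n = 'UserInitiatedSyncDisabled'; e = { $_.$AttrName -eq 4 } } |   # value 4 per the article
    Format-Table -AutoSize
```

Any row with LeastPrivilege = False means the group holds more on that container than the attribute-level delegation described above.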