MSExchangeGuru.com

Learn Exchange the Guru way !!!

 

Permissions model for helpdesk to Enable Exchange ActiveSync

This article outlines the steps to enable an Active Directory group with permissions to Enable/Disable Exchange ActiveSync from Active Directory Users and Computers

If your organization has a policy in place to enable users for Exchange ActiveSync only with approval, your helpdesk team should have the ability to Enable/Disable the feature. This feature is normally only available with Exchange admin permissions.

With Exchange 2010 the story is different with RBAC in place. You can create a custom management role and assign EAS permissions.

The attribute responsible for EAS feature is ““msExchOMAAdminWirelessEnable”

 

You can read more here:

Troubleshooting Exchange ActiveSync and reading IIS logs: http://msexchangeguru.com/2012/02/01/exchange-activesync/

  1. Create an AD Group called “EASMobileEnableGroup”
  2. Add “EASMobileEnableGroup” to “Exchange View Only Administrators” group
  3. Add your helpdesk users as a member of the group
  4. Right click on the domain level/OU level where you want to delegate permissions and select “Delegate Control” and on the next screen add “EASMobileEnableGroup” and click next

     


     

  5. Select Custom task


     

  6. Select “User objects”


     

  7. Select the Read and Write for attribute “msExchOMAAdminWirelessEnable”


Once these steps are completed, the helpdesk person should be added to the “EASMobileEnableGroup” and now he should be able to change the second option “User Initiated Synchronization” to Enabled or Disabled


Ideally, if this all set to enable, the attribute “msexchOMAAdminWirelessEnable“will be <not Set> in ADSIEdit.

If msexchOMAAdminWirelessEnable is set to 4, Option 1 and 3 enabled and Option 2 disabled

Ratish Nair
MVP Exchange
Team@ MSExchangeGuru

Keywords: Enable Exchange ActiveSync, Setup permissions for Exchange ActiveSync, helpdesk permissions to manage Exchange ActiveSync, Provide helpdesk users to enable activesync

7 Responses to “Permissions model for helpdesk to Enable Exchange ActiveSync”

  1. Anita Says:

    GREAT one- This is very handy 🙂

  2. Hari Says:

    I tried the above. but still helpdesk people not able to enable active sync permission.. Is it for Exchange 2003 or 2007?

  3. Ratish Sekhar Says:

    Should work for all

  4. Hari Says:

    I did the same which you mentioned above.. but still getting below error while trying to enable active sync on EMC 2007.

    “Access to address list services on all exchange 2007 servers has been denied”

    What would be the issue.. Any suggestion.? Pls.!!

  5. Hari Says:

    Hi Ratish,

    Any suggestion?

  6. Andrew Says:

    I am having the same issues with delegating this as Hari, I followed the steps but still getting “Access to address list services on all exchange 2007 servers has been denied” when trying to enabled/disable ActiveSync.

  7. Hari Says:

    Yes. It won’t work in EMC. but you can seperate GUI Tool to enable Active sync.

    Here is Quest powershell command to enable active sync
    Set-QADUser -Identity “SAMAccountName or Email address” -ObjectAttributes @{msExchOmaAdminWirelessEnable = 3 }

Leave a Reply

ad

Categories

Archives