

Exchange 2016 – Active Sync inheritable permissions issue

There is a known issue with Exchange ActiveSync (EAS), mostly affecting newly created users, that is caused by Active Directory permissions. You can spot it in the IIS logs, where the failed sync request looks like the example below:

The Exchange server's event log should also contain an event like the following:

The first time a user tries to synchronize an EAS device, the Exchange server tries to create a container of type msExchActiveSyncDevices under the user object in Active Directory Domain Services (AD DS), and then tries to change the permissions on that container.

By default, the Exchange Servers group has rights to create and delete msExchActiveSyncDevices objects, but it does not have the right to change permissions on them. That right comes instead from the Owner Rights security principal, which by default has Full Control on the objects the server creates.

The issue therefore occurs when the Owner Rights security principal has been restricted to Read permissions on msExchActiveSyncDevices objects: Exchange can still create the container, but the subsequent ACL change fails and the device never syncs.
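Before changing anything it is worth seeing which of the two conditions applies. The PowerShell below is an added diagnostic, not part of the original post: it reads the ACL of a user object and of its ExchangeActiveSyncDevices container (if one exists yet) and reports whether inheritance is blocked on the user and whether either Owner Rights or Exchange Servers holds WriteDacl (the right that "Modify Permissions" maps to). It assumes the RSAT ActiveDirectory module (which provides the AD: drive) and an account that can read ACLs; the sAMAccountName `jdoe` is a placeholder.

```powershell
# Added diagnostic example (not from the original post). Assumes the RSAT
# ActiveDirectory module and the AD: drive it creates; 'jdoe' is a placeholder.
Import-Module ActiveDirectory

$OwnerRightsSid = [System.Security.Principal.SecurityIdentifier]'S-1-3-4'   # well-known "Owner Rights"
$ExchServersSid = (Get-ADGroup -Identity 'Exchange Servers').SID
$WriteDacl      = [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl

function Test-EasPermissions {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $user    = Get-ADUser -Identity $SamAccountName -Properties adminCount
    $userAcl = Get-Acl -Path "AD:\$($user.DistinguishedName)"

    # If inheritance is blocked on the user, the Exchange Servers ACEs granted
    # higher up the tree never reach it, so Exchange cannot even create the container.
    $report = [ordered]@{
        User                = $user.DistinguishedName
        InheritanceDisabled = $userAcl.AreAccessRulesProtected
        AdminCount          = $user.adminCount        # 1 = protected by AdminSDHolder/SDProp
    }

    # The container only exists once a device has synced (or tried to).
    $container = Get-ADObject -SearchBase $user.DistinguishedName -SearchScope OneLevel `
        -LDAPFilter '(objectClass=msExchActiveSyncDevices)' -ErrorAction SilentlyContinue
    if ($container) {
        $cAcl  = Get-Acl -Path "AD:\$($container.DistinguishedName)"
        $rules = $cAcl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
        $owner = @($rules | Where-Object { $_.IdentityReference -eq $OwnerRightsSid })
        $exch  = @($rules | Where-Object { $_.IdentityReference -eq $ExchServersSid })

        $report.Container         = $container.DistinguishedName
        $report.OwnerRightsRights = ($owner.ActiveDirectoryRights -join ', ')
        $report.ExchServersRights = ($exch.ActiveDirectoryRights -join ', ')
        # The failure described in the post: nobody Exchange acts as can modify the DACL.
        $report.CanModifyPermissions = [bool](($owner + $exch) |
            Where-Object { $_.ActiveDirectoryRights.HasFlag($WriteDacl) })
    } else {
        $report.Container = '(not created yet)'
    }
    [pscustomobject]$report
}

Test-EasPermissions -SamAccountName 'jdoe' | Format-List
```

If `InheritanceDisabled` is True, the second solution below applies; if the container exists but `CanModifyPermissions` is False, the Owner Rights ACE has been trimmed and the first solution applies.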

There are two solutions:

The first solution is to grant the Exchange Servers group the missing permission on the target OU (or on the individual user objects) as follows:

  • Start Active Directory Users and Computers.
  • Click View, and then click to enable Advanced Features.
  • Right-click the object where you want to change the Exchange Server permissions, and then click Properties.
  • On the Security tab, click Advanced.
  • Click Add, type Exchange Servers, and then click OK.
  • In the Apply to box, click Descendant msExchActiveSyncDevices objects.
  • Under Permissions, click to enable Modify Permissions.
  • Click OK three times.
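The same change scripted in PowerShell, as an added example that is not part of the original post. It builds exactly the ACE the ADUC steps above produce: Allow WriteDacl for Exchange Servers, inherited by descendant objects of the msExchActiveSyncDevices class only (the class GUID is looked up in the schema rather than hard-coded). It assumes the RSAT ActiveDirectory module and rights to write the target's DACL; the OU distinguished name is a placeholder.

```powershell
# Added example (not from the original post): first solution via PowerShell.
# Assumes the RSAT ActiveDirectory module; the OU DN at the bottom is a placeholder.
Import-Module ActiveDirectory

function Grant-EasModifyPermissions {
    param([Parameter(Mandatory)][string]$TargetDN)   # an OU or a single user object

    # schemaIDGUID of the msExchActiveSyncDevices class, so the ACE applies to
    # "Descendant msExchActiveSyncDevices objects" and not to everything under the target.
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $class = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=msExchActiveSyncDevices)' -Properties schemaIDGUID
    if (-not $class) { throw 'msExchActiveSyncDevices class not found in the schema' }
    $classGuid = [guid][byte[]]$class.schemaIDGUID

    $exchServers = (Get-ADGroup -Identity 'Exchange Servers').SID
    $writeDacl   = [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl   # ADUC "Modify Permissions"

    $ace = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $exchServers,
        $writeDacl,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $classGuid)

    $path = "AD:\$TargetDN"
    $acl  = Get-Acl -Path $path

    # Idempotent: do nothing if an equivalent explicit ACE is already present.
    $existing = $acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object {
            $_.IdentityReference -eq $exchServers -and
            $_.InheritedObjectType -eq $classGuid -and
            $_.ActiveDirectoryRights.HasFlag($writeDacl)
        }
    if ($existing) { Write-Host "ACE already present on $TargetDN"; return }

    $acl.AddAccessRule($ace)
    Set-Acl -Path $path -AclObject $acl
    Write-Host "Granted Exchange Servers WriteDacl on descendant msExchActiveSyncDevices objects under $TargetDN"
}

Grant-EasModifyPermissions -TargetDN 'OU=Mailbox Users,DC=contoso,DC=com'
```

Scoping the ACE to the class GUID matters: granting Exchange Servers WriteDacl on all descendants of an OU would let a compromised Exchange server rewrite the ACL of every user in it, which is far more than the fix needs.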

The second solution is to enable permission inheritance on the affected user object as follows:

  • Open Active Directory Users and Computers.
  • On the menu at the top of the console, click View > Advanced Features.
  • Locate and right-click the mailbox account in the console, and then click Properties.
  • Click the Security tab.
  • Click Advanced.
  • Make sure that the check box for “Include inheritable permissions from this object’s parent” is selected.

Note that if the affected user is a Domain Admin (or a member of another protected group), inheritance is most likely disabled on that account on purpose: the AdminSDHolder process disables it and will disable it again after you re-enable it, so for such accounts this fix does not stick.
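The second solution in PowerShell, as an added example that is not part of the original post. It checks the state first, refuses by default to touch an account with adminCount=1 (the marker SDProp uses for AdminSDHolder-protected accounts, whose DACL it rewrites periodically, every 60 minutes by default), and otherwise does the equivalent of ticking the inheritance check box. It assumes the RSAT ActiveDirectory module and rights to write the user's DACL; the sAMAccountName is a placeholder.

```powershell
# Added example (not from the original post): second solution via PowerShell.
# Assumes the RSAT ActiveDirectory module; 'jdoe' is a placeholder.
Import-Module ActiveDirectory

function Enable-UserAclInheritance {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [switch]$Force    # override the adminCount guard (the change will still not survive SDProp)
    )

    $user = Get-ADUser -Identity $SamAccountName -Properties adminCount
    $path = "AD:\$($user.DistinguishedName)"
    $acl  = Get-Acl -Path $path

    if (-not $acl.AreAccessRulesProtected) {
        Write-Host "$SamAccountName already inherits permissions; nothing to do."
        return $false
    }

    # adminCount=1 marks an account that is (or once was) in a protected group such as
    # Domain Admins. SDProp re-applies the AdminSDHolder DACL to it and disables
    # inheritance again, so enabling it here only lasts until the next SDProp run.
    if ($user.adminCount -eq 1 -and -not $Force) {
        Write-Warning "$SamAccountName has adminCount=1 (AdminSDHolder-protected); SDProp will reset inheritance. Use -Force to proceed anyway."
        return $false
    }

    # Same as ticking "Include inheritable permissions from this object's parent".
    # The second argument (preserveInheritance) only matters when protecting, not when unprotecting.
    $acl.SetAccessRuleProtection($false, $true)
    Set-Acl -Path $path -AclObject $acl
    Write-Host "Inheritance enabled on $($user.DistinguishedName)"
    return $true
}

Enable-UserAclInheritance -SamAccountName 'jdoe'
```

For a protected account the sustainable options are to stop the account being protected (remove it from the protected groups and clear adminCount) or to keep the privileged account and the mailbox-bearing account separate; forcing the change only buys time until SDProp runs again.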

Ratish Nair

Microsoft MVP | Office Servers and Services

Team @MSExchangeGuru
