Permissions model for helpdesk to Enable Exchange ActiveSync
This article outlines the steps to give an Active Directory group permission to enable/disable Exchange ActiveSync from Active Directory Users and Computers.
If your organization has a policy in place to enable users for Exchange ActiveSync only with approval, your helpdesk team should have the ability to Enable/Disable the feature. This feature is normally only available with Exchange admin permissions.
With Exchange 2010 the story is different with RBAC in place. You can create a custom management role and assign EAS permissions.
The attribute responsible for the EAS feature is “msExchOMAAdminWirelessEnable”.
You can read more here:
Troubleshooting Exchange ActiveSync and reading IIS logs: https://msexchangeguru.com/2012/02/01/exchange-activesync/
- Create an AD Group called “EASMobileEnableGroup”
- Add “EASMobileEnableGroup” to “Exchange View Only Administrators” group
- Add your helpdesk users as a member of the group
- Right-click on the domain level/OU level where you want to delegate permissions and select “Delegate Control”; on the next screen add “EASMobileEnableGroup” and click Next
- Select Custom task
- Select “User objects”
- Select Read and Write for the attribute “msExchOMAAdminWirelessEnable”
Once these steps are completed, add the helpdesk person to “EASMobileEnableGroup”. They should then be able to change the second option, “User Initiated Synchronization”, to Enabled or Disabled.
Ideally, if everything is set to enabled, the attribute “msExchOMAAdminWirelessEnable” will be <not set> in ADSIEdit.
If msExchOMAAdminWirelessEnable is set to 4, Options 1 and 3 are enabled and Option 2 is disabled.
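To confirm that the delegation grants only what the steps above describe, the ACL on the delegated container can be audited from PowerShell. This is an added example, not part of the original article; it assumes the RSAT ActiveDirectory module, and the OU distinguished name is a placeholder. It only inspects ACEs granted directly to “EASMobileEnableGroup”, not rights inherited through “Exchange View Only Administrators”.

```powershell
# Added example: verify EASMobileEnableGroup holds only Read/Write on
# msExchOMAAdminWirelessEnable at the container where Delegate Control was run.
Import-Module ActiveDirectory

$GroupName  = 'EASMobileEnableGroup'
$AttrName   = 'msExchOMAAdminWirelessEnable'
$SearchBase = 'OU=Staff,DC=example,DC=com'   # placeholder: your delegated domain/OU

# Resolve the attribute's schemaIDGUID at run time rather than hard-coding it.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$attr = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$AttrName)" `
                     -Properties schemaIDGUID
if (-not $attr) { throw "Attribute $AttrName not found in the schema" }
$attrGuid = [System.Guid]$attr.schemaIDGUID

$group = Get-ADGroup -Identity $GroupName
$acl   = Get-Acl -Path "AD:\$SearchBase"
$rpwp  = [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty'

# Ask for SIDs so the comparison does not depend on name resolution.
$rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

$findings = foreach ($ace in $rules) {
    if ($ace.IdentityReference.Value -ne $group.SID.Value) { continue }

    # Any right outside ReadProperty/WriteProperty is more than the wizard steps grant.
    $extraRights = [int]$ace.ActiveDirectoryRights -band (-bnot [int]$rpwp)
    $asDelegated = ($ace.AccessControlType -eq 'Allow') -and
                   ($ace.ObjectType -eq $attrGuid) -and
                   ($extraRights -eq 0)

    [pscustomobject]@{
        Rights      = $ace.ActiveDirectoryRights
        Type        = $ace.AccessControlType
        ObjectType  = $ace.ObjectType      # all zeros means "every property"
        Inherited   = $ace.IsInherited
        AsDelegated = $asDelegated
    }
}

if (-not $findings) { Write-Warning "No ACEs for $GroupName on $SearchBase" }
$findings | Format-Table -AutoSize

# Flag anything broader than the single-attribute delegation.
$findings | Where-Object { -not $_.AsDelegated } | ForEach-Object {
    Write-Warning "Unexpected ACE: $($_.Type) $($_.Rights) on object type $($_.ObjectType)"
}
```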
Ratish Nair
MVP Exchange
Team@ MSExchangeGuru
June 11th, 2012 at 4:29 am
GREAT one- This is very handy 🙂
October 21st, 2012 at 1:17 am
I tried the above, but the helpdesk people are still not able to enable the ActiveSync permission. Is it for Exchange 2003 or 2007?
October 22nd, 2012 at 1:54 pm
Should work for all
October 30th, 2012 at 3:54 am
I did the same as you mentioned above, but I am still getting the below error while trying to enable ActiveSync on EMC 2007.
“Access to address list services on all exchange 2007 servers has been denied”
What would be the issue? Any suggestions? Please!
November 2nd, 2012 at 12:58 am
Hi Ratish,
Any suggestion?
March 6th, 2013 at 12:37 pm
I am having the same issues with delegating this as Hari. I followed the steps but am still getting “Access to address list services on all exchange 2007 servers has been denied” when trying to enable/disable ActiveSync.
July 28th, 2013 at 10:15 am
Yes. It won’t work in EMC, but you can use a separate GUI tool to enable ActiveSync.
Here is the Quest PowerShell command to enable ActiveSync:
Set-QADUser -Identity "SAMAccountName or Email address" -ObjectAttributes @{msExchOmaAdminWirelessEnable = 3}