Exchange ActiveSync Not Working for Some Users “Post Migration”

KB ID 0000695

Problem

Error seen on some users on both Exchange 2007 and 2010, (post migration) form earlier versions of Exchange. When it fails you will also see this error.

Event ID 1053 Exchange

Event ID 1053 MSExchange ActiveSync

Exchange ActiveSync doesn’t have sufficient permissions to create the “CN={User Name},OU=<OU Name>,DC={Domain Name},DC=com” container under Active Directory user “Active Directory operation failed on servername.domain-name.com This error is not retriable. Additional information: Access is denied.

Active directory response: 00000005: SecErr: DSID-031521D0, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

Make sure the user has inherited permission granted to domainExchange Servers to allow List, Create child, Delete child of object type “msExchangeActiveSyncDevices” and doesn’t have any deny permissions that block such operations.

Solution

Note: This can happen if the user is a member of any of these groups.

Account Operators
Administrators
Backup Operators
Domain Admins
Domain Controllers
Enterprise Admins
Print Operators
Read-only Domain Controllers
Replicator
Schema Admins
Server Operators

If your user IS a member of any of these groups, then have their ActiveSync device ready to be configured, as this fix will “revert” back every hour. If you get it connected and working before it reverts you will be fine.

Note: Users and mailbox’s created post migration are NOT affected.

1. On your Exchange Server > Launch the Exchange Management Console > Server Configuration > Select your CAS Server > Properties > Security Settings > Locate the DC that it is using.

Locate Exchange Domain Controller

2. Go the that Domain Controller, and press Windows Key+R > dsa.msc {enter} > Active Directory Users and Computers should open.

3. View > Ensure Advanced Features is enabled > Locate the problem user > Properties > Security > Advanced > Ensure Exchange Servers is present > Tick the box to “Allow inheritable permissions from this objects parent” > Apply.

Allow inheritable permissions

4. Now attempt to connect your ActiveSync client.

Related Articles, References, Credits, or External Links

NA

Author: Migrated

Share This Post On