
So as you all know, the security provisions of Exchange Server 2010 and up prohibit ActiveSync access for members of Schema Admins. Since domain admins are schema admins, members of Domain Admins can't have ActiveSync access. I have a user who, when he was head of the networking department, gave his account Domain Admins membership. Now he has moved to programming only and wants to have his emails on his phone. I removed him from any and all administrative groups, but ActiveSync still doesn't work for him. The last thing I want to do is recreate his mailbox.

Zoredache
ArtK
  • What is happening when he tries to connect? Errors? – DanBig Aug 14 '14 at 16:14
  • This is one of the reasons why you should use a separate administrator account instead of giving admin privileges to your main account. – Zoredache Aug 14 '14 at 16:34
  • ArtK: Domain Admins are not by default members of Schema Admins. There should only be one account in Schema Admins, the builtin Administrator account. There is no reason to have any other account be a member of Schema Admins. – Greg Askew Aug 14 '14 at 17:08

1 Answer

This is usually resolved by setting the inheritable permissions flag on the user in question.

Under ADUC, go to View -> Advanced Features to expose the Security tab under the user's profile dialog.

Return to the user's settings in ADUC and choose the Security tab.

Click on Advanced and ensure that "Include Inheritable Permissions From This Object's Parent" is checked. Click OK a couple of times and exit.

Try running the ActiveSync again.

You'll also see this if you run the tests at: https://testconnectivity.microsoft.com

ewwhite
  • This is it; I've run into this any number of times. The user will have to use ActiveSync within an hour or so of doing this, as the account still has admincount set on it (AdminSDHolder) and there's a process that will remove those permissions you just added. You can also reset that AD attribute, if the account is no longer in the sensitive group(s), and include inheritable permissions. – mfinni Aug 14 '14 at 17:09
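The check and fix described in the answer and in mfinni's comment (confirm the account is out of every protected group, clear adminCount so SDProp stops re-stamping the AdminSDHolder ACL, then re-enable inheritance), as an added PowerShell example that is not part of the original thread. It assumes the ActiveDirectory RSAT module and rights to modify the user object; the sAMAccountName `jdoe` is a placeholder.

```powershell
# Added example, not from the original post. Placeholder account name below.
Import-Module ActiveDirectory

$sam  = 'jdoe'   # placeholder: the user who lost ActiveSync
$user = Get-ADUser -Identity $sam -Properties adminCount
$path = "AD:\$($user.DistinguishedName)"

# 1. SDProp stamps adminCount=1 on protected groups as well as on their
#    members, so use that marker to find every protected group and check
#    recursive membership (nested membership is enough to get re-stamped).
$stillProtected = foreach ($g in Get-ADGroup -LDAPFilter '(adminCount=1)') {
    $members = Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue
    if ($members.distinguishedName -contains $user.DistinguishedName) { $g.Name }
}
if ($stillProtected) {
    # Fixing the ACL now would be undone within the hour; remove the
    # membership first, then re-run this script.
    Write-Warning "$sam is still in protected group(s): $($stillProtected -join ', ')"
    return
}

# 2. Clear the adminCount flag so SDProp (runs roughly every 60 minutes)
#    no longer treats this object as protected.
if ($user.adminCount) {
    Set-ADUser -Identity $sam -Clear adminCount
}

# 3. Re-enable inheritance, the same thing the "Include Inheritable
#    Permissions From This Object's Parent" checkbox does in ADUC.
$acl = Get-Acl -Path $path
if ($acl.AreAccessRulesProtected) {
    # $false = stop blocking inheritance; $true = keep the explicit ACEs
    $acl.SetAccessRuleProtection($false, $true)
    Set-Acl -Path $path -AclObject $acl
}

# 4. Verify: adminCount should be empty and inheritance no longer blocked.
[pscustomobject]@{
    User               = $sam
    AdminCount         = (Get-ADUser $sam -Properties adminCount).adminCount
    InheritanceBlocked = (Get-Acl -Path $path).AreAccessRulesProtected
}
```

Re-run step 4 an hour or two later; if adminCount is back to 1 or inheritance is blocked again, the account is still reachable from a protected group through some nesting that step 1 did not catch.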