Hello all and thanks in advance.
Exchange 2007 to 2013 co-existence. All email now routed (proxies) through 2013 server. For everyone, Outlook functional, OWA functional and for everyone else on the old server, EAS is functional. I only have three clients on the new server. Outlook and OWA are functional, EAS is not. Two of those accounts get the following message on the 2013 server:
Exchange ActiveSync doesn't have sufficient permissions to create the "CN=Name\, User,OU=Users-IT,DC=HALFF,DC=AD" container under Active Directory user "Active Directory operation failed on SRV05.HALFF.AD. This error is not retriable. Additional information: Access is denied.
Active directory response: 00000005: SecErr: DSID-031521D0, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0".
Make sure the user has inherited permission granted to domain\Exchange Servers to allow List, Create child, Delete child of object type "msExchangeActiveSyncDevices" and doesn't have any deny permissions that block such operations.
These two accounts are also part of several 'protected' security groups such as domain admins and or enterprise admins. I've seen this KB: http://support.microsoft.com/en-us/kb/2579075 One of these accounts is mine. Security for my user object is NOT inherited. I went to make the change in the article and it said 77 items were going to be changed. "Warning. The change you are about to make will result in 77 permissions being added to the access control list"
Is this normal for AD objects that are part of protected groups? What is the best way to get through this?
Thanks,
Willis
