Allow ActiveSync to former domain administrator in Exchange 2010

Tags: activesync, exchange

So, as you all know, the security provisions of Exchange Server 2010 and up prohibit ActiveSync access for members of Schema Admins. Since Domain Admins are Schema Admins, members of Domain Admins can't have ActiveSync access. I have a user who, when he was head of the networking department, gave his account Domain Admin membership. Now he has moved to programming only and wants to have his emails on his phone. I removed him from any and all administrative groups, but ActiveSync still doesn't work for him. The last thing I want to do is recreate his mailbox.

Best Answer

This is usually resolved by setting the inheritable permissions flag on the user in question.

Under ADUC, go to View -> Advanced Features to expose the Security tab under the user's profile dialog.

Return to the user's settings in ADUC and choose the Security tab.

Click on Advanced and ensure that "Include Inheritable Permissions From This Object’s Parent" is checked. Click OK a couple of times and exit.

Try running the ActiveSync again.

You'll also see this if you run the tests at: https://testconnectivity.microsoft.com
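
A scripted equivalent of the ADUC steps in the answer above, as an added example that is not part of the original answer. It assumes the ActiveDirectory module (RSAT) is available; the function name `Repair-UserAclInheritance` and the account `jdoe` are placeholders. It also reports `adminCount`, which Active Directory sets to 1 on accounts that are or were members of protected groups such as Domain Admins.

```powershell
# Added example: check and re-enable ACL inheritance on an AD user object.
# Assumes the ActiveDirectory module; 'jdoe' is a placeholder account name.
Import-Module ActiveDirectory

function Repair-UserAclInheritance {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [string]$SamAccountName
    )

    $user = Get-ADUser -Identity $SamAccountName -Properties adminCount, MemberOf
    $path = "AD:\$($user.DistinguishedName)"
    $acl  = Get-Acl -Path $path

    # AreAccessRulesProtected = $true corresponds to the inheritance box
    # being unchecked in the Advanced Security dialog.
    $report = New-Object PSObject -Property @{
        User                = $user.SamAccountName
        AdminCount          = $user.adminCount
        InheritanceDisabled = $acl.AreAccessRulesProtected
        DirectGroups        = @($user.MemberOf)   # direct memberships only, not nested
    }

    if ($acl.AreAccessRulesProtected -and
        $PSCmdlet.ShouldProcess($user.DistinguishedName, 'Enable ACL inheritance')) {
        # First argument $false = stop protecting the ACL from inheritance.
        # The second argument is ignored when the first is $false.
        $acl.SetAccessRuleProtection($false, $true)
        Set-Acl -Path $path -AclObject $acl
    }

    $report
}

# Dry run: shows what would change without writing to the directory.
Repair-UserAclInheritance -SamAccountName 'jdoe' -WhatIf

# Apply the change.
Repair-UserAclInheritance -SamAccountName 'jdoe'
```

If the account is still a member of a protected group, directly or through nesting, Active Directory will disable inheritance on it again, so review the `DirectGroups` output before applying the change.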