I think the real question you should be asking is why you have to apply these AD permissions in the first place. You shouldn't need to do anything to get ActiveSync going; it just works™.
What are you experiencing when your users try to sync with ActiveSync? Any specific error messages might be useful.
Some background on why this is happening
I am willing to bet the users are in (or have been in) a privileged group such as Domain Admins or Enterprise Admins (or have been copied from a user in a privileged group).
This is a security feature built into Active Directory to prevent users with delegated access to higher privileged accounts from removing administrative permissions from them (accidentally or otherwise).
If you look in ADSI Edit on the affected users, you'll probably find a property called adminCount which is set to 1. If the users are not in any privileged groups, you should be able to set this property to 0 and make permissions inherit, and they should stick. If the user is still in a privileged group, the adminCount flag will be reset every hour along with any permissions you may have set.
From memory, the privileged groups are Enterprise Admins, Domain Admins and Account Operators (though there may be a few more).
I've finally fixed this.
Interestingly, Send-As is an AD permission, not an Exchange permission as you might have expected.
Anyway, these are the steps:
Make the target mailbox "shareable" using this command in PowerShell on your Exchange Server:
Set-Mailbox user1 -type:shared
If you get this error (same as in my first post):
You will need to find that user in AD and go to the properties >> Security >> Advanced:
You need to ENABLE the option to "Include inheritable permissions from this object's parent":
Once that is done you should be able to complete the folder share script.
Then actually grant the rights using this command:
Add-ADPermission user1 -User Ourdomain\User2 -ExtendedRights "Send As"
Hope that helps others who have the same problem.
Kieran
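The two posts above describe one procedure by hand: check whether the account is still protected by AdminSDHolder, clear the stale adminCount flag, re-enable inheritance, then convert the mailbox and grant Send As. The following PowerShell script is an added example of that whole sequence and is not code from either poster. It assumes the ActiveDirectory module and the Exchange Management Shell cmdlets are both loaded in the same session, and the account names user1 and Ourdomain\User2 are placeholders taken from the post.

```powershell
# Added example, not the thread's own commands. Assumes the ActiveDirectory
# module and the Exchange Management Shell are loaded in this session.
Import-Module ActiveDirectory

$User  = "user1"              # mailbox owner (placeholder from the post)
$Grant = "Ourdomain\User2"    # account that should get Send As (placeholder)

$u = Get-ADUser $User -Properties adminCount, distinguishedName

# 1. Is the user still a member, directly or nested, of a group that
#    AdminSDHolder protects (adminCount=1)? If so, SDProp will re-stamp the
#    ACL and adminCount on its next run and any change here will not stick.
$protectedGroups = Get-ADGroup -LDAPFilter "(adminCount=1)"
$stillProtected = $protectedGroups | Where-Object {
    Get-ADGroupMember $_ -Recursive |
        Where-Object { $_.distinguishedName -eq $u.distinguishedName }
}
if ($stillProtected) {
    $names = ($stillProtected | Select-Object -ExpandProperty Name) -join ", "
    Write-Warning "Still a member of protected group(s): $names. Remove the membership first."
    return
}

# 2. Clear the stale adminCount flag and turn inheritance back on for the
#    user object (the GUI step "Include inheritable permissions from this
#    object's parent"). The second argument keeps the explicit ACEs in place.
if ($u.adminCount -eq 1) { Set-ADUser $u -Clear adminCount }
$path = "AD:\$($u.distinguishedName)"
$acl  = Get-Acl -Path $path
$acl.SetAccessRuleProtection($false, $true)
Set-Acl -Path $path -AclObject $acl

# 3. The Exchange steps from the post: convert to a shared mailbox and grant
#    Send As, which is an AD extended right rather than a mailbox permission.
Set-Mailbox $User -Type Shared
Add-ADPermission $User -User $Grant -ExtendedRights "Send As"

# 4. Verify the right landed on the user object.
Get-ADPermission $User -User $Grant |
    Where-Object { $_.ExtendedRights -like "*Send-As*" } |
    Format-Table User, ExtendedRights, IsInherited -AutoSize
```

The membership check is recursive on purpose: nested membership in a protected group is enough for SDProp to re-protect the account, which is why clearing adminCount alone does not help while the user is still in one of those groups.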
Best Answer
The issue was that by default a user can only connect to 10 ActiveSync devices, and this user had reached that limit.
Run the following commands in your Exchange management shell to correct the issue by removing unused devices. Replace username with the affected user's username, and device identity with one of the devices returned from the Get-ActiveSyncDevice command you wish to remove. If you actually do need more than 10 devices you can change the EASMaxDevices policy. Best practice is to keep the number low though. Use the commands below to set the number of devices to 20.
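As an added example of the cleanup the answer describes (not the answer's own commands), the following PowerShell lists a user's ActiveSync partnerships with their last successful sync, removes the ones that have gone stale, and, where more than ten devices really are needed, raises the limit through a dedicated throttling policy rather than the default one. The mailbox name, the 90-day cutoff and the policy name EAS20Devices are assumptions for illustration.

```powershell
# Added example, not the answer's own commands. Run in the Exchange Management
# Shell. The mailbox, the 90-day cutoff and the policy name are placeholders.
$User   = "username"
$Cutoff = (Get-Date).AddDays(-90)

# 1. See what is holding the partnerships: device, type, last successful sync.
Get-ActiveSyncDeviceStatistics -Mailbox $User |
    Sort-Object LastSuccessSync |
    Format-Table DeviceId, DeviceType, LastSuccessSync -AutoSize

# 2. Remove partnerships that have not synced successfully since the cutoff.
#    Devices that never completed a sync have no LastSuccessSync and are
#    removed too. Drop -WhatIf once the list looks right.
Get-ActiveSyncDeviceStatistics -Mailbox $User |
    Where-Object { -not $_.LastSuccessSync -or $_.LastSuccessSync -lt $Cutoff } |
    ForEach-Object { Remove-ActiveSyncDevice -Identity $_.Identity -Confirm:$false -WhatIf }

# 3. Only if the user genuinely needs more than 10 devices: a separate
#    throttling policy scoped to that mailbox, so the default stays low.
$PolicyName = "EAS20Devices"
if (-not (Get-ThrottlingPolicy $PolicyName -ErrorAction SilentlyContinue)) {
    New-ThrottlingPolicy -Name $PolicyName -EASMaxDevices 20 | Out-Null
}
Set-Mailbox $User -ThrottlingPolicy $PolicyName

# 4. Confirm the effective limit and the remaining partnership count.
(Get-ThrottlingPolicy $PolicyName).EASMaxDevices
(Get-ActiveSyncDevice -Mailbox $User | Measure-Object).Count
```

Assigning a per-mailbox throttling policy keeps the exception visible and auditable; editing the default policy would raise the limit for every mailbox in the organisation, which is the opposite of the "keep the number low" advice in the answer.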