Include inheritable permissions from this object's parent unticks itself – Server 2008R2 / Exchange 2010

Tags: exchange-2010, mobile-devices, windows-server-2008-r2

In order to get mobile email syncing to work in our Exchange 2010 / Server 2008R2 environment we have to go to the user's account in AD, go to Properties, Security, Advanced and select the top object, which is an Exchange Servers permission with 'create msExchActiveSyncDevices o…' and the delete version of that in it.

Then on that object we tick 'Include inheritable permissions from this object's parent'.

I will admit I don't have enough background knowledge of how this works, but we're experiencing an issue where this gets unticked randomly for some users, and they are then unable to sync their email.

Does this get revoked somehow if the user does something? Or does anyone know anything else about why it would be unticking itself? We have the latest updates installed for Exchange and Windows.

Best Answer

I think the real question you should be asking is why you have to apply these AD permissions in the first place. You shouldn't need to do anything to get ActiveSync going, it just works™.

What are you experiencing when your users try to sync with ActiveSync? Any specific error messages might be useful.

Some background on why this is happening

I am willing to bet the users are in (or have been in) a privileged group such as Domain Admins or Enterprise Admins (or have been copied from a user in a privileged group).

This is a security feature built into Active Directory to prevent users with delegated access to higher privileged accounts from removing administrative permissions from them (accidentally or otherwise).

If you look in ADSI Edit on the affected users, you'll probably find a property called adminCount which is set to 1. If the users are not in any privileged groups, you should be able to set this property to 0 and make permissions inherit, and they should stick. If the user is still in a privileged group, the adminCount flag will be reset every hour along with any permissions you may have set.

From memory, the privileged groups are Enterprise Admins, Domain Admins and Account Operators (though there may be a few more).
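A read-only audit of the situation the answer describes, added here as an example (not the answerer's code) and assuming the RSAT ActiveDirectory module is installed: it lists every user with adminCount=1, whether inheritance is currently blocked on the account, and whether the user is still a member of one of the protected groups named above (Administrators is an assumed addition to that list; the placeholder names in the remediation comment are not real values).

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory RSAT module
# and read access to the users' security descriptors.
Import-Module ActiveDirectory

# Protected groups named in the answer, plus Administrators (assumed). The real list
# is driven by AdminSDHolder and may be broader in your domain; adjust as needed.
$protectedGroups = 'Enterprise Admins', 'Domain Admins', 'Account Operators', 'Administrators'

# Build the set of users that are currently (directly or via nesting) in a protected group.
$protectedMembers = @{}
foreach ($g in $protectedGroups) {
    $grp = Get-ADGroup -Filter "Name -eq '$g'" -ErrorAction SilentlyContinue
    if (-not $grp) { continue }
    Get-ADGroupMember -Identity $grp -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object { $protectedMembers[$_.distinguishedName] = $true }
}

# Report every user flagged with adminCount=1. "Orphaned" means the flag is set but the
# user is no longer in any protected group: that is the case where setting adminCount
# to 0 and re-enabling inheritance will stick, as the answer describes. For users still
# in a protected group the flag and permissions will be reapplied on the next run.
Get-ADUser -LDAPFilter '(adminCount=1)' -Properties adminCount, nTSecurityDescriptor |
    ForEach-Object {
        $inGroup = $protectedMembers.ContainsKey($_.DistinguishedName)
        [pscustomobject]@{
            User               = $_.SamAccountName
            InheritanceBlocked = $_.nTSecurityDescriptor.AreAccessRulesProtected
            InProtectedGroup   = $inGroup
            Orphaned           = -not $inGroup
        }
    } | Sort-Object Orphaned -Descending | Format-Table -AutoSize

# Remediation for an orphaned account, run deliberately one user at a time
# (<sam> and <DN> are placeholders for the account's sAMAccountName and distinguishedName):
#   Set-ADUser -Identity '<sam>' -Replace @{adminCount=0}
#   $acl = Get-Acl -Path 'AD:\<DN>'
#   $acl.SetAccessRuleProtection($false, $true)   # allow inheritance, keep existing ACEs
#   Set-Acl -Path 'AD:\<DN>' -AclObject $acl
```

Accounts that show InProtectedGroup = True are working as designed; remove them from the privileged group first if they are ordinary mailbox users, then clear the flag.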