Include inheritable permissions from this object's parent unticks itself - Server 2008R2 / Exchange 2010


I think the real question you should be asking is why you have to apply these AD permissions in the first place. You shouldn't need to do anything to get ActiveSync going, it just works™.

What are you experiencing when your users try to sync with ActiveSync? Any specific error messages might be useful.

Some background on why this is happening

I am willing to bet the users are in (or have been in) a privileged group such as Domain Admins or Enterprise Admins (or have been copied from a user in a privileged group).

This is a security feature built into Active Directory to prevent users with delegated access to higher privileged accounts from removing administrative permissions from them (accidentally or otherwise).

If you look in ADSI Edit on the affected users, you'll probably find a property called adminCount which is set to 1. If the users are not in any privileged groups, you should be able to set this property to 0 and make permissions inherit, and they should stick. If the user is still in a privileged group, the adminCount flag will be reset every hour along with any permissions you may have set.

From memory, the privileged groups are Enterprise Admins, Domain Admins and Account Operators (though there may be a few more).
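An added PowerShell example (not from the original answer or comments) that audits the condition described above and in Ben's later comment: it lists users carrying adminCount=1, checks whether they are still in a protected group, and for orphaned accounts optionally sets adminCount to 0 and re-enables inheritance. It assumes the ActiveDirectory RSAT module is installed and that the domain uses the default AdminSDHolder protected-group list (an assumption; dSHeuristics can change it).

```powershell
param([switch]$Fix)   # run without -Fix to report only
Import-Module ActiveDirectory

# Default groups protected by AdminSDHolder (assumption: defaults not altered via dSHeuristics).
# Enterprise Admins / Schema Admins exist only in the forest root domain.
$ProtectedGroups = 'Administrators','Account Operators','Server Operators','Print Operators',
    'Backup Operators','Domain Admins','Enterprise Admins','Schema Admins','Replicator',
    'Domain Controllers','Read-only Domain Controllers'

# Collect the DNs of everything that currently sits in a protected group, nested membership included.
$ProtectedMembers = @{}
foreach ($name in $ProtectedGroups) {
    $grp = Get-ADGroup -Filter "Name -eq '$name'" -ErrorAction SilentlyContinue
    if ($grp) {
        Get-ADGroupMember -Identity $grp -Recursive |
            ForEach-Object { $ProtectedMembers[$_.distinguishedName] = $true }
    }
}

# Users the AdminSDHolder thread has stamped: adminCount=1, usually with inheritance switched off.
$Flagged = Get-ADUser -LDAPFilter '(adminCount=1)' -Properties adminCount, nTSecurityDescriptor

foreach ($u in $Flagged) {
    $dn = $u.DistinguishedName
    $inheritanceBlocked = $u.nTSecurityDescriptor.AreAccessRulesProtected

    if ($ProtectedMembers.ContainsKey($dn)) {
        # Still protected: any manual change will be reverted on the next AdminSDHolder pass.
        Write-Output "$($u.SamAccountName): still in a protected group, leave as is"
        continue
    }

    Write-Output "$($u.SamAccountName): orphaned adminCount=1 (inheritance blocked: $inheritanceBlocked)"
    if ($Fix) {
        # Step 1 from the answer: set adminCount back to 0 (same effect as editing it in ADSI Edit).
        Set-ADUser -Identity $u -Replace @{ adminCount = 0 }

        # Step 2: tick "Include inheritable permissions from this object's parent".
        # $false = stop protecting the ACL (inherit again); $true = keep the existing explicit ACEs.
        $acl = Get-Acl -Path "AD:\$dn"
        $acl.SetAccessRuleProtection($false, $true)
        Set-Acl -Path "AD:\$dn" -AclObject $acl
        Write-Output "$($u.SamAccountName): adminCount cleared and inheritance re-enabled"
    }
}
```

Accounts reported as "still in a protected group" are the ones whose inheritance box will keep unticking itself; removing them from the group (if appropriate) must come before any ACL fix.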

Author: RodH257

Updated on September 17, 2022

Comments

  • RodH257
    RodH257 almost 2 years

    In order to get mobile email syncing to work in our Exchange 2010 / Server 2008R2 we have to go to the user's account in AD, go to properties, security, advanced and select the top object which is an Exchange Servers permission with 'create msExchActiveSyncDevices o...' and the delete version of that in it.

    Then on that object we tick 'include inheritable permissions from this object's parent'.

    I will admit I don't have enough background knowledge of how this works, but we're experiencing an issue where this gets unticked randomly for some users, and they are then unable to sync their email.

    Does this get revoked somehow if the user does something? Or does anyone know anything else about why it would be unticking itself? We have the latest updates installed for Exchange and Windows.

    • Sam Cogan
      Sam Cogan over 13 years
      What are you using for your mobile email sync? Exchange's built-in features or a third party product? I'm not sure why it should get unticked, but this is not something you should need to do to get mobile email sync to work and I would suggest there is something wrong with your permissions if this is the case.
    • RodH257
      RodH257 over 13 years
      yeah just exchange built in synchronization, no 3rd party tools
  • Ben Pilbrow
    Ben Pilbrow over 13 years
    On iPhone and editing is a pain. Full list of privileged groups and a bit of a better explanation (if you care) here: msmvps.com/blogs/UlfBSimonWeidner/archive/2005/05/29/49659.aspx
  • jscott
    jscott over 13 years
    +1 -- You're speaking of the AdminSDHolder object. This can cause snags when using the AD protected groups, as you mention.
  • Ben Pilbrow
    Ben Pilbrow over 13 years
    Indeed I am. I have first-hand experience of this screwing up BlackBerry permissions and it's a nightmare. We had 1 user in the Account Operators group for a while who was then taken out of it. Years later and several new hires later (copied from this user) we issue BlackBerrys to a load of people and some have mysterious problems all relating back to their permissions being reset by the AdminSDHolder thread because they were copied from a user who was once in a privileged group. It still gives me the heebie-jeebies thinking about it.
  • RodH257
    RodH257 over 13 years
    Thanks guys, you are correct, this particular user was a domain admin (and probably should still be but I think the permissions have been dropped). I had a look at Ben's link, and had a look into editing the AdminSDHolder properties, but it would appear that it already has those specific Exchange permissions set. I'm a bit out of my depth here, so I'm a bit cautious to change too much that I don't know about. What would you suggest be my next option? Should I try that MS KB article?
  • Ben Pilbrow
    Ben Pilbrow over 13 years
    If that user isn't likely to be put back in a privileged group, you can use ADSI Edit to change the adminCount property on their account to 0 (be careful with ADSI Edit - it won't stop you from doing something stupid). Then tick the inherit permissions box and it should stay ticked. Not sure about Exchange 2010, but in 2003 you had to either bounce the Exchange Information Store or wait a few hours for Exchange to pick it up. In any case, you shouldn't have to mess with AD permissions to get ActiveSync working, so I think something else is fundamentally wrong with your setup.
  • Ben Pilbrow
    Ben Pilbrow over 13 years
    @RodH257 - please see my edit regarding trying to fix the real problem.
  • Simon Catlin
    Simon Catlin over 13 years
    +1 - excellent post.