Monday, January 03, 2011

Exchange 2010 ActiveSync not functioning for Domain Admins users

I built a new domain with my own account as Domain Admin, and then after installing Exchange 2010 I couldn't work out why every other user except me could access ActiveSync.

The issue turns out to be that AD membership of certain admin "Protected Groups" turns off the inherited permissions on your AD account in the OU in which it resides.

To check whether inheritance is disabled on your user account, open AD Users and Computers -> View -> Advanced Features, locate the user account and click Properties, then the Security tab and then Advanced. Make sure the check box for "Include inheritable permissions from this object's parent" is checked.

If it is, ActiveSync will work - HOWEVER only for about 60 minutes!

You will find the SDPROP process will clear the inheritable permissions for you again after every 60 minutes! - See this TechNet article for more on SDPROP and the issues with OU inherited security that this can bring.
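To find the accounts affected without clicking through every user's Security tab, the following PowerShell script (an added example, not part of the original post) lists the users in an OU whose AD object has inheritance blocked or carries adminCount=1, the marker SDPROP sets on members of protected groups, and shows which of their direct groups are themselves protected. It assumes the ActiveDirectory module (RSAT) is installed and a domain controller is reachable; the OU distinguished name and the function names are placeholders of my own.

```powershell
# Added example, not from the original post. Requires the ActiveDirectory
# module (RSAT); the OU below is a placeholder to replace with your own.
Import-Module ActiveDirectory

function Get-ProtectedAccountReport {
    param(
        [string]$SearchBase = "OU=Users,DC=example,DC=com"   # placeholder OU
    )

    Get-ADUser -Filter * -SearchBase $SearchBase -Properties adminCount |
        ForEach-Object {
            # The AD: drive exposes each object's security descriptor to Get-Acl;
            # AreAccessRulesProtected is true when inheritance is blocked, which is
            # exactly what the "Include inheritable permissions" box reflects.
            $acl = Get-Acl -Path ("AD:\" + $_.DistinguishedName)

            # Direct group memberships that are themselves protected (adminCount=1).
            # Caveat: nested membership (e.g. via a group inside Domain Admins) also
            # triggers SDPROP but does not show up in this direct-membership list.
            $protectedGroups = Get-ADPrincipalGroupMembership -Identity $_ |
                ForEach-Object { Get-ADGroup -Identity $_ -Properties adminCount } |
                Where-Object { $_.adminCount -eq 1 } |
                Select-Object -ExpandProperty Name

            [PSCustomObject]@{
                SamAccountName     = $_.SamAccountName
                AdminCount         = $_.adminCount
                InheritanceBlocked = $acl.AreAccessRulesProtected
                ProtectedGroups    = ($protectedGroups -join ", ")
            }
        } |
        Where-Object { $_.InheritanceBlocked -or $_.AdminCount -eq 1 }
}

# Re-enable inheritance on one account. As the post explains this is only a
# temporary fix: SDPROP will clear it again within about 60 minutes while the
# account remains in a protected group, so use it only to confirm the diagnosis.
function Enable-AdObjectInheritance {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $user = Get-ADUser -Identity $SamAccountName
    $path = "AD:\" + $user.DistinguishedName
    $acl  = Get-Acl -Path $path
    # $false, $false = stop protecting the DACL and do not keep inherited ACEs as
    # explicit copies; the parent OU's permissions flow down again.
    $acl.SetAccessRuleProtection($false, $false)
    Set-Acl -Path $path -AclObject $acl
}

# Usage:
Get-ProtectedAccountReport -SearchBase "OU=Users,DC=example,DC=com" |
    Sort-Object SamAccountName |
    Format-Table -AutoSize
```

Running the report after the hourly SDPROP pass makes the pattern in the post visible: every account that is in (or nested under) a protected group shows InheritanceBlocked as True again, which is why the separate user account for mail is the lasting fix rather than re-ticking the box.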

So the only practical answer is to have 2 accounts, one for email as a user account and one for administration. This is Microsoft recommended practice and is detailed in this reference: Exchange ActiveSync Returned an HTTP 500 Error
