ActiveSync: some users cannot set up smartphones

2017-12-01T11:11:06+00:00 March 15th, 2011|Exchange|

We recently had a problem with one of our customers where a user was trying to set up a smartphone to sync emails but was getting a 0x86000C0A error when attempting to do so.

After researching the error we found that the user was a member of the Domain Admins group, and any user that is a member of a protected security group will have problems when setting up sync with smartphones. If the user is a member of any of the following groups then ActiveSync may not work:

Account Operators
Administrators
Backup Operators
Domain Admins
Domain Controllers
Enterprise Admins
Print Operators
Read-only Domain Controllers
Replicator
Schema Admins
Server Operators

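When we removed the user from the Domain Admins group we still could not set up the phone. The problem seemed to be related to AdminSDHolder, which disables permission inheritance on accounts in protected groups and does not re-enable it when an account leaves the group. More information about it can be found here: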

http://blogs.technet.com/b/askds/archive/2009/05/07/five-common-questions-about-adminsdholder-and-sdprop.aspx

 

Resolution

What we did to resolve this issue was to go to AD Users and Computers, click the View menu and select Show Advanced Features. Open the affected user's properties and click the Security tab. Click the Advanced button and make sure that ‘Include Inheritable Permissions From This Object’s Parent’ is ticked. Click OK twice to close the user account's properties.

Once AD replication has occurred, the user should be able to set up their phone for sync.

Note

If your user needs domain admin credentials or any of the roles in the list above, then the best practice is to create a separate account for the user with the administration role that they require.
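To find every account in this state rather than waiting for the next 0x86000C0A report, the following PowerShell audit is an added example (not part of the original post). It assumes the ActiveDirectory RSAT module; the adminCount attribute (set by SDProp on accounts it has stamped) and the helper name Enable-AclInheritance are not from the post, and the helper is hypothetical.

```powershell
# Added example: list user accounts with ACL inheritance disabled and show
# whether each one is still a member of a protected group.
Import-Module ActiveDirectory

# Protected groups as listed in this post.
$protectedGroups = 'Account Operators','Administrators','Backup Operators',
    'Domain Admins','Domain Controllers','Enterprise Admins','Print Operators',
    'Read-only Domain Controllers','Replicator','Schema Admins','Server Operators'

# DNs of every current member (nested membership included) of a protected group.
$stillProtected = @{}
foreach ($name in $protectedGroups) {
    # -Filter returns nothing for a group that does not exist in this domain.
    $group = Get-ADGroup -Filter "SamAccountName -eq '$name'"
    if (-not $group) { continue }
    Get-ADGroupMember -Identity $group -Recursive |
        ForEach-Object { $stillProtected[$_.DistinguishedName] = $true }
}

# nTSecurityDescriptor carries the ACL; AreAccessRulesProtected is $true when
# the "include inheritable permissions" box is unticked.
$report = Get-ADUser -Filter * -Properties nTSecurityDescriptor, adminCount |
    Where-Object { $_.nTSecurityDescriptor.AreAccessRulesProtected } |
    ForEach-Object {
        [pscustomobject]@{
            SamAccountName    = $_.SamAccountName
            AdminCount        = $_.adminCount
            InProtectedGroup  = $stillProtected.ContainsKey($_.DistinguishedName)
            DistinguishedName = $_.DistinguishedName
        }
    }
$report | Sort-Object InProtectedGroup, SamAccountName | Format-Table -AutoSize

# Hypothetical helper: scripted form of the Resolution step. Only use it on rows
# where InProtectedGroup is False; on a protected account SDProp will disable
# inheritance again on its next run.
function Enable-AclInheritance {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $path = "AD:\$DistinguishedName"
    $acl  = Get-Acl -Path $path
    $acl.SetAccessRuleProtection($false, $true)   # $false = inherit from parent
    if ($PSCmdlet.ShouldProcess($DistinguishedName, 'Re-enable ACL inheritance')) {
        Set-Acl -Path $path -AclObject $acl
    }
}
```

Run the helper with -WhatIf first. Rows where InProtectedGroup is True are the accounts the Note above applies to.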