We recently had a problem with one of our customers where a user was trying to set up a smartphone to sync emails but was getting a 0x86000C0A error when attempting to do so.
After some researching on the error we found that the user was a member of the Domain Admins group and any user that is a member of a protected security group will have problems when setting up syncs with smartphones. If the user is a member of any of the following groups then active sync may not work:
Read-only Domain Controllers
When we removed the user from the domain admins group we still could not set up the phone. The problem seemed to be related to the AdminSDHolder, more information about it can be found here:
What we did to resolve this issue was to go to AD Users and Computers, click the view menu and select Show Advanced Features. Open up the affected users properties and click on the Security tab. Click on the advanced button and make sure that ‘Include Inheritable Permissions From This Object’s Parent’ is ticked. Click OK twice to close the user account.
After AD replication has occurred then the user should be able to set up their phones for sync.
If your user needs to have domain admin credentials or any of the roles that are in the list above then the best practise is to create another account for the user with the administration role that they require.