We recently had an issue in an Exchange 2010 environment where a user couldn’t sync mail to their mobile devices via ActiveSync. Every attempt to create an ActiveSync profile on the mobile device failed.
Each time the user tried to create the ActiveSync profile, the following error was logged in the application log on the Exchange servers:
“Event ID: 1053
Exchange ActiveSync doesn’t have sufficient permissions to create the “CN=Username,OU=Users,DC=domain,DC=Com” container under Active Directory user “Active Directory operation failed on DOMAINCONTROLLER.domain.suffix. This error is not retriable. Additional information: Access is denied.
Active directory response: 00000005: SecErr: DSID-031521D0, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0”.
Make sure the user has inherited permission granted to domain\Exchange Servers to allow List, Create child, Delete child of object type “msExchangeActiveSyncDevices” and doesn’t have any deny permissions that block such operations.”
To resolve this, we had to do the following:
- Open AD Users and Computers
- Press View and select Advanced Features
- Do a find for the user in question
- Go to Properties > Security Tab
- Select Advanced
- Press Add and type “Exchange Servers”
- Under Apply to, change to “Descendant msExchActiveSyncDevices objects”
- Select the Modify permissions checkbox
- Press OK
After this change, ActiveSync kicked straight into life for the user :)
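The event text points at two things on the user object: whether it still inherits permissions, and whether a deny entry blocks the operation. The read-only PowerShell check below is an added example, not part of the original post. It assumes the ActiveDirectory (RSAT) module is available, and the account name `username` and the `DOMAIN` prefix are placeholders.

```powershell
# Added example: read-only audit of the user object's ACL; it changes nothing.
Import-Module ActiveDirectory

# Placeholders (assumptions): the affected account and your domain's NetBIOS name.
$SamAccountName = 'username'
$Trustee        = 'DOMAIN\Exchange Servers'

$user = Get-ADUser -Identity $SamAccountName -Properties adminCount
$acl  = Get-Acl -Path ("AD:\" + $user.DistinguishedName)

# Look up the schema GUID of the msExchActiveSyncDevices class, which is how
# ACEs scoped to "Descendant msExchActiveSyncDevices objects" are identified.
$schemaNC  = (Get-ADRootDSE).schemaNamingContext
$class     = Get-ADObject -SearchBase $schemaNC `
                 -LDAPFilter '(lDAPDisplayName=msExchActiveSyncDevices)' `
                 -Properties schemaIDGUID
$classGuid = [guid]$class.schemaIDGUID

# Every ACE, from any trustee, that names that class as its object type
# (create/delete child) or as its inherited object type (applies-to scope).
$aces = @($acl.Access | Where-Object {
    $_.ObjectType -eq $classGuid -or $_.InheritedObjectType -eq $classGuid
})
$allow = @($aces | Where-Object {
    $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -eq $Trustee
})
$deny  = @($aces | Where-Object { $_.AccessControlType -eq 'Deny' })

[pscustomobject]@{
    User               = $user.DistinguishedName
    # True means the object no longer inherits ACEs from its parent OU.
    InheritanceBlocked = $acl.AreAccessRulesProtected
    # 1 marks an AdminSDHolder-protected account, whose ACL is reset periodically.
    AdminCount         = $user.adminCount
    ExchangeAllowAces  = $allow.Count
    DenyAces           = $deny.Count
} | Format-List

# Detail view of the matching entries, inherited or explicit.
$aces | Format-Table IdentityReference, AccessControlType,
    ActiveDirectoryRights, IsInherited -AutoSize
```

If `InheritanceBlocked` is True and `ExchangeAllowAces` is 0, the inherited grant the event message asks for never reaches the object, which is the condition the explicit entry in the steps above works around.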