Monday, October 06, 2014

ActiveSync and AdminSDHolder

This one is an oldie, but I wanted to write a little bit about it here. Basically, mailboxes belonging to users with Domain Admin privilege (and some other admin-type group memberships) cannot initiate ActiveSync once their mailbox is moved from Exchange 2007 to 2013.

The following log entry is observed in Exchange 2013:

Log Name:      Application
Source:        MSExchange ActiveSync
Date:          6/10/2014 6:27:44 PM
Event ID:      1053
Task Category: Configuration
Level:         Error
Keywords:      Classic
User:          N/A
Exchange ActiveSync doesn't have sufficient permissions to create the "CN=User Name,OU=IT,OU=Administration,DC=company,DC=com" container under Active Directory user "Active Directory operation failed on This error is not retriable. Additional information: Access is denied.
Active directory response: 00000005: SecErr: DSID-031521D0, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
Make sure the user has inherited permission granted to domain\Exchange Servers to allow List, Create child, Delete child of object type "msExchangeActiveSyncDevices" and doesn't have any deny permissions that block such operations.

Also, from exRCA:

Attempting the FolderSync command failed.
Exchange ActiveSync returned an HTTP 500 response (Internal Server Error)

There are two ways to fix this: either bypass the AdminSDHolder protection by granting the required ActiveSync permissions on the AdminSDHolder object itself, or make the change on every privileged user's AD account (usually domain admins). The caveat with the second approach is that the user has to complete the ActiveSync device sync within the hour, or AdminSDHolder will reapply the original permissions to the account.

1. AdminSDHolder "fix"/bypass -

REM Permissions on the AdminSDHolder object itself (the user object after propagation)
dsacls "CN=AdminSDHolder,CN=System,DC=MYDOMAIN,DC=COM" /G "MYDOMAIN\Exchange Servers:CCDC;msExchActiveSyncDevices"

REM Descendant msExchActiveSyncDevices objects
dsacls "CN=AdminSDHolder,CN=System,DC=MYDOMAIN,DC=COM" /I:S /G "MYDOMAIN\Exchange Servers:LCRPWPRCWD;;msExchActiveSyncDevices"
dsacls "CN=AdminSDHolder,CN=System,DC=MYDOMAIN,DC=COM" /I:S /G "MYDOMAIN\Exchange Servers:CCDC;msExchActiveSyncDevice;msExchActiveSyncDevices"

REM Descendant msExchActiveSyncDevice objects
dsacls "CN=AdminSDHolder,CN=System,DC=MYDOMAIN,DC=COM" /I:S /G "MYDOMAIN\Exchange Servers:LCRPWPRCWD;;msExchActiveSyncDevice"
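As an added example (not from the original post), the following PowerShell checks whether AdminSDHolder already carries the Create child/Delete child ACE for the Exchange Servers group on msExchActiveSyncDevices that the dsacls commands above grant, and if not, lists the protected (adminCount=1) accounts whose ActiveSync provisioning will fail. It assumes the RSAT ActiveDirectory module is installed, an Exchange-extended schema, and that the Exchange Servers group lives in the current domain; it only reads the ACL and changes nothing.

```powershell
# Added example: verify the AdminSDHolder ACE that the dsacls fix creates.
# Assumes RSAT ActiveDirectory module and a single-domain Exchange deployment.
Import-Module ActiveDirectory

$domain    = Get-ADDomain
$rootDse   = Get-ADRootDSE
$holderDn  = "CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)"
$groupName = "$($domain.NetBIOSName)\Exchange Servers"

# ACEs store the object type as a schemaIDGUID, not the lDAPDisplayName
# that dsacls accepts, so resolve msExchActiveSyncDevices to its GUID first.
$schemaObj = Get-ADObject -SearchBase $rootDse.SchemaNamingContext `
    -LDAPFilter '(lDAPDisplayName=msExchActiveSyncDevices)' -Properties schemaIDGUID
if (-not $schemaObj) { throw "msExchActiveSyncDevices class not found; is the Exchange schema present?" }
$classGuid = [guid]$schemaObj.schemaIDGUID

# Read the AdminSDHolder ACL through the AD: PSDrive provided by the module.
$acl    = Get-Acl -Path "AD:\$holderDn"
$needed = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild -bor
          [System.DirectoryServices.ActiveDirectoryRights]::DeleteChild

# An Allow ACE for Exchange Servers whose object type is the
# msExchActiveSyncDevices class and which includes both CC and DC.
$match = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference.Value -eq $groupName -and
    $_.ObjectType -eq $classGuid -and
    (($_.ActiveDirectoryRights -band $needed) -eq $needed)
}

if ($match) {
    Write-Host "OK: $groupName holds CCDC on msExchActiveSyncDevices in $holderDn"
} else {
    Write-Host "MISSING: no CCDC ACE for $groupName on msExchActiveSyncDevices in $holderDn"
    Write-Host "Protected accounts (adminCount=1) whose ActiveSync setup will fail with event 1053:"
    Get-ADUser -LDAPFilter '(adminCount=1)' -Properties adminCount |
        Select-Object -ExpandProperty SamAccountName
}
```

Run it before and after the dsacls commands to confirm the ACE landed on AdminSDHolder; the per-user inheritance is then restored by the hourly propagation rather than being overwritten by it.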

2. Per-user setting - but be quick! Set up ActiveSync within the hour -

  • Launch ADUC and make sure Advanced View is enabled
  • Right-click the user account and go to Properties
  • Click the Security tab, then click Advanced
  • Check the Include inheritable permission.... checkbox
  • OK out of all the dialog boxes
  • Sync your device
