Exchange 2013 server is available for download. Last week I downloaded the installation files and gave it a try. I struggled with my first try due to my previous Exchange 2010 setup and I soon decided to start a new Active Directory domain. Having a fresh Windows domain and a new installation of Exchange 2013 worked out.
I needed to learn and read some articles, as the Management Console for Exchange disappeared and management is only available from the PowerShell command line or over a virtual web ECP folder (Exchange Administration Center). In the end all went fine except the synchronization with my Windows Phone, iPhone and iPad. I had two accounts I was working with: one as a resource mailbox and another mailbox as my primary Exchange account. The synchronization of my resource mailbox worked fine, but on my primary account it didn’t work.
I got the following error message in the Event Viewer. After seeing this MSExchange ActiveSync 1053 message I remembered I had seen this before. The same message appeared on my Exchange 2010 server, and I fixed it by changing some additional security settings on my Windows account.
The whole problem starts with adding my account to the “Domain Admins” group.
When a domain account is added to one of the protected security groups, such as “Domain Admins” or “Enterprise Admins”, the account gets a protected DACL (inheritable permissions turned off) and its adminCount attribute is set to 1. As a result, Exchange server ends up with insufficient permissions on the account. I compared my primary mailbox with the resource mailbox and I see a difference between those two:
When you compare the permissions assigned to the SELF security object, you will see that many checkboxes are missing on the account that is a member of the “Domain Admins” group.
Solution:
Make sure none of the accounts used for ActiveSync are members of the protected security groups for Active Directory management. This is the root cause of the problem. If the account was a member of any of these groups, follow these steps to revert to the original defaults:
Open the Windows account, go to Security, Advanced Security Settings and click the “Restore Default” button. Then go to the Attribute Editor and change the adminCount attribute from 1 to 0.
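The same check can be scripted across all mailbox users. The PowerShell below is an added example, not part of the original post: it assumes the ActiveDirectory (RSAT) module, the function name `Find-ProtectedMailboxUser` is hypothetical, and its optional repair re-enables permission inheritance rather than reproducing the “Restore Default” button.

```powershell
# Added example: report mailbox users stamped adminCount=1 and optionally reset them.
# Assumes the ActiveDirectory RSAT module; the function name is hypothetical.
Import-Module ActiveDirectory

function Find-ProtectedMailboxUser {
    [CmdletBinding(SupportsShouldProcess)]
    param([switch]$Repair)

    # Mailbox-enabled users that carry the protected-account flag
    $filter = '(&(objectCategory=person)(objectClass=user)(adminCount=1)(msExchMailboxGuid=*))'
    foreach ($u in Get-ADUser -LDAPFilter $filter -Properties nTSecurityDescriptor) {
        # Escape the DN for use inside an LDAP filter (backslash first)
        $dn = $u.DistinguishedName -replace '\\','\5c' -replace '\(','\28' `
                                   -replace '\)','\29' -replace '\*','\2a'
        # Protected groups (adminCount=1) the user is in, nested membership included.
        # Membership through primaryGroupID is not covered by this filter.
        $groups = @(Get-ADGroup -LDAPFilter "(&(adminCount=1)(member:1.2.840.113556.1.4.1941:=$dn))")

        [pscustomobject]@{
            User                = $u.SamAccountName
            ProtectedGroups     = $groups.Name -join ', '
            InheritanceDisabled = $u.nTSecurityDescriptor.AreAccessRulesProtected
        }

        # Repair only accounts that have left every protected group; for current
        # members, AD re-applies the flag and the protected DACL.
        if ($Repair -and $groups.Count -eq 0 -and
            $PSCmdlet.ShouldProcess($u.DistinguishedName, 'Reset adminCount and enable inheritance')) {
            Set-ADUser -Identity $u -Replace @{ adminCount = 0 }
            $path = "AD:\$($u.DistinguishedName)"
            $acl  = Get-Acl -Path $path
            $acl.SetAccessRuleProtection($false, $true)   # $false = inheritance back on
            Set-Acl -Path $path -AclObject $acl
        }
    }
}

Find-ProtectedMailboxUser                      # report only
# Find-ProtectedMailboxUser -Repair -WhatIf    # preview the changes first
```

Accounts listed with an empty ProtectedGroups column are the ones left behind after removal from an admin group, which is the state the steps above correct.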
The issue also comes back with Exchange 2013. Some years ago I ran into the same problem with Exchange 2010. If I had applied the best practice of not assigning the Domain Admins group to my primary Windows account, this would never have happened. I hope this post helps others with some more detail and some screen examples of where to look and what background it holds.
I am up and running with all my mobile devices :).