ActiveSync users cannot synchronize an EAS device for the first time in an Exchange Server 2010 or Exchange Server 2013 environment

Article ID: 2579075 - View products that this article applies to.
Expand all | Collapse all

Symptoms

A user cannot synchronize a Microsoft Exchange ActiveSync (EAS) device for the first time.

When this issue occurs, the following event is logged in the Application log in Event Viewer:

Source: MSExchange ActiveSync
Event ID: 1053
Task Category: Configuration
Description:

Exchange ActiveSync doesn't have sufficient permissions to create the "CN=MailboxName,OU=OrganizationalUnitName,DC=domain,DC=suffix" container under Active Directory user "Active Directory operation failed on DOMAINCONTROLLER.domain.suffix. This error is not retriable. Additional information: Access is denied.

Active directory response: 00000005: SecErr: DSID-031521D0, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0".

Make sure the user has inherited permission granted to domain\Exchange Servers to allow List, Create child, Delete child of object type "msExchangeActiveSyncDevices" and doesn't have any deny permissions that block such operations.

Back to the top | Give Feedback

Cause

This issue can occur if the Owner Rights security principal does not have Full Control permissions on the user account that is trying to synchronize the EAS device.
Back to the top | Give Feedback

Resolution

To work around this issue, assign the Exchange Servers group the right to change permissions against msExchActiveSyncDevices objects. To do this, follow these steps:
  1. Start Active Directory Users and Computers.
  2. Click View, and then click to enable Advanced Features.
  3. Right-click the object where you want to change the Exchange Server permissions, and then click Properties.

    Note You can change permissions against a user, an organizational unit, or a domain.
  4. On the Security tab, click Advanced.
  5. Click Add, type Exchange Servers, and then click OK.
  6. In the Apply to box, click Descendant msExchActiveSyncDevices objects.
  7. Under Permissions, click to enable Modify Permissions.
  8. Click OK three times.
Back to the top | Give Feedback

More information

The first time that a user tries to synchronize an EAS device, the Microsoft Exchange Server tries to create a container of the type msExchActiveSyncDevices under the user object in Active Directory Domain Services (AD DS). The Exchange Server then tries to change permissions on the container.

By default, the Exchange Server group has rights to Create and Delete msExchActiveSyncDevices objects. However, the Exchange Server group does not have rights to change permissions on msExchActiveSyncDevices. Instead, the rights are inherited from the Owner Rights security principal. By default, the Owner Rights security principal has Full Control permissions.

If the permissions for the Owner Rights security principal are changed, the issue that is described in the "Symptoms" section can occur. For example, this issue can occur if the Owner Rights security principal has Read permissions on msExchActiveSyncDevices objects.
Back to the top | Give Feedback

References

For more information about the Owner Rights security principal in AD DS, visit the following Microsoft TechNet website:
http://technet.microsoft.com/en-us/library/dd125370(WS.10).aspx
(http://technet.microsoft.com/en-us/library/dd125370(WS.10).aspx)
Back to the top | Give Feedback

Properties

Article ID: 2579075 - Last Review: October 25, 2012 - Revision: 3.0
Applies to
  • Microsoft Exchange Server 2010 Enterprise
  • Microsoft Exchange Server 2010 Standard
  • Microsoft Exchange Server 2013 Enterprise
  • Microsoft Exchange Server 2013 Standard
Keywords: 
kbsurveynew kbprb KB2579075
Back to the top | Give Feedback

Give Feedback

 
Back to the topBack to the top