You are currently offline, waiting for your internet to reconnect

ActiveSync users cannot synchronize an EAS device for the first time in an Exchange Server environment

A user cannot synchronize a Microsoft Exchange ActiveSync (EAS) device for the first time.

When this issue occurs, the following event is logged in the Application log in Event Viewer:

Source: MSExchange ActiveSync
Event ID: 1053
Task Category: Configuration

Exchange ActiveSync doesn't have sufficient permissions to create the "CN=MailboxName,OU=OrganizationalUnitName,DC=domain,DC=suffix" container under Active Directory user "Active Directory operation failed on DOMAINCONTROLLER.domain.suffix. This error is not retriable. Additional information: Access is denied.

Active directory response: 00000005: SecErr: DSID-031521D0, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0".

Make sure the user has inherited permission granted to domain\Exchange Servers to allow List, Create child, Delete child of object type "msExchangeActiveSyncDevices" and doesn't have any deny permissions that block such operations.

This issue can occur if the Owner Rights security principal does not have Full Control permissions on the user account that is trying to synchronize the EAS device.
To work around this issue, assign the Exchange Servers group the right to change permissions against msExchActiveSyncDevices objects. To do this, follow these steps:
  1. Start Active Directory Users and Computers.
  2. Click View, and then click to enable Advanced Features.
  3. Right-click the object where you want to change the Exchange Server permissions, and then click Properties.

    Note You can change permissions against a user, an organizational unit, or a domain.
  4. On the Security tab, click Advanced.
  5. Click Add, type Exchange Servers, and then click OK.
  6. In the Apply to box, click Descendant msExchActiveSyncDevices objects.
  7. Under Permissions, click to enable Modify Permissions.
  8. Click OK three times.
More information
The first time that a user tries to synchronize an EAS device, the Microsoft Exchange Server tries to create a container of the type msExchActiveSyncDevices under the user object in Active Directory Domain Services (AD DS). The Exchange Server then tries to change permissions on the container.

By default, the Exchange Server group has rights to Create and Delete msExchActiveSyncDevices objects. However, the Exchange Server group does not have rights to change permissions on msExchActiveSyncDevices. Instead, the rights are inherited from the Owner Rights security principal. By default, the Owner Rights security principal has Full Control permissions.

If the permissions for the Owner Rights security principal are changed, the issue that is described in the "Symptoms" section can occur. For example, this issue can occur if the Owner Rights security principal has Read permissions on msExchActiveSyncDevices objects.

The Troubleshoot ActiveSync with Exchange Server guided walkthrough helps troubleshoot the following issues:
  • Unable to create a profile on the device
  • Unable to connect to the server
  • Mail issues
  • Calendaring issues
  • Delays on device/CAS performance

For more information about the Owner Rights security principal in AD DS, visit the following Microsoft TechNet website:

Article ID: 2579075 - Last Review: 10/01/2015 07:11:00 - Revision: 5.0

Microsoft Exchange Server 2010 Enterprise, Microsoft Exchange Server 2010 Standard, Microsoft Exchange Server 2013 Enterprise, Microsoft Exchange Server 2013 Standard, Exchange Server 2016 Enterprise Edition, Exchange Server 2016 Standard Edition

  • kbsurveynew kbprb KB2579075