Exchange ActiveSync doesn't have sufficient permissions to create the "CN=MailboxName,OU=OrganizationalUnitName,DC=domain,DC=suffix" container under Active Directory user "Active Directory operation failed on DOMAINCONTROLLER.domain.suffix. This error is not retriable. Additional information: Access is denied.
Active directory response: 00000005: SecErr: DSID-031521D0, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0".
Make sure the user has inherited permission granted to domain\Exchange Servers to allow List, Create child, Delete child of object type "msExchangeActiveSyncDevices" and doesn't have any deny permissions that block such operations.
This issue can occur if the Owner Rights security principal does not have Full Control permissions on the user account that is trying to synchronize the EAS device.
To work around this issue, assign the Exchange Servers group the right to change permissions against msExchActiveSyncDevices objects. To do this, follow these steps:
Start Active Directory Users and Computers.
Click View, and then click to enable Advanced Features.
Right-click the object where you want to change the Exchange Server permissions, and then click Properties.
Note You can change permissions against a user, an organizational unit, or a domain.
On the Security tab, click Advanced.
Click Add, type Exchange Servers, and then click OK.
In the Apply to box, click Descendant msExchActiveSyncDevices objects.
Under Permissions, click to enable Modify Permissions.
Click OK three times.
The first time that a user tries to synchronize an EAS device, the Microsoft Exchange Server tries to create a container of the type msExchActiveSyncDevices under the user object in Active Directory Domain Services (AD DS). The Exchange Server then tries to change permissions on the container.
By default, the Exchange Server group has rights to Create and Delete msExchActiveSyncDevices objects. However, the Exchange Server group does not have rights to change permissions on msExchActiveSyncDevices. Instead, the rights are inherited from the Owner Rights security principal. By default, the Owner Rights security principal has Full Control permissions.
If the permissions for the Owner Rights security principal are changed, the issue that is described in the "Symptoms" section can occur. For example, this issue can occur if the Owner Rights security principal has Read permissions on msExchActiveSyncDevices objects.
Microsoft Exchange Server 2010 Enterprise, Microsoft Exchange Server 2010 Standard, Microsoft Exchange Server 2013 Enterprise, Microsoft Exchange Server 2013 Standard, Exchange Server 2016 Enterprise Edition, Exchange Server 2016 Standard Edition