Поделиться через


exchange 2010 mobile Sync "problem 4003 (INSUFF_ACCESS_RIGHTS) when you sync mobile device"

The first time that a user tries to synchronize an EAS device, the Microsoft Exchange Server tries to create a container of the type msExchActiveSyncDevices under the user object in Active Directory Domain Services (AD DS). The Exchange Server then tries to change permissions on the container.

By default, the Exchange Server  group has rights to Create and Delete msExchActiveSyncDevices objects. However, the Exchange Server group does not have rights to change permissions on msExchActiveSyncDevices. Instead, the rights are inherited from  the Owner Rights security principal. By default, the Owner Rights security principal has Full Control permissions

 

usually this should be resolved by following KB https://support.microsoft.com/kb/2579075

 

 

in some cases the above KB article doesn't solve the issue so we have to add the permissions at a higher level using dsacls as below

 

in my case I found the below permissions missing

 

Domain Name\Exchange Servers    SPECIAL ACCESS for msExchActiveSyncDevices   <Inherited from parent>
                                     

                                      CREATE CHILD
                                      DELETE CHILD
                                      LIST CONTENTS

Dsacls “dc=contoso,dc=com” /I:S /G “Contoso\exchange servers:CCDC;msexchActiveSyncDevices;user”
Dsacls “dc=contoso,dc=com” /I:S /G “Contoso\exchange servers:LC;;user”

 after that the user should be able to sync his mobile