exchange 2010 mobile Sync "problem 4003 (INSUFF_ACCESS_RIGHTS) when you sync mobile device"
The first time that a user tries to synchronize an EAS device, the Microsoft Exchange Server tries to create a container of the type msExchActiveSyncDevices under the user object in Active Directory Domain Services (AD DS). The Exchange Server then tries to change permissions on the container.
By default, the Exchange Server group has rights to Create and Delete msExchActiveSyncDevices objects. However, the Exchange Server group does not have rights to change permissions on msExchActiveSyncDevices. Instead, the rights are inherited from the Owner Rights security principal. By default, the Owner Rights security principal has Full Control permissions
usually this should be resolved by following KB https://support.microsoft.com/kb/2579075
in some cases the above KB article doesn't solve the issue so we have to add the permissions at a higher level using dsacls as below
in my case I found the below permissions missing
Domain Name\Exchange Servers SPECIAL ACCESS for msExchActiveSyncDevices <Inherited from parent>
CREATE CHILD
DELETE CHILD
LIST CONTENTS
Dsacls “dc=contoso,dc=com” /I:S /G “Contoso\exchange servers:CCDC;msexchActiveSyncDevices;user”
Dsacls “dc=contoso,dc=com” /I:S /G “Contoso\exchange servers:LC;;user”
after that the user should be able to sync his mobile