In this article we will fix a problem we had with Exchange 2010 when synchronising mail on a mobile device using ActiveSync. When attempting the synchronisation, the following error message (Source MSExchange ActiveSync, ID 1053) was logged in the CAS server’s event log:
Exchange ActiveSync doesn’t have sufficient permissions to create the “CN=<user name>,OU=<OU Name>,DC=ldap389,DC=info” container under Active Directory user “Active Directory operation failed on <dc-name>.ldap389.info. This error is not retriable. Additional information: Access is denied.
Active directory response: 00000005: SecErr: DSID-03151E04, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
Make sure the user has inherited permission granted to domain\Exchange Servers to allow List, Create child, Delete child of object type “msExchangeActiveSyncDevices” and doesn’t have any deny permissions that block such operations.
A possible resolution to this problem is given in this post, but in our case the “allow inheritable permissions” checkbox was already ticked on the account’s security tab. The problem occurred because the account’s object class was InetOrgPerson and not user.
When you have a look at the permissions added by the Exchange 2010 schema extension described in this Technet article, you will notice that the msExchActiveSyncDevice object creation/deletion right for “Exchange Servers” is granted on accounts with the user class but not on those with the InetOrgPerson class. For the other kinds of permissions, both object classes are taken into consideration:
To fix the problem you just need to grant, on the InetOrgPerson objects, the same permissions that are already granted on the User objects:
You might want to apply this security setting on your entire domain (dc=ldap389,dc=info) if use of the InetOrgPerson class has become widespread.
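The check and fix described above, as an added PowerShell example that is not part of the original post: it reads the ACL of a container (by default the domain root, as suggested above), reports whether “Exchange Servers” already holds the Create/Delete child right for msExchActiveSyncDevices inherited to user and to inetOrgPerson objects, and with -Apply adds the missing inetOrgPerson ACE. The schema GUIDs are looked up at run time rather than hard-coded; the group name and the domain-root target are assumptions you can override with the parameters.

```powershell
# Added example, not the original post's code. Audits and optionally adds the ACE that
# lets "Exchange Servers" create/delete msExchActiveSyncDevices under inetOrgPerson objects.
param(
    [string]$Target = (Get-ADDomain).DistinguishedName,  # assumption: whole domain, as the post suggests
    [string]$ExchangeServersGroup = 'Exchange Servers',  # group named in the event text
    [switch]$Apply
)
Import-Module ActiveDirectory

# Resolve schema GUIDs from the schema partition instead of hard-coding them.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
function Get-SchemaGuid([string]$ldapDisplayName) {
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$ldapDisplayName)" -Properties schemaIDGUID
    if (-not $obj) { throw "Schema class '$ldapDisplayName' not found; is the Exchange schema extension applied?" }
    return [guid]$obj.schemaIDGUID
}
$asDevicesGuid     = Get-SchemaGuid 'msExchActiveSyncDevices'
$inetOrgPersonGuid = Get-SchemaGuid 'inetOrgPerson'
$userGuid          = Get-SchemaGuid 'user'
$createChild       = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild

$sid = (Get-ADGroup $ExchangeServersGroup).SID
$acl = Get-Acl -Path "AD:\$Target"

# Which inherited-object classes already carry the Create child ACE for this group?
$covered = @{ user = $false; inetOrgPerson = $false }
foreach ($ace in $acl.Access) {
    try { $aceSid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) }
    catch { continue }   # orphaned SID or untranslatable identity: not our group
    if ($aceSid -ne $sid -or $ace.ObjectType -ne $asDevicesGuid) { continue }
    if (($ace.ActiveDirectoryRights -band $createChild) -eq 0) { continue }
    if ($ace.InheritedObjectType -eq $userGuid)          { $covered['user'] = $true }
    if ($ace.InheritedObjectType -eq $inetOrgPersonGuid) { $covered['inetOrgPerson'] = $true }
}
Write-Host ("{0}: Create/Delete msExchActiveSyncDevices for '{1}' -> user: {2}, inetOrgPerson: {3}" -f
    $Target, $ExchangeServersGroup, $covered['user'], $covered['inetOrgPerson'])

if ($Apply -and -not $covered['inetOrgPerson']) {
    # Mirror the ACE that Exchange setup grants for user objects, but inherited to inetOrgPerson.
    $rights = [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild'
    $newAce = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, $rights, [System.Security.AccessControl.AccessControlType]::Allow,
        $asDevicesGuid, [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $inetOrgPersonGuid)
    $acl.AddAccessRule($newAce)
    Set-Acl -Path "AD:\$Target" -AclObject $acl
    Write-Host "Added the inetOrgPerson ACE on $Target"
}
```

Run it without -Apply first to see the current state; changing the domain-root ACL requires an account with rights to modify its security descriptor.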
Thanks to my colleague UtOpiK and the team working on the Exchange 2010 project for pointing this bug out.
Update 15/02/2013: Issue solved with Exchange 2010 SP3; there is a reference to this post in KB2552121.