5.06.2016

Domain Admins and ActiveSync

Exchange 2016 ActiveSync does not work for Domain Admins group members

By default, members of an AD protected group such as Domain Admins or Enterprise Admins cannot use Microsoft ActiveSync with an Exchange 2016 server.

At first, I was thinking that we might try to create an AD Security Group called "ActiveSync" and then set the granular permissions that would be needed for ActiveSync, but it appears that Microsoft, from 2010 to 2013 and finally 2016, is making this harder and harder to achieve.

I can argue this until the cows come home, but I am finally going with Microsoft Best Practice, which is to create a separate account with Domain Admin functions and a separate account that is a regular user for everyday functions.



If you make the mistake of adding a user as a Domain Admin, then you will need to undo the change.

Remove the user from Domain Admins, Schema Admins, and Enterprise Admins. 
Under ADUC, go to View -> Advanced Features to expose the Security tab under the user's profile dialog.
Return to the user's settings in ADUC and choose the Security tab.
Click on Advanced and ensure that "Include Inheritable Permissions From This Object’s Parent" is checked. Click OK a couple of times and exit.
Try running the ActiveSync again.
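
The same check and fix can be done from PowerShell instead of ADUC. This is an added example, not part of the original post: it assumes the ActiveDirectory RSAT module and a single domain, and both the function name `Restore-AclInheritance` and the account name `jdoe` are placeholders chosen here.

```powershell
#Requires -Modules ActiveDirectory
# Added example: scripted equivalent of the ADUC steps above.
# Function name and the 'jdoe' account are placeholders.

function Restore-AclInheritance {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Identity
    )

    # Groups the post says the user must be removed from first.
    $protected = 'Domain Admins', 'Schema Admins', 'Enterprise Admins'

    $user = Get-ADUser -Identity $Identity -Properties adminCount

    # Direct memberships only; nested membership is not resolved here.
    $still = Get-ADPrincipalGroupMembership -Identity $user |
        Where-Object { $protected -contains $_.Name }
    if ($still) {
        Write-Warning "$($user.SamAccountName) is still a member of: $($still.Name -join ', ')"
        return
    }

    $path = "AD:\$($user.DistinguishedName)"
    $acl  = Get-Acl -Path $path

    # AreAccessRulesProtected = $true means the inheritance box is unchecked.
    if ($acl.AreAccessRulesProtected -and
        $PSCmdlet.ShouldProcess($user.DistinguishedName, 'Enable ACL inheritance')) {
        # First argument $false = not protected, i.e. inherit from the parent again.
        $acl.SetAccessRuleProtection($false, $true)
        Set-Acl -Path $path -AclObject $acl
    }

    # Re-read the ACL so the report reflects the directory, not the local copy.
    [pscustomobject]@{
        SamAccountName     = $user.SamAccountName
        InheritanceEnabled = -not (Get-Acl -Path $path).AreAccessRulesProtected
        # adminCount is not mentioned in the post; shown for reference only.
        AdminCount         = $user.adminCount
    }
}

# Dry run first, then apply.
Restore-AclInheritance -Identity 'jdoe' -WhatIf
Restore-AclInheritance -Identity 'jdoe'
```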

