Activesync with Exchange 2013 does not work, ADMINSHOLDER Flag (an old bad friend)
ERROR YOU SEE: Access+is+denied.%0d%0aActive+directory+response%3a+00000005%3a+SecErr%3a+DSID-03152612%2c+problem+4003+(INSUFF%5FACCESS%5FRIGHTS)%2c+data+0%0a_
We just had a user with Activesync with a user migrated from 2007 to 2013. The user was fresh made on 2007 and migrated forth and back a few times.
https://testconnectivity.microsoft.com/
Did show all info he can get and one thing triggered alerts with us. 4003+(INSUFF%5FACCESS%5FRIGHTS)
This was back 2003 > 2007 Migrations but comes again and again. Strange thing is that the test user account is only in a few groups and we never made him LOCALADMIN. But one group still seems to trigger the ADMINSHOLDER flags which should protect special accounts like "IISUSER" or Administrator.
Then we did see why.
If the user is member of the group "PRINT OPERATORS" this will be the case.
So GPO, Activesync and many other things will not work. This has been mentioned here:
Good explanation from John Pollicelli
https://technet.microsoft.com/en-us/magazine/2009.09.sdadminholder.aspx
https://technet.microsoft.com/de-de/magazine/2009.09.sdadminholder.aspx
http://www.butsch.ch/post/Migrated-NT42000-users-are-unable-to-ActiveSync-with-Exchange-Code-0x85010014.aspx
http://www.butsch.ch/post/Exchange-2003-3e-2007-3e-2010-User-Move-Request-fails-ADMINCOUNT3d1-INSUFF_ACCESS_RIGHTS.aspx
Resolution:
FIX the Inheritance of the account and all will work fine. See our other two posts on how to do that.
The Red part below (RED-X)
Activesync Log from https://testconnectivity.microsoft.com/ |
| | | blUh4pH%2b19L4b%2fRk6uRZ%2bwFDxipa3umOc5NWKd8j3WZE%2f1rztOVQr3A7yqhQbWsCubcT0xJwV4JpO6fVK4ruS7rFkPgTuafoTzZOwv5kvn2wZAkGBr1hGm6NGz8%2fo4vFol0hWLVSJE3%2fX78fmSReawv4CBVixAAzyTR%2bm65WPSw86qwPxjfVseQiOrJ9qzUR8%2bPztEYmDjqvAfiVSNT6ouXwZf8%2fIpLnSalOyvp6n73yvkLu9rfgOsaQxOzJAX1TueDMkuiGV1EsG6HEYy3lD0Mdxo40pRRBknDTp58DusHBvAN8ud7YydsWys9YscJ5Agm9F2a7b6qIT%2bZ%2frM9%2btPQRyan97mInwoRsp1cgvsaffQtFPq9%2b%2fUjmh5g4UMvjYsM%2fVzVR2Of0c43FBQRBOkBfuavQW%2fwf%2fpr8BtFs28meQ0AAA%3d%3d_S111_Error:ADOperationException1%3aActive+Directory+operation+failed+on+MUNWDC1.butsch.ch.+This+error+is+not+retriable.+Additional+information%3a+Access+is+denied.%0d%0aActive+directory+response%3a+00000005%3a+SecErr%3a+DSID-03152612%2c+problem+4003+(INSUFF%5FACCESS%5FRIGHTS)%2c+data+0%0a_Mbx:EXCHANGE2013BUTSCH.butsch.ch_Dc:MUNWDC1.butsch.ch_Throttle0_SBkOffD:L%2f-470_DBL7_DBS1_CmdHC-1477255686_TmRcv08:05:50.2747716_TmSt08:05:50.2747716_TmDASt08:05:50.4310224_TmPolSt08:05:50.4622759_TmExSt08:05:50.4935244_TmExFin08:05:50.9622794_TmFin08:05:51.0716528_TmCmpl08:06:10.27494_ActivityContextData:ActivityID%3d5eeffb0c-62d3-46fe-994c-X-DiagInfo: EXCHANGE2013BUTSCH
X-BEServer: EXCHANGE2013BUTSCH
Cache-Control: private
Content-Type: text/html; charset=utf-8
Set-Cookie: ClientId=IARSMT0ZIEEVVIXDSSW; expires=Thu, 18-May-2017 08:05:50 GMT; path=/; HttpOnly,X-BackEndCookie=S-1-5-21-4456168801-1912567065-1745900225-5325=u56Lnp2ejJqBysnJysyZzJzSz5maztLLnZvO0sabnszSncrHms3JzZ7Jm8zIgYHNz87J0s/J0s7Iq8/Hxc/Jxc7P; expires=Fri, 17-Jun-2016 08:06:10 GMT; path=/Microsoft-Server-ActiveSync; secure; HttpOnly
Server: Microsoft-IIS/8.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
X-FEServer: EXCHANGE2013BUTSCH |
|
Get a list of all user who have such a behaviour:
Windows Server 2008R2, blaue Powershell aufmachen
Import-Module ActiveDirectory
Get-ADUser -LDAPFilter "(objectcategory=person)(samaccountname=*)(admincount=1)"
Es gibt eine einfache Möglichkeit, um festzustellen, welche Benutzer und Gruppen in Ihrer Domäne AdminSDHolder geschützt.Sie können Abfragen das Attribut AdminCount, um festzustellen, ob ein Objekt durch das AdminSDHolder-Objekt geschützt ist.Die folgenden Beispiele verwenden das ADFind.exe-Tool, das von Joeware gedownloadet werden kann.NET.
Suchen alle Objekte in einer Domäne, die durch AdminSDHolder geschützt sind, geben Sie:
Adfind.exe -b DC=domain,DC=com -f "adminCount=1" DN
Suchen alle Benutzerobjekte in einer Domäne, die durch AdminSDHolder geschützt sind, geben Sie:
Adfind.exe -b DC=domain,DC=com -f "(&(objectcategory=person)(objectclass=user)(admincount=1))" DN
Suchen alle Gruppen in einer Domäne, die durch AdminSDHolder geschützt sind, geben Sie:
Adfind.exe -b DC=domain,DC=com -f "(&(objectclass=group)(admincount=1))" DN
Hinweis: Ersetzen Sie in den vorherigen Beispielen, DC = Domain, DC = com mit dem definierten Namen Ihrer Domäne.