ActiveSync with Exchange 2013 does not work: AdminSDHolder / adminCount flag (an old bad friend)
ERROR YOU SEE (URL-encoded, as it appears in the connectivity test log):
Access+is+denied.%0d%0aActive+directory+response%3a+00000005%3a+SecErr%3a+DSID-03152612%2c+problem+4003+(INSUFF%5FACCESS%5FRIGHTS)%2c+data+0%0a_
Decoded: Access is denied. Active directory response: 00000005: SecErr: DSID-03152612, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
Events:
We just had an ActiveSync problem with a user who had been migrated from Exchange 2007 to 2013. The account was freshly created on 2007 and had been migrated back and forth a few times.
The Microsoft Remote Connectivity Analyzer (https://testconnectivity.microsoft.com/) shows everything the client gets back, and one entry triggered alarm bells with us: 4003 (INSUFF_ACCESS_RIGHTS)
We last saw this in 2003 > 2007 migrations, but it keeps coming back. The strange thing is that the test user account is only in a few groups and we never made it a local administrator. Still, one group triggers the AdminSDHolder protection, which is meant for privileged accounts such as Administrator, krbtgt and the members of groups like Domain Admins.
Then we saw why.
If the user is a member of the group "Print Operators", this is exactly what happens: Print Operators is one of the groups protected by AdminSDHolder. SDProp (the Security Descriptor Propagator, running on the PDC emulator) stamps every member with adminCount=1, replaces the object's ACL with the one on CN=AdminSDHolder,CN=System and blocks permission inheritance. Exchange then no longer has the delegated rights it inherits from the OU, so it cannot write the ActiveSync device partnership under the user object and the DC answers with INSUFF_ACCESS_RIGHTS.
So ActiveSync, mailbox moves and anything else that relies on permissions inherited from the OU will fail. This has been described here:
https://technet.microsoft.com/de-de/magazine/2009.09.sdadminholder.aspx
http://www.butsch.ch/post/Migrated-NT42000-users-are-unable-to-ActiveSync-with-Exchange-Code-0x85010014.aspx
http://www.butsch.ch/post/Exchange-2003-3e-2007-3e-2010-User-Move-Request-fails-ADMINCOUNT3d1-INSUFF_ACCESS_RIGHTS.aspx
Resolution:
Take the user out of the protected group (otherwise SDProp simply re-applies the AdminSDHolder permissions), then FIX the inheritance of the account and all will work fine. See our other two posts (linked above) on how to do that.
ActiveSync log from https://testconnectivity.microsoft.com/ (relevant part):
blUh4pH%2b19L4b%2fRk6uRZ%2bwFDxipa3umOc5NWKd8j3WZE%2f1rztOVQr3A7yqhQbWsCubcT0xJwV4JpO6fVK4ruS7rFkPgTuafoTzZOwv5kvn2wZAkGBr1hGm6NGz8%2fo4vFol0hWLVSJE3%2fX78fmSReawv4CBVixAAzyTR%2bm65WPSw86qwPxjfVseQiOrJ9qzUR8%2bPztEYmDjqvAfiVSNT6ouXwZf8%2fIpLnSalOyvp6n73yvkLu9rfgOsaQxOzJAX1TueDMkuiGV1EsG6HEYy3lD0Mdxo40pRRBknDTp58DusHBvAN8ud7YydsWys9YscJ5Agm9F2a7b6qIT%2bZ%2frM9%2btPQRyan97mInwoRsp1cgvsaffQtFPq9%2b%2fUjmh5g4UMvjYsM%2fVzVR2Of0c43FBQRBOkBfuavQW%2fwf%2fpr8BtFs28meQ0AAA%3d%3d_S111_Error:ADOperationException1%3aActive+Directory+operation+failed+on+MUNWDC1.butsch.ch.+This+error+is+not+retriable.+Additional+information%3a+Access+is+denied.%0d%0aActive+directory+response%3a+00000005%3a+SecErr%3a+DSID-03152612%2c+problem+4003+(INSUFF%5FACCESS%5FRIGHTS)%2c+data+0%0a_Mbx:EXCHANGE2013BUTSCH.butsch.ch_Dc:MUNWDC1.butsch.ch_Throttle0_SBkOffD:L%2f-470_DBL7_DBS1_CmdHC-1477255686_TmRcv08:05:50.2747716_TmSt08:05:50.2747716_TmDASt08:05:50.4310224_TmPolSt08:05:50.4622759_TmExSt08:05:50.4935244_TmExFin08:05:50.9622794_TmFin08:05:51.0716528_TmCmpl08:06:10.27494_ActivityContextData:ActivityID%3d5eeffb0c-62d3-46fe-994c-
X-DiagInfo: EXCHANGE2013BUTSCH
X-BEServer: EXCHANGE2013BUTSCH
Cache-Control: private
Content-Type: text/html; charset=utf-8
Set-Cookie: ClientId=IARSMT0ZIEEVVIXDSSW; expires=Thu, 18-May-2017 08:05:50 GMT; path=/; HttpOnly,X-BackEndCookie=S-1-5-21-4456168801-1912567065-1745900225-5325=u56Lnp2ejJqBysnJysyZzJzSz5maztLLnZvO0sabnszSncrHms3JzZ7Jm8zIgYHNz87J0s/J0s7Iq8/Hxc/Jxc7P; expires=Fri, 17-Jun-2016 08:06:10 GMT; path=/Microsoft-Server-ActiveSync; secure; HttpOnly
Server: Microsoft-IIS/8.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
X-FEServer: EXCHANGE2013BUTSCH
Get a list of all users that have this behaviour:
On Windows Server 2008 R2, open the (blue) PowerShell console and run:
Import-Module ActiveDirectory
Get-ADUser -LDAPFilter "(&(objectCategory=person)(sAMAccountName=*)(adminCount=1))"
(The three conditions have to be wrapped in "(&...)"; without the AND operator the LDAP filter is invalid and the cmdlet returns an error.)
Solution:
a) Remove the user from "Print Operators" (or whichever protected group it is in). Otherwise SDProp puts the flag and the blocked inheritance right back on its next run.
b) REMOVE the adminCount=1 flag with ADSI Edit on a DC: open the account that has problems with an iPhone, Android or any other ActiveSync device, select the adminCount attribute and set it to <not set> with the CLEAR button.
c) Open the user in the ADUC console (Active Directory Users and Computers, with View > Advanced Features enabled), Security tab > Advanced, and re-enable permission inheritance on the account.
ActiveSync should work again now.
Important: do steps b) and c) together and quickly. SDProp re-evaluates protected accounts on the PDC emulator every 60 minutes by default, and an account that is still in a protected group gets adminCount=1 and the AdminSDHolder permissions back on the next pass.
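The audit and the fix above can be scripted. The following is an added example written for this post, not a script from the original article or from Microsoft. It assumes the RSAT ActiveDirectory module, PowerShell 3.0 or later, and an account that may modify the affected user objects. It lists every user with adminCount=1, checks (including nested membership) whether the user is still in one of the default AdminSDHolder-protected groups, shows whether inheritance is blocked, and with -Remediate clears adminCount and re-enables inheritance only for users that are no longer protected, because doing it for a user still in Print Operators would just be undone by SDProp. Groups are matched by their well-known RIDs rather than by name so the script also works on a German (localized) domain.

```powershell
# Added example (not from the original post). Requires the RSAT ActiveDirectory
# module, PowerShell 3.0+, and rights to modify the affected user objects.
Import-Module ActiveDirectory

# RIDs of the groups SDProp protects on a default domain: Domain Admins (512),
# Domain Controllers (516), Schema Admins (518), Enterprise Admins (519),
# Read-only Domain Controllers (521), Administrators (544), Account Operators (548),
# Server Operators (549), Print Operators (550), Backup Operators (551), Replicator (552).
$ProtectedRidPattern = '-(512|516|518|519|521|544|548|549|550|551|552)$'

function Get-ProtectedGroupMembership {
    # Returns the protected groups (in the current domain) a user belongs to,
    # nested membership included, using the transitive LDAP matching rule
    # LDAP_MATCHING_RULE_IN_CHAIN (1.2.840.113556.1.4.1941).
    param([Parameter(Mandatory = $true)][string]$DistinguishedName)

    # Escape the DN for use inside an LDAP filter (backslash first).
    $escaped = $DistinguishedName -replace '\\', '\5c' -replace '\(', '\28' -replace '\)', '\29' -replace '\*', '\2a'
    Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$escaped)" |
        Where-Object { $_.SID.Value -match $ProtectedRidPattern } |
        Select-Object -ExpandProperty Name
}

function Invoke-AdminCountAudit {
    # Reports all adminCount=1 users. With -Remediate, users that are neither in a
    # protected group nor one of the always-protected accounts (Administrator RID 500,
    # krbtgt RID 502) get adminCount cleared and inheritance re-enabled.
    # Users that are still protected are only reported: SDProp (every 60 minutes by
    # default on the PDC emulator) would re-apply the AdminSDHolder ACL anyway.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([switch]$Remediate)

    $users = Get-ADUser -LDAPFilter '(&(objectCategory=person)(adminCount=1))' -Properties adminCount
    foreach ($u in $users) {
        $dn  = $u.DistinguishedName
        $acl = Get-Acl -Path "AD:\$dn"
        $groups = @(Get-ProtectedGroupMembership -DistinguishedName $dn)
        $builtinProtected = $u.SID.Value -match '-(500|502)$'

        $result = [pscustomobject]@{
            SamAccountName     = $u.SamAccountName
            InheritanceBlocked = $acl.AreAccessRulesProtected
            ProtectedGroups    = ($groups -join ', ')
            Action             = 'none'
        }

        if ($Remediate -and -not $builtinProtected -and $groups.Count -eq 0) {
            if ($PSCmdlet.ShouldProcess($u.SamAccountName, 'Clear adminCount and enable inheritance')) {
                # Step b) of the post: adminCount -> <not set>
                Set-ADUser -Identity $u -Clear adminCount
                # Step c) of the post: SetAccessRuleProtection(isProtected, preserveInheritance);
                # isProtected=$false re-enables inheritance from the parent OU.
                $acl.SetAccessRuleProtection($false, $false)
                Set-Acl -Path "AD:\$dn" -AclObject $acl
                $result.Action = 'adminCount cleared, inheritance enabled'
            }
        }
        elseif ($Remediate) {
            $result.Action = 'skipped: still protected, remove from protected group first'
        }
        $result
    }
}

# Report only:
Invoke-AdminCountAudit | Format-Table -AutoSize
# Dry run of the fix, then the real thing:
# Invoke-AdminCountAudit -Remediate -WhatIf
# Invoke-AdminCountAudit -Remediate
```

Run the report first and look at the ProtectedGroups column: a user listed with an empty column and InheritanceBlocked = True is exactly the "orphaned" case from this post (left a protected group, flag and ACL stayed behind). Note that Enterprise Admins and Schema Admins live in the forest root domain, so run the audit there as well if the account could be a member of those.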