Monday, July 30, 2012

Exchange 2010 Activesync And Deletion Of Accounts

We recently moved to exchange 2010 from 2007 (and from 2003 before that, and who knows previous to that...)

We had two issues that for some reason only impacted certain accounts, but the cause/fix was the same for both.

Issues one, some users could not sync their mobile devices.  Activesync and the clients appeared to be configured correctly.  No errors were generated on the mobile devices, but no mail would flow.

Second issue.  Certain AD accounts could not be deleted.  Attempting to remove them would produce an error indicating a child object of the account was set to prevent accidental deletion.  

In Active Directory Users And Computers, we set the view to show "Users, Contacts, and Groups as containers"  and we could see that the users in question had a subfolder labeled "ExchangeActiveSyncDevices" and within that was a msActivesync device entry.

This entry is what could not be deleted.

Both of these problems were rectified by selecting the user, going to security, advanced and checking "include inheritable permissions from this object's parent"

We only had a few users who were set "incorrectly", and there appears to be no discernible pattern as to which users were correct, and which weren't.  So that's a bit odd to me, but setting the inheritance fixed the issues for us, so we're happy.

Kudos to THIS which helped us sniff out the fix.

No comments: