Exchange ActiveSync doesn’t have sufficient permissions to create the "CN=ward,OU=Users,DC=wardvissers,DC=local" container under Active Directory user "Active Directory operation failed on DC2008-03.ad.local. This error is not retriable. Additional information: Access is denied.
Active directory response: 00000005: SecErr: DSID-031521D0, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
Make sure the user has inherited permission granted to domain\Exchange Servers to allow List, Create child, Delete child of object type "msExchangeActiveSyncDevices" and doesn’t have any deny permissions that block such operations.
Each Active Directory domain has an object called AdminSDHolder, which resides in the System container of the domain. The Admin-SDHolder object has a unique Access Control List (ACL), which is used to control the permissions of security principals that are members of built-in privileged Active Directory groups (what I like to call “protected” groups). Every hour, a background process called SDPROP runs on the domain controller that holds the PDC Emulator operations master role. It compares the ACL on all security principals (users, groups and computer accounts) that belong to protected groups against the ACL on the AdminSDHolder object. If the ACL lists aren’t the same, the ACL on the security principal is overwritten with the ACL from the Admin–SDHolder object. In addition, inheritance is disabled on the security principal.
1. Active Directory Users and Computers
2. Enable Advanced Features
3. Search the User and go to the Security tab.
5. Include Inheritable permissions from the Object’s parent