Your account in Microsoft Exchange Server does not have have permissions to synchronize with your current settings 0x85010004 or Eventid 1053 Exchange ActiveSync doesn’t have sufficient permissions to create the user container under Active Directory user "Active Directory operation failed on domain controller.

Error: Your account in Microsoft Exchange Server does not have have permissions to synchronize with your current settings.

Afb0021

Eventlog:
image

Exchange ActiveSync doesn’t have sufficient permissions to create the "CN=ward,OU=Users,DC=wardvissers,DC=local" container under Active Directory user "Active Directory operation failed on DC2008-03.ad.local. This error is not retriable. Additional information: Access is denied.
Active directory response: 00000005: SecErr: DSID-031521D0, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
".
Make sure the user has inherited permission granted to domain\Exchange Servers to allow List, Create child, Delete child of object type "msExchangeActiveSyncDevices" and doesn’t have any deny permissions that block such operations.

Because my account has domain admins rights the security settings will be reset every hour by
AdminSDHolder

Each Active Directory domain has an object called AdminSDHolder, which resides in the System container of the domain. The Admin-SDHolder object has a unique Access Control List (ACL), which is used to control the permissions of security principals that are members of built-in privileged Active Directory groups (what I like to call “protected” groups). Every hour, a background process called SDPROP runs on the domain controller that holds the PDC Emulator operations master role. It compares the ACL on all security principals (users, groups and computer accounts) that belong to protected groups against the ACL on the AdminSDHolder object. If the ACL lists aren’t the same, the ACL on the security principal is overwritten with the ACL from the Admin–SDHolder object. In addition, inheritance is disabled on the security principal.

Temporally Solution:

1. Active Directory Users and Computers

image
2. Enable Advanced Features
image
3. Search the User and go to the Security tab.

image
4. Advanced
image

5. Include Inheritable permissions from the Object’s parent
image

Source: Blog

Leave a Reply

Translate »