
Exchange 2010 Notes from the Field – ActiveSync and Active Directory Permissions Inheritance

Joseph Hoegler


One of my earlier Exchange 2010 deployments was at a client that had modified the default inheritance settings of Active Directory such that default security permissions did not apply to some Organizational Units (OUs).  This prevented ActiveSync from creating necessary objects and setting necessary attributes to provision iPhones for these users against their Exchange 2010 mailboxes.  Similar issues occur if you attempt to configure an ActiveSync device for a mailbox associated with a user that is a member of certain privileged groups within Active Directory (e.g. Domain Admins, Enterprise Admins, etc.).

To resolve this issue for the specific case at my client, we simply needed to enable inheritance on the OUs or users where it had previously been disabled.

AD Permissions

Resolving this issue for members of privileged groups is a bit more complicated.  Basically, the lack of inheritance is by design for users that are members of privileged AD groups.  Every hour, a background process runs on domain controllers to apply the permissions assigned to the AdminSDHolder template object to all members of privileged groups.  You can review the permissions that will be applied by launching Active Directory Users and Computers, enabling Advanced Features within the View menu, and then reviewing the security permissions of the AdminSDHolder object within the System OU.

The true solution is to provide administrators with separate administrative-only accounts (e.g. JohnAdmin.admin) that are members of the required AD groups and have these administrators use normal, non-privileged accounts (e.g. JohnAdmin) for e-mail functionality. In some environments this may not be possible and, as a result, you have two workarounds. First, you could modify the permissions on the AdminSDHolder template object to include the required Exchange permissions. I don’t recommend this since you would be modifying a fairly important and ingrained aspect of Active Directory for what should be a few isolated users. Instead, you could temporarily enable inheritance on your administrative users and, as long as you configure these users’ ActiveSync devices before the next application of AdminSDHolder permissions, it will work just fine. Once an ActiveSync device is provisioned for the user, these special Exchange permissions are no longer required.
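The second workaround, scripted as an added example (not from the original post): list the AdminSDHolder-protected users whose inheritance is currently blocked, re-enable inheritance on one account so the ActiveSync device can be provisioned, and check afterwards that SDProp has restored the protection. It assumes the ActiveDirectory PowerShell module (RSAT) and sufficient rights on the user objects; the OU and account names are constructed placeholders.

```powershell
# Added example, not from the original post. Requires the ActiveDirectory module (RSAT)
# and permission to modify the security descriptor of the target user objects.
Import-Module ActiveDirectory

# Privileged users stamped by SDProp (adminCount = 1) whose inheritance is blocked;
# these are the accounts whose ActiveSync provisioning will fail.
function Get-AdminSDHolderBlockedUsers {
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)   # assumed default: whole domain
    Get-ADUser -Filter 'adminCount -eq 1' -SearchBase $SearchBase `
               -Properties adminCount, nTSecurityDescriptor |
        Where-Object { $_.nTSecurityDescriptor.AreAccessRulesProtected } |
        Select-Object SamAccountName, DistinguishedName
}

# Temporarily re-enable inheritance on one user. SDProp re-applies the AdminSDHolder
# ACL on its next run (hourly by default), so the device must be configured inside that window.
function Enable-InheritanceForProvisioning {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $user = Get-ADUser -Identity $SamAccountName -Properties nTSecurityDescriptor
    $acl  = $user.nTSecurityDescriptor      # System.DirectoryServices.ActiveDirectorySecurity
    if (-not $acl.AreAccessRulesProtected) {
        Write-Output "$SamAccountName already inherits permissions; nothing to do."
        return
    }
    # $false = stop blocking inheritance; $true = keep the existing explicit ACEs.
    $acl.SetAccessRuleProtection($false, $true)
    Set-Acl -Path ("AD:\" + $user.DistinguishedName) -AclObject $acl
    Write-Output "Inheritance enabled on $($user.DistinguishedName); configure ActiveSync before SDProp runs again."
}

# Returns $true once SDProp has re-protected the object (expected after the next hourly run).
function Test-InheritanceBlocked {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $user = Get-ADUser -Identity $SamAccountName -Properties nTSecurityDescriptor
    return $user.nTSecurityDescriptor.AreAccessRulesProtected
}

# Usage with constructed names (OU and account are placeholders):
# Get-AdminSDHolderBlockedUsers -SearchBase 'OU=Admins,DC=contoso,DC=com'
# Enable-InheritanceForProvisioning -SamAccountName 'JohnAdmin'
# Test-InheritanceBlocked -SamAccountName 'JohnAdmin'
```

If Test-InheritanceBlocked still returns $false an hour or more later, check that the account is actually a member of a protected group rather than assuming SDProp failed.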

For more information on AdminSDHolder, the associated default permissions, and instructions for modifying these permissions, please refer to http://policelli.com/blog/?p=136.

For more in my series on Exchange 2010 Notes from the Field, please click here.