Thursday, December 20, 2012

Active Sync issue on Exchange 2010--Error 1053

Log Name: Application
Source: MSExchange ActiveSync
Date: 12/17/2012 5:24:00 AM
Event ID: 1053
Task Category: Configuration
User: N/A
Exchange ActiveSync doesn't have sufficient permissions to create the "CN=testuser,OU=Test OU,DC=abc,DC=com" container under Active Directory user "Active Directory operation failed on This error is not retriable. Additional information: Access is denied.
Active directory response: 00000005: SecErr: DSID-031521D0, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0". Make sure the user has inherited permission granted to domain\Exchange Servers to allow List, Create child, Delete child of object type "msExchangeActiveSyncDevices" and doesn't have any deny permissions that block such operations.

Issue: This error occurs when the Exchange server lacks the permissions on the user objects that Active Sync needs to work. Only Active Sync is affected; mail flow works normally.

Solution: To fix the issue, make sure the “Exchange Servers” permissions are applied to all users. Exchange server permissions should always be inherited from the root. If the Exchange server is installed on Windows 2008, make sure the “Descendant msExchActiveSyncDevices objects” permissions are enabled on the root of the domain and are inheritable by all OUs and the user objects in them.

The “Descendant msExchActiveSyncDevices objects” entry should have the following permissions applied:
  • List contents
  • Read all properties
  • Write all properties
  • Read permissions
  • Modify permissions
  • Modify owner
  • Create ActiveSync objects
  • Delete ActiveSync objects

Follow the process below to grant the above permissions for a particular user:

  1. Run Active Directory Users and Computers.
  2. Click View and select Advanced Features.
  3. Select a user account that isn’t working with Active Sync and double-click the account.
  4. Click the Security tab and then the Advanced button.
  5. In the dialog from the previous step, make sure “Exchange Servers” is listed in the user or group names. If Exchange Servers is not listed, proceed with the next step; otherwise jump to step 7.
  6. Select Exchange Servers from Active Directory and click OK.
  7. Provide the required permissions as listed:
  • List contents
  • Read all properties
  • Write all properties
  • Read permissions
  • Modify permissions
  • Modify owner
  • Create msExchActiveSyncDevice object
  • Delete msExchActiveSyncDevice object

After providing the permissions, click OK three times.


This should fix the issue. The same process can be used to apply the permissions on an OU or on the root. Any permissions applied to the root or to an OU should be inherited by the users in it.
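To find which accounts need this treatment without opening each one in the GUI, the following read-only audit lists users whose ACL blocks inheritance or carries no Exchange Servers entry for msExchActiveSyncDevices. It is an added example, not part of the original post; it assumes PowerShell 3.0 or later, the ActiveDirectory module (RSAT), a single-domain forest, and uses the OU from the event above as a sample search base.

```powershell
# Added example: read-only audit, changes nothing in Active Directory.
# Assumptions: ActiveDirectory module (RSAT), PowerShell 3.0+, single domain.
Import-Module ActiveDirectory

# Assumption: sample search base taken from the DN in the event; adjust it.
$searchBase = 'OU=Test OU,DC=abc,DC=com'

# Build "DOMAIN\Exchange Servers" as it appears in the ACL of a user object.
$exchangeServers = '{0}\Exchange Servers' -f (Get-ADDomain).NetBIOSName

# Read the class GUID from the schema instead of hard-coding it.
$schemaNC  = (Get-ADRootDSE).schemaNamingContext
$classObj  = Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter '(lDAPDisplayName=msExchActiveSyncDevices)' `
    -Properties schemaIDGUID
$classGuid = [guid]$classObj.schemaIDGUID

Get-ADUser -SearchBase $searchBase -Filter * -Properties adminCount |
ForEach-Object {
    $user = $_
    $acl  = Get-Acl -Path ('AD:\' + $user.DistinguishedName)

    # Allow ACEs for Exchange Servers that reference the ActiveSync class,
    # either as the child type (create/delete) or as the applies-to type.
    $aces = @($acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $exchangeServers -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.ObjectType -eq $classGuid -or
         $_.InheritedObjectType -eq $classGuid)
    })

    [pscustomobject]@{
        User               = $user.SamAccountName
        InheritanceBlocked = $acl.AreAccessRulesProtected
        AdminCount         = $user.adminCount   # 1 = AdminSDHolder-protected
        ActiveSyncAces     = $aces.Count
        InheritedAces      = @($aces | Where-Object { $_.IsInherited }).Count
    }
} |
# Report only accounts that would hit event 1053.
Where-Object { $_.InheritanceBlocked -or $_.ActiveSyncAces -eq 0 } |
Format-Table -AutoSize
```

Accounts reported with InheritanceBlocked set to True will not pick up permissions applied at the OU or root until inheritance is re-enabled on the object.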

If the issue still persists after the above steps, the problem may be that the permissions are not being inherited from the parent. In this scenario, preparing AD is the only solution.

In my scenario, I did the following steps, which fixed the issue:
1) Update the schema
2) PrepareAD

Insert the Exchange setup DVD into the DVD drive. Open a command prompt, navigate to the DVD drive and run the following command:

G:\setup.exe /PrepareSchema or G:\setup.exe /ps

Once completed, run the below command:

G:\setup.exe /prepareAD or G:\setup.exe /p

Allow sufficient time for the updates to apply and replicate between domain controllers, then check Active Sync again. It should start working.



  1. This also works with Exchange 2013. WP and iOS synced via AS without issue, but this fix was needed to sync Android.

  2. The reason that this problem keeps happening on administrative accounts is because they get inheritance turned off on a regular basis. The permissions need to be changed on the System AdminSDHolder object. See for overview.