Exchange Servers Security Group AD Permissions Not Sufficient
Hello
The permissions on the Exchange Servers Security Group do not appear to be correct.
I spent a long time troubleshooting why an iPad would just display the error "Cannot Get Mail: The Connection to the Server Failed" when trying to download mail from Exchange.
This was after installing the root CA certificate and configuring the account on the iPad which said it was successful.
After further troubleshooting I was getting event 1008 in Event Viewer every time I tried to check for mail, which said that the Active Directory operation failed (problem 4003 INSUFF_ACCESS_RIGHTS). This said that security settings could not be applied to the AD object.
I checked the permissions of the Exchange Servers group against the user object and it only had:
Read Exchange Information
Read Exchange Personal Information
After I set it to full control on both the user and the CN=ExchangeActiveSyncDevices (where it existed already) the iPad started to download email straight away (I tried some other combinations first which didn't work).
I'm not sure how these permissions became messed up, but please can someone tell me what permissions the Exchange Servers group is supposed to have, as I feel that assigning full control to user accounts is a bit insecure.
Also are there any other permissions I should check which may cause problems in the future as well?
Thanks
Robin
Robin Wilson
October 28th, 2010 7:06pm
Hi Robin
Exchange permissions on user objects flow from the domain object (e.g. DC=contoso,DC=com) downwards. If you have permissions inheritance blocked on any of the OUs between the domain object and the user object(s) then you will have problems with Exchange for those objects.
Some objects are protected by the AdminSDHolder, and these objects have permissions inheritance disabled and acquire the security descriptor associated with the AdminSDHolder object. In E2010 it is common to see problems with ActiveSync and objects protected by the AdminSDHolder. The recommendation from Microsoft is to not mailbox-enable any protected objects. Easier said than done if you already have this in place with, e.g. E2007.
Alexei
October 28th, 2010 9:28pm
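An added example (not from this thread) of how to check the two conditions Alexei describes before reaching for Full Control: it lists mail-enabled users whose object blocks inheritance or carries the AdminSDHolder stamp (adminCount=1), together with the ACEs the Exchange Servers group actually holds on each. It assumes the ActiveDirectory module (RSAT) and a placeholder search base OU; the domain and OU names are assumptions, not values from the posts.

```powershell
# Added example, not part of the original thread.
# Assumes the ActiveDirectory module is available and that the caller can read ACLs.
Import-Module ActiveDirectory

$group      = 'Exchange Servers'              # well-known Exchange group name
$searchBase = 'OU=Users,DC=contoso,DC=com'    # placeholder OU; replace with your own

# adminCount=1 marks objects that the AdminSDHolder process has stamped; such objects
# have inheritance disabled, so Exchange's inherited rights never reach them.
Get-ADUser -Filter { mail -like '*' } -SearchBase $searchBase -Properties adminCount, mail |
  ForEach-Object {
    # The AD: PSDrive exposes each object's security descriptor to Get-Acl
    $acl      = Get-Acl -Path ("AD:\" + $_.DistinguishedName)
    $exchAces = $acl.Access | Where-Object { $_.IdentityReference -like "*\$group" }

    [PSCustomObject]@{
      User                = $_.SamAccountName
      AdminCount          = $_.adminCount
      InheritanceBlocked  = $acl.AreAccessRulesProtected
      # Property-set rights (e.g. Read Exchange Information) show as ReadProperty /
      # ExtendedRight with an ObjectType GUID, so the raw ACE type is reported here.
      ExchangeServersACEs = ($exchAces | ForEach-Object {
        "$($_.AccessControlType):$($_.ActiveDirectoryRights)"
      }) -join '; '
    }
  } |
  Where-Object { $_.AdminCount -eq 1 -or $_.InheritanceBlocked } |
  Format-Table -AutoSize
```

A user that appears in this output with no Exchange Servers ACEs is the case described in the thread: the fix is to restore inheritance (or move the mailbox off a protected account), not to grant Full Control on the user object.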
Hi Robin Wilson,
I have confirmed the configuration of mine, the default permission checked as below:
Read
Send to
Read exchange information
Read exchange personal information
Read phone and mail options
Please check those and make a test.
Regards!
Gavin
October 29th, 2010 5:53am