Add ACLs to AdminSDHolder for Exchange 2010 ActiveSync

By default in Exchange 2010, users protected by AdminSDHolder can't synchronize their mobile devices with ActiveSync. This is because AdminSDHolder removes security inheritance on user objects in sensitive groups (more information here).

If for some reason you would like to add the permissions to AdminSDHolder, the following script works:

REM Permissions on the user object itself
dsacls "CN=AdminSDHolder,CN=System,DC=MYDOMAIN,DC=COM" /G "MYDOMAIN\Exchange Servers:CCDC;msExchActiveSyncDevices" 

REM Descendant msExchActiveSyncDevices objects
dsacls "CN=AdminSDHolder,CN=System,DC=MYDOMAIN,DC=COM" /I:S /G "MYDOMAIN\Exchange Servers:LCRPWPRCWD;;msExchActiveSyncDevices" 
dsacls "CN=AdminSDHolder,CN=System,DC=MYDOMAIN,DC=COM" /I:S /G "MYDOMAIN\Exchange Servers:CCDC;msExchActiveSyncDevice;msExchActiveSyncDevices" 

REM Descendant msExchActiveSyncDevice objects
dsacls "CN=AdminSDHolder,CN=System,DC=MYDOMAIN,DC=COM" /I:S /G "MYDOMAIN\Exchange Servers:LCRPWPRCWD;;msExchActiveSyncDevice" 
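
Because the AdminSDHolder ACL is stamped onto every protected account, it is worth checking what the Exchange Servers group actually holds there after running the script. The following is an added example, not part of the original script; it assumes the ActiveDirectory PowerShell module is available and reuses the placeholder domain MYDOMAIN.COM from the commands above.

```powershell
# Added example: list the ACEs held by "Exchange Servers" on AdminSDHolder
# and resolve the object-class GUIDs to schema names.
# Assumptions: ActiveDirectory module installed; MYDOMAIN is a placeholder.
Import-Module ActiveDirectory

$holderDn = 'CN=AdminSDHolder,CN=System,DC=MYDOMAIN,DC=COM'
$trustee  = 'MYDOMAIN\Exchange Servers'

# Build a GUID -> lDAPDisplayName map from the schema so ObjectType and
# InheritedObjectType can be shown as class names instead of raw GUIDs.
$schemaNc = (Get-ADRootDSE).schemaNamingContext
$guidMap  = @{}
Get-ADObject -SearchBase $schemaNc -LDAPFilter '(schemaIDGUID=*)' `
             -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $guidMap[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }

function Resolve-TypeName([guid]$Id) {
    if ($Id -eq [guid]::Empty)    { return '(all)' }       # ACE not scoped to a class
    if ($guidMap.ContainsKey($Id)) { return $guidMap[$Id] }
    return $Id.ToString()                                  # not a schema class/attribute
}

# Read the DACL through the AD: drive and keep only the trustee's ACEs.
$aces = (Get-Acl -Path "AD:\$holderDn").Access |
    Where-Object { $_.IdentityReference.Value -eq $trustee } |
    Select-Object AccessControlType, ActiveDirectoryRights, InheritanceType,
        @{ n = 'ObjectType';          e = { Resolve-TypeName $_.ObjectType } },
        @{ n = 'InheritedObjectType'; e = { Resolve-TypeName $_.InheritedObjectType } }

$aces | Format-Table -AutoSize

# Highlight ACEs that are not scoped to either ActiveSync class used in the
# dsacls commands, so broader grants to the same group stand out for review.
$expected = 'msExchActiveSyncDevices', 'msExchActiveSyncDevice'
$aces | Where-Object {
    ($expected -notcontains $_.ObjectType) -and
    ($expected -notcontains $_.InheritedObjectType)
} | ForEach-Object {
    Write-Warning "ACE for $trustee not scoped to ActiveSync classes: $($_.ActiveDirectoryRights)"
}
```

Each of the four dsacls commands should appear as an ACE whose ObjectType or InheritedObjectType is msExchActiveSyncDevices or msExchActiveSyncDevice.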
