Hello fellow geeks!
I'm kicking off this new blog with an issue that was a real nuisance, but was relatively easy to fix.
During a recent Exchange 2003 to 2010 migration, one of the users was getting an error on his Windows Phone 7 device. The error code that popped up on the phone on every sync attempt was 86000C09.
We tested the following:
Different user on the same device: WORKED
Problem user on a different device: FAILED
Seemed to point (conclusively) at the user's account as the crux of the issue. This error can come up if a user has too many devices syncing, but he had no other phones. We verified that using the following command:
Get-ActiveSyncDeviceStatistics -Identity USERID
Turns out, it was the old familiar inheritable permissions issue in Active Directory. :-/ This user was not an admin, nor had he ever been one. HOWEVER, his account was cloned from an ex-admin user, so the unchecked box stayed unchecked. We checked the box and voila, data started flowing to his device(s).
Here's a refresher on enabling inheritable permissions:
Open ADUC, and enable Advanced Features:
Then open properties and go to the Security tab for the user in question:
Click on Advanced, and the following screen should pop up:
Verify that "Include inheritable permissions from this object's parent" is *checked*.
You will notice that for certain users, this box keeps getting unchecked. This is normal behavior caused by the built-in security of Active Directory. Users who are members of the following groups will have this flag altered by AD:
Account Operators
Administrators
Backup Operators
Domain Admins
Domain Controllers
Enterprise Admins
Print Operators
Read-Only Domain Controllers
Replicator
Schema Admins
Server Operators
Once the box is checked, permissions will flow and the user will be set correctly. Even if the box is unchecked, they will function normally as they now have the proper permissions configured.
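An added example, not part of the original post: a PowerShell audit that finds enabled user accounts whose inheritance box is unchecked and flags whether each one is a member of the groups listed above. It assumes the ActiveDirectory module (RSAT) and PowerShell 3.0 or later; Enable-AclInheritance is a hypothetical helper name.

```powershell
# Added example: audit for user accounts with ACL inheritance disabled.
# Assumes the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

# Protected groups as listed in this post (names assume an English-language domain).
$protectedGroupNames = @(
    'Account Operators', 'Administrators', 'Backup Operators', 'Domain Admins',
    'Domain Controllers', 'Enterprise Admins', 'Print Operators',
    'Read-Only Domain Controllers', 'Replicator', 'Schema Admins', 'Server Operators'
)

# Collect the DN of every direct or nested member of those groups.
$protectedMembers = New-Object 'System.Collections.Generic.HashSet[string]'
foreach ($name in $protectedGroupNames) {
    $group = Get-ADGroup -Filter "Name -eq '$name'" -ErrorAction SilentlyContinue
    if (-not $group) { continue }   # group may not exist in this domain
    Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
        ForEach-Object { [void]$protectedMembers.Add($_.DistinguishedName) }
}

# AreAccessRulesProtected = $true means the inheritance box is unchecked.
$report = Get-ADUser -Filter 'Enabled -eq $true' -Properties nTSecurityDescriptor |
    Where-Object { $_.nTSecurityDescriptor.AreAccessRulesProtected } |
    ForEach-Object {
        [pscustomobject]@{
            SamAccountName    = $_.SamAccountName
            DistinguishedName = $_.DistinguishedName
            InProtectedGroup  = $protectedMembers.Contains($_.DistinguishedName)
        }
    }

# Rows with InProtectedGroup = False match the situation described in this post.
$report | Sort-Object InProtectedGroup, SamAccountName | Format-Table -AutoSize

# Hypothetical helper: re-enable inheritance on one account (same as checking the box).
function Enable-AclInheritance {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $path = "AD:\$DistinguishedName"              # AD: drive comes with the module
    $acl  = Get-Acl -Path $path
    $acl.SetAccessRuleProtection($false, $true)   # $false = allow inheritance
    Set-Acl -Path $path -AclObject $acl
}
```

Review the report before calling the helper on any account; for members of the listed groups the flag will be altered again by AD, as described above.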
You need to perform this same exercise when enabling users for Lync, but that's another blog. :-)
-Chris