Hi There, From what I understand only Exchange Organization Administrators have permissions to change activesync policies. Which is fine at a global level but for some reason my helpdesk administrators (who are Recipient Administrators) cannot change the activesync policy for recipients from A to B. They always get the error "access to address list service on <server> was denied". I check the server and ensure the system attendant is started. I even restarted to check and still the error persist. Any help would be greatly appreciated. Thank you in advance.

Check this: http://technet.microsoft.com/en-us/library/aa996881(EXCHG.80).aspx Exchange Recipient Administrators Exchange Organization Administrators Exchange View-Only Administrators Full control of Exchange properties on Active Directory user object

Yes I am aware of the MS Article. None of which answer my question.

Hi, If you want your helpdesk(user or group) to change active sync policy for the ActiveSync Devices, you should assign the custom Management Role to the user or the Role Group. You need to do it thru RBAC role group. http://www.exchangedictionary.com/index.php/Articles/role-based-access-control-exchange-2010.html Anil MCC 2011,ITIL V3,MCSA 2003,MCTS 2010, My Blog : http://messagingschool.wordpress.com

Hi ELoh, If you are running Exchange 2007 and want to change the activesync policy for users(or run the cmdlet Set-CasMailbox -ActiveSyncMailboxPolicy) , Exchange Recipient Adminstrator role also has the permission. Set-CASMailbox http://technet.microsoft.com/en-us/library/bb125264(EXCHG.80).aspx Please try to change the policy using EMS. And if the error still appears, please post the message here. Frank Wang

Hi Anil, Thanks for the information. Unfortunately we are using Exchange 2007.

Hi Frank, As per my initial note. Delegated users has Recipient Administrator permissions. Powershell is not currently an option as our helpdesk would not know how to use it correctly. NOTE: I have identify that this issue only occurs to some users and not others even though their AD security permissions are identical.

Hi Eloh, Do you mean helpdesk administrators can only modify some user's activesync policy, not all users? Please check whether there is any related error event in the Event Viewer. Please run the Exbpa to do a Permission Check. You can also try to run the setup /PrepareAD again. Frank Wang

In ADUC go to the root or OU, properties, security tab, click advanced tab, highlight the group edit, properties tab, make sure the group has read and write for msexchmobilemailboxpolicylink.James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com

Thanks James, I will need to double check each line in the advanced tab. Does the Recipient Administrators group by default meant to have read / write access for mxexchangemobilemailboxpolicylink?

I don't see it having that when I check, there's lots of things that recipient admins can't do by default such as hiding user from GAL.James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com

Sorry but none of these are actual answers. They maybe work arounds but doesn't resolve the problem.

Unless you can tell me why i need to PrepareAD, there is no justification for doing so. EXBPA permission check return 100% without errors.