Rights needed for AdminSD Holder Object for ActiveSync
With Exchange 2010, one of the ways to get ActiveSync to work for members of protected groups is to temporarily allow security permission inheritance for the user object and then configure ActiveSync before the permissions get turned back off. Although this works fine, I am interested in the exact permissions missing on the AdminSD Holder, so that I can simply add those specific permissions to the object. This would make my life simpler, while still keeping the positive benefits of protected groups. Thanks! Brandon
December 7th, 2010 10:15am

Not sure what you mean by "exact permissions missing on the AdminSD Holder". Inheritance on protected groups is disabled hourly by the AdminSD Holder process, and it's that lack of inherited Exchange permissions that causes problems for members of those groups. Microsoft of course recommends that you do not mail-enable members of protected groups for this and other reasons. If you want to change which groups are protected by the AdminSD Holder process, enable inheritance on the adminSD Holder container, or do other things to that object in general, see: http://support.microsoft.com/kb/817433
December 21st, 2010 4:00pm

Brandon, I think I understand what you are asking. Instead of allowing the Inheritance to set the necessary permissions (the way Microsoft intended it), you wish to leave inheritance off, and set the permissions yourself. AFAIK these permissions aren't documented on any public site. I don't advise this unsupported method, but if you were to go about it anyway, all you would have to do is compare a working account with one where the adminCount attribute is 1. Mike Crowley
March 17th, 2011 9:42am
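
The comparison suggested in the reply above, as an added example that is not part of the original thread: it lists the access control entries present on a working account but absent from a protected one. The two account names are placeholders, and the script assumes the RSAT ActiveDirectory module and read access to the directory.

```powershell
# Added example: diff the ACL of a working account against a protected
# (adminCount = 1) account. Read-only; nothing is modified.
Import-Module ActiveDirectory

$workingSam   = 'working.user'     # placeholder: account where ActiveSync works
$protectedSam = 'protected.user'   # placeholder: member of a protected group

# Map schema and extended-right GUIDs to names so ObjectType is readable.
$rootDse = Get-ADRootDSE
$guidMap = @{}
Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
    -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $guidMap[([guid]$_.schemaIDGUID).ToString()] = $_.lDAPDisplayName }
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
    -LDAPFilter '(objectClass=controlAccessRight)' -Properties displayName, rightsGuid |
    ForEach-Object { $guidMap[([guid]$_.rightsGuid).ToString()] = $_.displayName }

function Get-FlatAcl([string]$Sam) {
    $user = Get-ADUser -Identity $Sam
    (Get-Acl -Path "AD:\$($user.DistinguishedName)").Access | ForEach-Object {
        $t = $_.ObjectType.ToString()   # all-zero GUID means "applies to everything"
        [pscustomobject]@{
            Identity  = $_.IdentityReference.Value
            Type      = $_.AccessControlType
            Rights    = $_.ActiveDirectoryRights
            AppliesTo = if ($guidMap.ContainsKey($t)) { $guidMap[$t] } else { $t }
        }
    }
}

# IsInherited is deliberately left out of the comparison: on the working account
# the Exchange ACEs are inherited, on the protected account every ACE is explicit.
$props = 'Identity', 'Type', 'Rights', 'AppliesTo'
Compare-Object (Get-FlatAcl $workingSam) (Get-FlatAcl $protectedSam) -Property $props |
    Where-Object SideIndicator -eq '<=' |   # present on working, absent on protected
    Sort-Object Identity |
    Format-Table $props -AutoSize
```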
