You are experiencing problems with certain users connecting a mobile device
to the Exchange Server using ActiveSync, even after checking all of the usual
things such as Mobile Device associations in the ECP and whether ActiveSync is
enabled for the users. Checking the Application Log on one of the Exchange
Client Access Servers (CAS) shows the event "Event ID 1053 Exchange ActiveSync
doesn't have sufficient permissions to create the "CN" container under Active
Directory user "Active Directory operation failed on dc.domain.local. This
error is not retriable. Additional information: Access is denied"." stating
that the user cannot connect to Exchange.
There is a Microsoft known-issue fix for this (http://support.microsoft.com/kb/2579075), but although the symptoms are similar, doing exactly what that article states did not fix the issue for me.
The first step was to look at the Security permissions on one of the
affected user objects. I always enable the Advanced Features view in the
Active Directory Users and Computers MMC.
Then search for the user object, open its Properties, click the Security tab
and select the Exchange Servers security principal. When I first did this,
only "Read Exchange Information" and "Read Exchange Personal Information" were
Allowed in the entire list.
To test whether this was causing my issue I gave the Exchange Servers principal
Full Control over the object. I do not normally like to grant explicit Full
Control to anything, so I was hesitant, but since it is the Exchange Servers
security principal I could not see any reason not to.
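The same inspection can be scripted so that an affected user object can be compared with one that syncs normally, before and after any permission change. This is an added example, not part of the original post; it assumes the ActiveDirectory module is installed, that the principal appears in ACEs as "DOMAIN\Exchange Servers", and that the running account can read the object's security descriptor.

```powershell
# Added example (not from the original post): list the ACEs that the
# "Exchange Servers" security principal holds on an AD user object, and
# report whether inherited permissions are blocked on that object.
# Assumption: the ActiveDirectory module and the AD: PSDrive are available.
Import-Module ActiveDirectory

function Get-ExchangeServersAce {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        # Assumption: ACEs name the principal as "NETBIOSDOMAIN\Exchange Servers"
        [string] $Principal = "$env:USERDOMAIN\Exchange Servers"
    )

    $user = Get-ADUser -Identity $SamAccountName

    # The AD: drive exposes the object's DACL (what the Security tab shows)
    $acl = Get-Acl -Path ("AD:\" + $user.DistinguishedName)

    # Only the entries granted to / denied for the Exchange Servers principal
    $aces = $acl.Access |
        Where-Object { $_.IdentityReference.Value -eq $Principal }

    [pscustomobject]@{
        User               = $user.DistinguishedName
        # True means the object no longer receives permissions from its parent OU
        InheritanceBlocked = $acl.AreAccessRulesProtected
        # ObjectType is the GUID of the property set (e.g. the "Exchange
        # Information" sets that ADUC shows by name); IsInherited tells you
        # whether the ACE came from the OU or was set explicitly on the object
        ExchangeServersAce = $aces | Select-Object AccessControlType,
                                 ActiveDirectoryRights, IsInherited, ObjectType
    }
}

# Usage: run once for the affected user and once for a user that syncs fine,
# then compare the two outputs
Get-ExchangeServersAce -SamAccountName 'affected.user' | Format-List
```

Comparing the two lists shows exactly which rights the affected object lacks, which is narrower than granting Full Control outright.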