No Email on iPhone or Droids

Exchange 2016 – Active Sync inheritable permissions issue

There is a known issue regarding the EAS especially for the new users related to AD permissions, and you may discover it by checking iis logs and found the error like below example:

y default, the Exchange Server group has rights to create and delete msExchActiveSyncDevices objects. However, the Exchange Server group does not have rights to change permissions on msExchActiveSyncDevices. Instead, the rights are inherited from the Owner Rights security principal. By default, the Owner Rights security principal has Full Control permissions.

So this issue can occur if the Owner Rights security principal has Read permissions on msExchActiveSyncDevices objects.

There are two solution:

First solution is to add exchange server permissions to the target OU or users as following:

• Start Active Directory Users and Computers.
• Click View, and then click to enable Advanced Features.
• Right-click the object where you want to change the Exchange Server permissions, and then click Properties.
• On the Security tab, click Advanced.
• Click Add, type Exchange Servers, and then click OK.
• In the Apply to box, click Descendant msExchActiveSyncDevices objects.
• Under Permissions, click to enable Modify Permissions.
• Click OK three times

Second solution is to enable inheritance for the user permissions as following:

• Open Active Directory Users and Computers.
• On the menu at the top of the console, click View > Advanced Features.
• Locate and right-click the mailbox account in the console, and then click Properties.
• Click the Security tab.
• Click Advanced.
• Make sure that the check box for “Include inheritable permissions from this object’s parent” is selected.

http://msexchangeguru.com/2018/01/23/active-sync-inheritable-permissions-issue/