Hi All,
I've just migrated from Exchange 2007 to 2010 and have come across the issue where my domain administrators aren't able to use ActiveSync. I understand this is expected behaviour due to the protection of user accounts who are members of privilaged security groups whose permissions are enforced from the AdminSDHolder object.
I agree that the whole SDPROP/ADminSDHolder feature is a good idea and I'm currently reviewing the option of creating dedicated (non day-to-day) accounts for domain administration duties.
In the meantime though I enabled inheritance on a domain admin account and were able to setup EAS on a WP7.5 device fully expecting it to stop working within the hour once the SDPROP mechinism had kicked in again. However, here I am nearly three hours later and the device is still synching, even though the inherited permissions for the account have indeed been removed automatically. Is this expected behaviour and does that mean that the permissions (described inKB2579075) are only required when the EAS device is initially setup?
Many thanks in advance.
Ross
