Try our new Certificate Revocation List Check Tool
CRLcheck.exe is a tool developed to verify digital signatures of executable files. It collects files from known paths on your client, checks their signature, and checks Certificate Revocation Lists (CRL) and OCSP download. This helps avoid delays in launching files.
Category published:  M365,AZURE,INTUNE Microsoft Exchange   Click on the Category button to get more articles regarding that product.

Exchange: Activesync 1053 Event, 4003 Error 2007/2010/2013/2016 Adminsholder

Posted by admin on 15.10.2021

Activesync with Exchange 2013 does not work, ADMINSHOLDER Flag (an old bad friend)

ERROR YOU SEE: Access+is+denied.%0d%0aActive+directory+response%3a+00000005%3a+SecErr%3a+DSID-03152612%2c+problem+4003+(INSUFF%5FACCESS%5FRIGHTS)%2c+data+0%0a_

We just had a user with Activesync with a user migrated from 2007 to 2013. The user was fresh made on 2007 and migrated forth and back a few times.

https://testconnectivity.microsoft.com/

Did show all info he can get and one thing triggered alerts with us. 4003+(INSUFF%5FACCESS%5FRIGHTS)

This was back 2003 > 2007 Migrations but comes again and again. Strange thing is that the test user account is only in a few groups and we never made him LOCALADMIN. But one group still seems to trigger the ADMINSHOLDER flags which should protect special accounts like “IISUSER” or Administrator.

Then we did see why.
If the user is member of the group “PRINT OPERATORS” this will be the case.

So GPO, Activesync and many other things will not work. This has been mentioned here:

Good explanation from John Pollicelli

https://technet.microsoft.com/en-us/magazine/2009.09.sdadminholder.aspx

https://technet.microsoft.com/de-de/magazine/2009.09.sdadminholder.aspx

 

 

https://www.butsch.ch/post/Migrated-NT42000-users-are-unable-to-ActiveSync-with-Exchange-Code-0x85010014.aspx

https://www.butsch.ch/post/Exchange-2003-3e-2007-3e-2010-User-Move-Request-fails-ADMINCOUNT3d1-INSUFF_ACCESS_RIGHTS.aspx

Resolution:

FIX the Inheritance of the account and all will work fine. See our other two posts on how to do that.

 

The Red part below (RED-X)

Activesync Log from https://testconnectivity.microsoft.com/
 

  

blUh4pH%2b19L4b%2fRk6uRZ%2bwFDxipa3umOc5NWKd8j3WZE%2f1rztOVQr3A7yqhQbWsCubcT0xJwV4JpO6fVK4ruS7rFkPgTuafoTzZOwv5kvn2wZAkGBr1hGm6NGz8%2fo4vFol0hWLVSJE3%2fX78fmSReawv4CBVixAAzyTR%2bm65WPSw86qwPxjfVseQiOrJ9qzUR8%2bPztEYmDjqvAfiVSNT6ouXwZf8%2fIpLnSalOyvp6n73yvkLu9rfgOsaQxOzJAX1TueDMkuiGV1EsG6HEYy3lD0Mdxo40pRRBknDTp58DusHBvAN8ud7YydsWys9YscJ5Agm9F2a7b6qIT%2bZ%2frM9%2btPQRyan97mInwoRsp1cgvsaffQtFPq9%2b%2fUjmh5g4UMvjYsM%2fVzVR2Of0c43FBQRBOkBfuavQW%2fwf%2fpr8BtFs28meQ0AAA%3d%3d_S111_Error:ADOperationException1%3aActive+Directory+operation+failed+on+MUNWDC1.butsch.ch.+This+error+is+not+retriable.+Additional+information%3a+Access+is+denied.%0d%0aActive+directory+response%3a+00000005%3a+SecErr%3a+DSID-03152612%2c+problem+4003+(INSUFF%5FACCESS%5FRIGHTS)%2c+data+0%0a_Mbx:EXCHANGE2013BUTSCH.butsch.ch_Dc:MUNWDC1.butsch.ch_Throttle0_SBkOffD:L%2f-470_DBL7_DBS1_CmdHC-1477255686_TmRcv08:05:50.2747716_TmSt08:05:50.2747716_TmDASt08:05:50.4310224_TmPolSt08:05:50.4622759_TmExSt08:05:50.4935244_TmExFin08:05:50.9622794_TmFin08:05:51.0716528_TmCmpl08:06:10.27494_ActivityContextData:ActivityID%3d5eeffb0c-62d3-46fe-994c-X-DiagInfo: EXCHANGE2013BUTSCH

X-BEServer: EXCHANGE2013BUTSCH

Cache-Control: private

Content-Type: text/html; charset=utf-8

Set-Cookie: ClientId=IARSMT0ZIEEVVIXDSSW; expires=Thu, 18-May-2017 08:05:50 GMT; path=/; HttpOnly,X-BackEndCookie=S-1-5-21-4456168801-1912567065-1745900225-5325=u56Lnp2ejJqBysnJysyZzJzSz5maztLLnZvO0sabnszSncrHms3JzZ7Jm8zIgYHNz87J0s/J0s7Iq8/Hxc/Jxc7P; expires=Fri, 17-Jun-2016 08:06:10 GMT; path=/Microsoft-Server-ActiveSync; secure; HttpOnly

Server: Microsoft-IIS/8.5

X-AspNet-Version: 4.0.30319

X-Powered-By: ASP.NET

X-FEServer: EXCHANGE2013BUTSCH

 

Get a list of all user who have such a behaviour:

Windows Server 2008R2, blaue Powershell aufmachen

Import-Module ActiveDirectory

Get-ADUser -LDAPFilter “(objectcategory=person)(samaccountname=*)(admincount=1)”

Es gibt eine einfache Möglichkeit, um festzustellen, welche Benutzer und Gruppen in Ihrer Domäne AdminSDHolder geschützt.Sie können Abfragen das Attribut AdminCount, um festzustellen, ob ein Objekt durch das AdminSDHolder-Objekt geschützt ist.Die folgenden Beispiele verwenden das ADFind.exe-Tool, das von Joeware gedownloadet werden kann.NET.

  • Suchen alle Objekte in einer Domäne, die durch AdminSDHolder geschützt sind, geben Sie:

    Adfind.exe -b DC=domain,DC=com -f “adminCount=1” DN

  • Suchen alle Benutzerobjekte in einer Domäne, die durch AdminSDHolder geschützt sind, geben Sie:

    Adfind.exe -b DC=domain,DC=com -f “(&(objectcategory=person)(objectclass=user)(admincount=1))” DN

  • Suchen alle Gruppen in einer Domäne, die durch AdminSDHolder geschützt sind, geben Sie:

    Adfind.exe -b DC=domain,DC=com -f “(&(objectclass=group)(admincount=1))” DN

    Hinweis: Ersetzen Sie in den vorherigen Beispielen, DC = Domain, DC = com mit dem definierten Namen Ihrer Domäne.


 Category published:  M365,AZURE,INTUNE Microsoft Exchange   Click on the Category button to get more articles regarding that product.

Related Post

M365, Intunes Company Portal 0x87D1041C when UWP assigned to user AND device

SMB over QUIC a OneDrive, Sharepoint replacement, SRV 2025?

16.07.2024, Problem Office 365 und shared Kalender MS EX814289

Template theme: Newsup by Themeansar (External Link, you will leave www.butsch.ch).