The most common cause for this is broken Access Control List (ACL) inheritance in Active Directory.
To check whether inheritance is disabled on the user:
1. Open Active Directory Users and Computers.
2. On the menu at the top of the console, click View > Advanced Features.
3. Locate and right-click the mailbox account in the console, and then click Properties.
4. Click the Security tab.
5. Click Advanced.
6. Make sure that the check box for “Include inheritable permissions from this object’s parent” is selected.
If the user is a member of certain protected groups such as Domain Administrators, it is normal for this box to be unchecked. If you are experiencing a problem with members of these protected groups you should check the permissions on the AdminSDHolder object.
To work around this issue, assign the Exchange Servers group the right to change permissions against msExchActiveSyncDevices objects. To do this, follow these steps:
- Start Active Directory Users and Computers.
- Click View, and then click to enable Advanced Features.
- Right-click the object where you want to change the Exchange Server permissions, and then click Properties.
Note You can change permissions against a user, an organizational unit, or a domain.
- On the Security tab, click Advanced.
- Click Add, type Exchange Servers, and then click OK.
- In the Apply to box, click Descendant msExchActiveSyncDevices objects.
- Under Permissions, click to enable Modify Permissions.
- Click OK three times.