Wednesday, 28 October 2015

Unable to sync phone to Exchange

If you've been following my blog for the last few weeks you'll have heard me talk about the Exchange 2013 migration project I've been working on.  Well we hit another snag in the migration the other day around the users mobile phones not syncing to the new mailbox server after moving to Exchange 2013.

At first we thought it was just one or two users but it transpired that over 80 users were affected!! After investigating whether or not ActiveSync was working as expected (it was) we turned our attention to looking at an issue within the users accounts.

It turned out that the 80 users were all a member of a protected group within Active Directory and weren't getting the correct permissions to sync their phones as per Microsoft's best practices.

In order to get to that stage I used some PowerShell queries which I thought were quite interesting so I'm sharing.

I used the following command to query Active Directory for all users that had the "AdminCount" attribute set to something greater than 0.  If set to 1 it indicates the user is either a member of a protected group or has been:


Import-Module ac* 
Get-ADuser -filter {admincount -gt 0} -Properties admincount -ResultSetSize $null | export-csv c:\\onyx\document.csv

To find out which groups within the Active Directory environment I was working in were considered a Protected Group I ran the following query:

Import-Module ac*
Get-ADgroup -LDAPFilter "(admincount=1)" | select name 

From there I was able to check the groups individually to see which ones contained, if any, the users that were having issues with their phones.  All the affected users were a member of the "Print Operators" group. Mystery solved!



No comments:

Post a Comment