Account for Exchange ActiveSync service
When an Exchange Mobile Device Server is installed, an account is automatically created in Active Directory:
- On Microsoft Exchange Server 2010 or 2013: a KLMDM4ExchAdmin***** account that is a member of the KLMDM Role Group role group.
- On Microsoft Exchange Server 2007: a KLMDM4ExchAdmin***** account that is a member of the KLMDM Secure Group security group.
The Exchange Mobile Device Server service runs under this account.
If you do not want this account to be generated automatically, create a custom account with the following rights:
- When using Microsoft Exchange Server 2010 or 2013, the account must be assigned a role that is allowed to run the following cmdlets:
  - Get-CASMailbox
  - Set-CASMailbox
  - Remove-ActiveSyncDevice
  - Clear-ActiveSyncDevice
  - Get-ActiveSyncDeviceStatistics
  - Get-AcceptedDomain
  - Set-AdServerSettings
  - Get-ActiveSyncMailboxPolicy
  - New-ActiveSyncMailboxPolicy
  - Set-ActiveSyncMailboxPolicy
  - Remove-ActiveSyncMailboxPolicy
- When using Microsoft Exchange Server 2007, the account must be granted the access rights to Active Directory objects listed in the table below.
Access rights to Active Directory objects (each row lists the access level, the object it applies to, and the cmdlet that grants it)

Access: Full
Object: container "CN=Mobile Mailbox Policies,CN=<Organization name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<Domain name>"
Cmdlet: Add-ADPermission -User <User or group name> -Identity "CN=Mobile Mailbox Policies,CN=<Organization name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<Domain name>" -InheritanceType All -AccessRights GenericAll

Access: Read
Object: container "CN=<Organization name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<Domain name>"
Cmdlet: Add-ADPermission -User <User or group name> -Identity "CN=<Organization name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<Domain name>" -InheritanceType All -AccessRights GenericRead

Access: Read/write
Object: the msExchMobileMailboxPolicyLink and msExchOmaAdminWirelessEnable properties of objects in Active Directory
Cmdlet: Add-ADPermission -User <User or group name> -Identity "DC=<Domain name>" -InheritanceType All -AccessRights ReadProperty,WriteProperty -Properties msExchMobileMailboxPolicyLink,msExchOmaAdminWirelessEnable

Access: Extended right ms-Exch-Store-Admin
Object: mailbox databases of the Exchange server, container "CN=Databases,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=<Organization name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<Domain name>"
Cmdlet: Get-MailboxDatabase | Add-ADPermission -User <User or group name> -ExtendedRights ms-Exch-Store-Admin
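The following script is an added example (not Kaspersky's or Microsoft's code) of building the least-privilege role described above for Exchange Server 2010/2013: it finds which built-in roles contain the required cmdlets, derives custom roles from them with every other cmdlet removed, assigns them to a role group, and verifies that the group grants exactly the listed cmdlets. It assumes the Exchange Management Shell run by an Organization Management member; the account name "svc-klmdm" and the "KLMDM Custom" names are placeholders.

```powershell
# Cmdlets the custom Exchange Mobile Device Server account needs (from the list above).
$RequiredCmdlets = @(
    'Get-CASMailbox', 'Set-CASMailbox',
    'Remove-ActiveSyncDevice', 'Clear-ActiveSyncDevice', 'Get-ActiveSyncDeviceStatistics',
    'Get-AcceptedDomain', 'Set-AdServerSettings',
    'Get-ActiveSyncMailboxPolicy', 'New-ActiveSyncMailboxPolicy',
    'Set-ActiveSyncMailboxPolicy', 'Remove-ActiveSyncMailboxPolicy'
)
$ServiceAccount = 'svc-klmdm'                # placeholder: the custom service account
$RoleGroupName  = 'KLMDM Custom Role Group'  # placeholder: the role group to create

# 1. Record which required cmdlets each built-in (root) role contains. A custom role can
#    only inherit entries from a single parent, so more than one parent may be needed.
$coverage = @{}
foreach ($role in (Get-ManagementRole | Where-Object { $_.IsRootRole })) {
    $names = @(Get-ManagementRoleEntry "$($role.Name)\*" | ForEach-Object { $_.Name })
    $hits  = @($RequiredCmdlets | Where-Object { $names -contains $_ })
    if ($hits.Count -gt 0) { $coverage[$role.Name] = $hits }
}

# 2. Greedy set cover: choose parent roles until every required cmdlet is covered.
$remaining = @($RequiredCmdlets)
$parents   = @()
while ($remaining.Count -gt 0) {
    $best = $coverage.Keys |
        Sort-Object { @($coverage[$_] | Where-Object { $remaining -contains $_ }).Count } -Descending |
        Select-Object -First 1
    if (-not $best) { throw "No built-in role contains: $($remaining -join ', ')" }
    $covered = @($coverage[$best] | Where-Object { $remaining -contains $_ })
    if ($covered.Count -eq 0) { throw "No built-in role contains: $($remaining -join ', ')" }
    $parents  += $best
    $remaining = @($remaining | Where-Object { $covered -notcontains $_ })
}

# 3. Derive one custom role per parent and strip every entry the service does not need.
$customRoles = @()
foreach ($parent in $parents) {
    $roleName = "KLMDM Custom - $parent"
    New-ManagementRole -Name $roleName -Parent $parent | Out-Null
    Get-ManagementRoleEntry "$roleName\*" |
        Where-Object { $RequiredCmdlets -notcontains $_.Name } |
        Remove-ManagementRoleEntry -Confirm:$false
    $customRoles += $roleName
}

# 4. Group the custom roles and add the service account as the only member.
New-RoleGroup -Name $RoleGroupName -Roles $customRoles -Members $ServiceAccount | Out-Null

# 5. Verify: empty Compare-Object output means the group grants exactly the required cmdlets.
$granted = @(foreach ($r in $customRoles) { Get-ManagementRoleEntry "$r\*" | ForEach-Object { $_.Name } })
Compare-Object -ReferenceObject ($RequiredCmdlets | Sort-Object) -DifferenceObject ($granted | Sort-Object -Unique)
```

Any line printed by the final Compare-Object is a cmdlet that is either missing from the role group or granted beyond the required list, and should be reviewed before the account is put into service.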