Exchange 2010 - ActiveSync for Domain Admins


Category: Tech
Posted by Andre Chambers on April 21st, 2010


We recently field tested Exchange 2010. Most of our feedback is extremely positive: the new OWA (now "Outlook Web App" instead of "Outlook Web Access") is slick and cross-browser compatible, and installation should pose no issues for those comfortable with Exchange 2007.

One complication that we did have was syncing up with mobile devices, which has really been complicated since the advent of RPC over HTTP/s (now "Outlook Anywhere"). We were having mixed success, noting that some users in seemingly identical configurations were able to get their mail on their phone, and others not so well.

It turns out that Domain Admins have additional restrictions on the security of their accounts, and sparing the technical details, Domain Admins lack the security context required to use ActiveSync remotely. There's no (easy) way to get around this -- we spent a bit of time, and none of the options were good ones. The best option is to give each Domain Admin two accounts: one without admin privileges for day-to-day activities, including e-mail, and the other for administering the domain. This is a best practice for security anyway (using regular accounts for day-to-day activities so that privileged accounts aren't compromised by viruses, workstations left unlocked, etc.), despite it being the rare administrator who admits it.
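One way to check a domain against the two-account recommendation above is to list the Domain Admins members that still carry a mailbox. This is an added example, not code from the original post: the function name `Get-MailEnabledAdmin` and the sample accounts are hypothetical, and the live query in the comments assumes the ActiveDirectory (RSAT) module is installed.

```powershell
# Added example: flag privileged accounts that are also used for e-mail.
# A mailbox-enabled user has the homeMDB attribute set (DN of its mailbox database).

function Get-MailEnabledAdmin {
    [CmdletBinding()]
    param(
        # Any object exposing SamAccountName, homeMDB, mail and Enabled,
        # e.g. the output of Get-ADUser -Properties homeMDB, mail
        [Parameter(Mandatory, ValueFromPipeline)]
        [object] $User
    )
    process {
        # Casting to [string] turns a missing attribute ($null) into ''
        $hasMailbox = -not [string]::IsNullOrEmpty([string]$User.homeMDB)
        if ($hasMailbox) {
            [pscustomobject]@{
                SamAccountName = $User.SamAccountName
                Mail           = $User.mail
                Enabled        = $User.Enabled
                Finding        = 'Privileged account has a mailbox; move mail to a standard account'
            }
        }
    }
}

# Constructed sample data so the function can be tried without a domain.
$sample = @(
    [pscustomobject]@{ SamAccountName = 'jdoe-adm'; homeMDB = $null
                       mail = $null; Enabled = $true }
    [pscustomobject]@{ SamAccountName = 'asmith'
                       homeMDB = 'CN=DB01,CN=Databases,DC=example,DC=test'
                       mail = 'asmith@example.test'; Enabled = $true }
    [pscustomobject]@{ SamAccountName = 'jdoe'; homeMDB = ''
                       mail = $null; Enabled = $false }
)

# Only 'asmith' is reported: it is the one sample account with homeMDB set.
$sample | Get-MailEnabledAdmin | Format-Table -AutoSize

# Against a live domain (read-only query):
# Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
#     Where-Object objectClass -eq 'user' |
#     Get-ADUser -Properties homeMDB, mail |
#     Get-MailEnabledAdmin
```

Each account reported is a candidate for the split described above: mail and ActiveSync move to a standard account, and the privileged account is kept for domain administration only.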
