After completing an Exchange 2007 to Exchange 2010 migration, a couple of users stopped receiving emails on their mobile devices. The iPhone would go through account verification successfully, but when trying to pull actual emails it would show the error "connection to the server failed".
The Exchange Client Access server application logs were recording the following error:
Source: MSExchange ActiveSync
Event ID: 1053
Exchange ActiveSync doesn't have sufficient permissions to create the "CN=[user name],OU=[User OU],DC=[domain],DC=com" container under Active Directory user "Active Directory operation failed on [DC server name]. This error is not retriable. Additional information: Access is denied.
Active directory response: 00000005: SecErr: DSID-03151E07, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
Make sure the user has inherited permission granted to domain\Exchange Servers to allow List, Create child, Delete child of object type "msExchActiveSyncDevices" and doesn't have any deny permissions that block such operations.
This seems to be happening because inheritable permissions are disabled for the user (which is normal for domain admins). It doesn't affect all such users and looks like a bug.
Open the user account properties in Active Directory Users and Computers, go to the Security tab > Advanced, and check "Include inheritable permissions from this object's parents".
Inheritance will probably be removed by Active Directory again, but in my experience this didn't cause any issues once the initial synchronization is completed.
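
The same check and fix from PowerShell, as an added example that is not part of the original post. It assumes the RSAT ActiveDirectory module is installed; the function names are made up for this example and `jdoe` is a placeholder account name.

```powershell
# Added example. Assumes the RSAT ActiveDirectory module (provides the AD: drive).
Import-Module ActiveDirectory

# Report enabled users whose ACL does not inherit from the parent container.
function Get-InheritanceBlockedUser {
    param([string]$SearchBase)   # optional OU to limit the search
    $query = @{ Filter = 'Enabled -eq $true'; Properties = 'nTSecurityDescriptor', 'adminCount' }
    if ($SearchBase) { $query.SearchBase = $SearchBase }
    Get-ADUser @query |
        Where-Object { $_.nTSecurityDescriptor.AreAccessRulesProtected } |
        Select-Object SamAccountName, adminCount, DistinguishedName
}

# Re-enable inheritance on one account (the GUI checkbox from the post).
function Enable-UserAclInheritance {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Identity)
    $user = Get-ADUser -Identity $Identity
    $path = "AD:\$($user.DistinguishedName)"
    $acl  = Get-Acl -Path $path
    if (-not $acl.AreAccessRulesProtected) {
        Write-Verbose "$Identity already inherits permissions"
        return
    }
    if ($PSCmdlet.ShouldProcess($user.DistinguishedName, 'Enable ACL inheritance')) {
        # isProtected = $false turns inheritance back on; the second argument
        # is ignored in that case.
        $acl.SetAccessRuleProtection($false, $true)
        Set-Acl -Path $path -AclObject $acl
    }
    # Show the Exchange Servers entries currently on the object.
    (Get-Acl -Path $path).Access |
        Where-Object { $_.IdentityReference -like '*\Exchange Servers' } |
        Select-Object IdentityReference, ActiveDirectoryRights, IsInherited
}

# adminCount = 1 marks accounts protected by AdminSDHolder; their inheritance
# flag is cleared again on the next SDProp run.
Get-InheritanceBlockedUser | Format-Table -AutoSize

# 'jdoe' is a placeholder account name; -WhatIf previews without changing the ACL.
Enable-UserAclInheritance -Identity 'jdoe' -WhatIf
```

Drop `-WhatIf` to apply the change, then retry the device sync before the protected ACL is reapplied.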