Kaspersky Security Center

User's rights to manage Exchange ActiveSync mobile devices

July 22, 2024

ID 77974

To manage mobile devices running under the Exchange ActiveSync protocol with Microsoft Exchange Server 2010 or Microsoft Exchange Server 2013, make sure that the user is included in a role group for which the following commandlets are allowed to execute:

  • Get-CASMailbox
  • Set-CASMailbox
  • Remove-ActiveSyncDevice
  • Clear-ActiveSyncDevice
  • Get-ActiveSyncDeviceStatistics
  • Get-AcceptedDomain
  • Set-AdServerSettings
  • Get-ActiveSyncMailboxPolicy
  • New-ActiveSyncMailboxPolicy
  • Set-ActiveSyncMailboxPolicy
  • Remove-ActiveSyncMailboxPolicy

To manage mobile devices running under Exchange ActiveSync protocol with Microsoft Exchange Server 2007, make sure that the user has been granted administrator rights. If the rights have not been granted, execute the commandlets to assign the administrator rights to the user (see the table below).

Administrator rights required for managing Exchange ActiveSync mobile devices on Microsoft Exchange Server 2007





Branch "CN=Mobile Mailbox Policies,CN=Your Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=yourdomain"

Add-ADPermission -User <User or group name> -Identity "CN=Mobile Mailbox Policies,CN=<Organization name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<Domain name>" -InheritanceType All -AccessRight GenericAll


Branch "CN= Your Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC= yourdomain"

Add-ADPermission -User <User or group name> -Identity "CN=<Organization name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<Domain name>" -InheritanceType All -AccessRight GenericRead


Properties msExchMobileMailboxPolicyLink and msExchOmaAdminWirelessEnable for objects in Active Directory

Add-ADPermission -User <User or group name> -Identity "DC=<Domain name>" -InheritanceType All -AccessRight ReadProperty,WriteProperty -Properties msExchMobileMailboxPolicyLink, msExchOmaAdminWirelessEnable


Mailbox repositories for ms-Exch-Store-Admin

Get-MailboxDatabase | Add-ADPermission -User <user or group name> -ExtendedRights ms-Exch-Store-Admin

For detailed information about how to use commandlets in Exchange Management Shell console, please refer to the Microsoft Exchange Server Technical Support website.

See also:

Scenario: Mobile Device Management deployment

Did you find this article helpful?
What can we do better?
Thank you for your feedback! You're helping us improve.
Thank you for your feedback! You're helping us improve.