One of the things that is not well documented is that in Exchange 2010, if you are a member of the inbuilt Administrators group, you will NOT be able to use ActiveSync to access your mail. If you try, you will get the following error message: “An HTTP 403 forbidden response was received. The response appears to have come from IIS7”. If you look closely, you will see the text “403 – Forbidden: Access is denied.” within it.
This issue affects all web-based access to Exchange 2010 for members of any privileged group such as Administrators, Domain Admins, Enterprise Admins, or Schema Admins. MAPI-based access is not restricted in this way at all – only web-based access, which means things like ActiveSync, OWA or Outlook Anywhere, will be hit with this issue.
What this means is that Microsoft are reinforcing the fact that you should NOT be using your normal everyday user account as a member of these high-privilege groups. The solution is dead simple. Get the user out of those groups and into other groups. If the user needs to perform administrative functions on your server, then give them a separate admin account to do that with. Don’t let them continue with lax security.
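To find the accounts that need splitting, the following added example (not from the original post) lists every mailbox-enabled user that is a direct or nested member of the four privileged groups named above. It assumes the ActiveDirectory module (RSAT), PowerShell 3.0 or later, and a single-domain forest where all four groups resolve by name; the `homeMDB` attribute is used as the indicator that an account has a mailbox.

```powershell
# Added example: audit mailbox-enabled accounts in the privileged groups named in the post.
# Assumptions: ActiveDirectory module available, PowerShell 3.0+, all groups resolvable by name.
Import-Module ActiveDirectory

$privilegedGroups = 'Administrators', 'Domain Admins', 'Enterprise Admins', 'Schema Admins'

$findings = foreach ($group in $privilegedGroups) {
    try {
        # -Recursive expands nested groups and returns only the leaf members
        $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction Stop |
            Where-Object { $_.objectClass -eq 'user' }
    } catch {
        Write-Warning "Could not enumerate '$group': $($_.Exception.Message)"
        continue
    }

    foreach ($member in $members) {
        $user = Get-ADUser -Identity $member.distinguishedName -Properties homeMDB, mail
        # homeMDB is populated only for accounts that have an Exchange mailbox
        if ($user.homeMDB) {
            [pscustomobject]@{
                SamAccountName  = $user.SamAccountName
                Mail            = $user.mail
                Enabled         = $user.Enabled
                PrivilegedGroup = $group
            }
        }
    }
}

# Collapse to one row per account, listing every privileged group it was found in
$findings | Group-Object SamAccountName | ForEach-Object {
    [pscustomobject]@{
        SamAccountName   = $_.Name
        Mail             = $_.Group[0].Mail
        Enabled          = $_.Group[0].Enabled
        PrivilegedGroups = ($_.Group.PrivilegedGroup | Sort-Object -Unique) -join ', '
    }
} | Sort-Object SamAccountName | Format-Table -AutoSize
```

Each account in the output is a candidate for the fix described above: remove it from the listed groups and issue a separate admin account with no mailbox.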