Resolve ActiveSync error “You have reached the maximum number of devices allowed in your device network” !!

Most of you must have spent at least some time trying to figure out issues related to the ActiveSync feature of Microsoft Exchange Server. Recently, I received a request to configure Exchange email for a user on his iPhone. The client infrastructure has an Exchange 2010 SP1 server.

I received the below error when trying to configure the email on my mobile.

However, when troubleshooting using the Microsoft Ex RCA tool, no issues were reported. When the usual troubleshooting steps did not help me, I executed the below shell command in Exchange Management Shell:

Get-ThrottlingPolicy

According to the EASMaxDevices value, only 10 ActiveSync devices are permitted to be connected to the network. This is the default setting in Exchange Server 2010 SP1.

To increase the number of devices, the following command can be executed in EMS:

Set-ThrottlingPolicy -EASMaxDevices 40 -Identity DefaultThrottlingPolicy

The Identity value can be found in the output of the Get-ThrottlingPolicy command. The above command increases the number of ActiveSync devices to 40.

Once the above steps were performed, I was able to configure the mailbox on my Android phone.
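An added example (not from the original post) that goes a step beyond the single command above: EASMaxDevices counts device partnerships per mailbox, so it first lists the affected user's partnerships, previews removal of stale ones, and then raises the limit for that mailbox alone through a dedicated throttling policy instead of changing the default policy for everyone. The mailbox 'jdoe', the policy name 'EAS-ExtraDevices' and the 90-day cutoff are assumptions.

```powershell
# Added example; run in the Exchange Management Shell on Exchange 2010 SP1.
# 'jdoe' and 'EAS-ExtraDevices' are hypothetical names; 90 days is an assumed cutoff.
$mailbox = 'jdoe'

# 1. Show the device limit of every throttling policy and which one is the default.
Get-ThrottlingPolicy | Format-Table Name, IsDefault, EASMaxDevices -AutoSize

# 2. List the user's ActiveSync device partnerships, oldest sync first.
$devices = Get-ActiveSyncDeviceStatistics -Mailbox $mailbox | Sort-Object LastSuccessSync
$devices | Format-Table DeviceType, DeviceID, LastSuccessSync -AutoSize
"Partnerships for ${mailbox}: $(@($devices).Count)"

# 3. Partnerships with no successful sync in 90 days (or none at all) are usually
#    replaced or lost phones. -WhatIf only previews the removal; drop it to apply.
$cutoff = (Get-Date).AddDays(-90)
$devices | Where-Object { $_.LastSuccessSync -lt $cutoff } | Remove-ActiveSyncDevice -WhatIf

# 4. If the user really needs more devices, raise the limit for this mailbox only
#    by assigning a dedicated policy; the default policy stays at its current value.
if (-not (Get-ThrottlingPolicy -Identity 'EAS-ExtraDevices' -ErrorAction SilentlyContinue)) {
    New-ThrottlingPolicy -Name 'EAS-ExtraDevices' -EASMaxDevices 40
}
Set-Mailbox -Identity $mailbox -ThrottlingPolicy 'EAS-ExtraDevices'

# 5. Confirm which policy the mailbox now uses.
Get-Mailbox -Identity $mailbox | Format-List Name, ThrottlingPolicy
```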

 

Reference : http://mobilitydojo.net/2010/09/03/exchange-2010-sp1-limits-the-number-of-activesync-devices-you-can-synchronize/

Troubleshooting Outlook Anywhere issues

Resolving Outlook Anywhere issues can sometimes be very tedious. The best tool you can use to troubleshoot or test Outlook Anywhere is Microsoft’s own Remote Connectivity Analyzer, available at https://testconnectivity.microsoft.com.

The interface is shown below:

To test Outlook Anywhere, select the Outlook Connectivity option and click Next.

On the next page, fill in the text boxes as shown in the screenshot below.

Note: If you have configured Autodiscover for Exchange, select the ‘Use Autodiscover to detect server settings’ option to detect your server automatically; otherwise select ‘Manually specify server settings’ and provide the settings manually. When providing the settings manually, make sure that the internal hostname of the Exchange Server is entered under Exchange Server. Specify the type of authentication configured, either Basic or NTLM.

The connectivity analyzer will now perform a series of tests. The tests differ slightly depending on whether you chose to detect the server using Autodiscover or manual settings. For manual settings, the tests run in this order:

  1. Resolve the external hostname of the Exchange Server in DNS
  2. Check and confirm that TCP port 443 is listening and open
  3. Check the validity of the SSL certificate
  4. Check the IIS configuration for client certificate authentication
  5. Check the configured authentication mechanism, e.g. Basic, NTLM, Negotiate
  6. Check valid ports 6001, 6002, 6004, etc.
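The first three checks in the manual-settings list can be reproduced from any external Windows machine, which helps when the analyzer reports a failure and you want to see the raw result. This is an added example, not part of the original post or of the analyzer; the function name 'Test-OAEndpoint' and the hostname 'mail.example.com' are assumptions.

```powershell
# Added example; run from a machine outside the network.
# 'mail.example.com' is a placeholder for your Outlook Anywhere external hostname.
function Test-OAEndpoint {
    param([string]$HostName, [int]$Port = 443)

    $r = New-Object PSObject -Property @{
        HostName = $HostName; Resolved = $false; PortOpen = $false
        CertSubject = $null; CertExpires = $null; CertErrors = $null
    }

    # Step 1: resolve the external hostname in DNS.
    try { [void][System.Net.Dns]::GetHostAddresses($HostName); $r.Resolved = $true }
    catch { return $r }

    # Step 2: confirm that TCP port 443 accepts a connection.
    $client = New-Object System.Net.Sockets.TcpClient
    try { $client.Connect($HostName, $Port); $r.PortOpen = $true }
    catch { return $r }

    # Step 3: complete the TLS handshake and record what .NET certificate validation
    # reports (None, RemoteCertificateNameMismatch, RemoteCertificateChainErrors).
    # The callback accepts the certificate only so that its details can be read here;
    # no application data is sent over the connection.
    $script:oaCertErrors = $null
    $callback = [System.Net.Security.RemoteCertificateValidationCallback] {
        param($s, $certificate, $chain, $policyErrors)
        $script:oaCertErrors = $policyErrors
        $true
    }
    try {
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $r.CertSubject = $cert.Subject
        $r.CertExpires = $cert.NotAfter
        $r.CertErrors  = $script:oaCertErrors
    }
    catch { $r.CertErrors = "TLS handshake failed: $($_.Exception.Message)" }
    finally { $client.Close() }
    return $r
}

Test-OAEndpoint -HostName 'mail.example.com' | Format-List
```

A CertErrors value other than None means Outlook clients will see a certificate problem: a name mismatch, an untrusted chain or an expired certificate.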

In case of Autodiscover, the tests will be:

  1. Test the Autodiscover URL, https://url:443/Autodiscover/Autodiscover.xml
  2. Resolve the external hostname of the Exchange Server in DNS
  3. Check and confirm that TCP port 443 is listening and open
  4. Test the autodiscover URL, https://url:443/Autodiscover/Autodiscover.xml
  5. Resolve autodiscover.servername in DNS
  6. Check the presence of SRV record in DNS
  7. Check the presence of the Autodiscover CNAME record in DNS, etc.

If the server configuration is correct, you will receive a notification that ‘The Outlook Connectivity test completed successfully.’ Otherwise, a failure message will be reported with the exact error.

One of the errors I received recently is shown below:

Troubleshooting the Exchange Server:

  • On the Exchange Server, check and confirm that the RPC over HTTP Proxy feature is installed

  • Confirm that a valid SSL certificate is present and that the name on the certificate matches the external hostname configured for Outlook Anywhere

  • Check the authentication configured for Outlook Anywhere and confirm it is the same in the Exchange Management Shell and in IIS
  • Check and confirm that the RPC Proxy server uses the valid ports for RPC over HTTP. In Registry Editor, navigate to HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\RPC\RPCPROXY.

Make sure the data in the ValidPorts value is as follows:

NETBIOS:6001-6002;FQDN:6001-6002;NETBIOS:6004;FQDN:6004

Here NETBIOS and FQDN stand for the NetBIOS name and the FQDN of the Exchange server.

  • Check and confirm the authentication configured for the RPC virtual directory in IIS. This should be the same as the authentication type configured for Outlook Anywhere

Once the above settings are verified, you can test the Outlook Anywhere connection either by configuring Outlook on an external machine or by using Remote Connectivity Analyzer.

For steps to test Outlook Anywhere on your machine make use of this link.

To check the Outlook Anywhere configuration from PowerShell, use the command “Get-OutlookAnywhere | fl”.
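The server-side checks from the troubleshooting list (certificate, authentication and ValidPorts) can be done in one pass from the Exchange Management Shell. This is an added example, not from the original post; it assumes it runs on the Exchange server that hosts the RPC proxy and that DNS returns that server's FQDN.

```powershell
# Added example; run in the Exchange Management Shell on the server hosting the RPC proxy.
$netbios = $env:COMPUTERNAME
# Assumption: a DNS lookup of the local computer name returns the server's FQDN.
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

# The four entries the post says ValidPorts must contain.
$expected = @(
    "${netbios}:6001-6002", "${fqdn}:6001-6002",
    "${netbios}:6004",      "${fqdn}:6004"
)

# Read ValidPorts and split it into individual entries.
$key    = 'HKLM:\SOFTWARE\Microsoft\Rpc\RpcProxy'
$actual = (Get-ItemProperty -Path $key -Name ValidPorts).ValidPorts -split ';' |
    ForEach-Object { $_.Trim() } | Where-Object { $_ }

# -notcontains compares case-insensitively, so SERVER and server both match.
$missing = $expected | Where-Object { $actual -notcontains $_ }
if ($missing) { "ValidPorts is missing: $($missing -join '; ')" }
else          { 'ValidPorts contains all four expected entries.' }

# Authentication: what Outlook Anywhere advertises to clients versus what is
# enabled on the RPC virtual directory in IIS. The two should agree.
Get-OutlookAnywhere |
    Format-List Server, ExternalHostname, ClientAuthenticationMethod, IISAuthenticationMethods

# Certificate bound to IIS: compare CertificateDomains with ExternalHostname above
# and check that NotAfter is still in the future.
Get-ExchangeCertificate | Where-Object { $_.Services -match 'IIS' } |
    Format-List Subject, CertificateDomains, NotAfter, Status
```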

 

Reference : http://www.msexchange.org/articles-tutorials/exchange-server-2003/migration-deployment/Implementing-RPC-over-HTTPS-single-Exchange-Server-2003-environment.html

User unable to reset password from Exchange 2010 OWA

Users may get an error when trying to reset their mailbox password from OWA. The error reported is “The password you entered doesn’t meet the minimum security requirements”, even though a complex password was used.

This can be resolved by making a small modification in your Domain Controller’s Default Domain Policy. By default, the ‘Minimum Password Age’ policy is set to 1 day. This should be changed to 0 days instead. Minimum password age determines the period of time (in days) that a password must be used before the user can change it.

The steps are:

  1. Launch Group Policy Management [gpmc.msc]
  2. Select the Default Domain Policy and edit it to open the Group Policy Management Editor
  3. Navigate to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Account Policies -> Password Policy -> Minimum password age

  4. Change the number of days to 0 and save the settings
  5. Update the group policy

Now check and confirm from OWA that the password reset is successful.
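Before changing the domain-wide setting, it is worth confirming that minimum password age is what blocks a particular user. This is an added example, not from the original post. It reports PasswordHistoryCount alongside the age because, with a minimum age of 0, a user can change passwords repeatedly to cycle through the history and return to an old password. It assumes the ActiveDirectory module is available and that no fine-grained password policy applies to the user; the account 'jdoe' and the function name are hypothetical.

```powershell
# Added example; requires the ActiveDirectory PowerShell module.
# 'jdoe' is a hypothetical account name.
Import-Module ActiveDirectory

function Get-PasswordChangeWindow {
    param([string]$SamAccountName)

    # Default domain policy only; a fine-grained password policy, if one
    # applies to the user, is not taken into account here.
    $policy = Get-ADDefaultDomainPasswordPolicy
    $user   = Get-ADUser -Identity $SamAccountName -Properties PasswordLastSet

    # Earliest moment the user may change the password again.
    $earliest = if ($user.PasswordLastSet) {
        $user.PasswordLastSet + $policy.MinPasswordAge
    } else {
        Get-Date   # password never set or flagged "must change": no waiting period
    }

    New-Object PSObject -Property @{
        User                 = $user.SamAccountName
        PasswordLastSet      = $user.PasswordLastSet
        MinPasswordAge       = $policy.MinPasswordAge
        PasswordHistoryCount = $policy.PasswordHistoryCount
        ComplexityEnabled    = $policy.ComplexityEnabled
        EarliestChange       = $earliest
        # True means the OWA change fails because of the minimum age,
        # not because of the complexity of the new password.
        BlockedByMinAge      = ($earliest -gt (Get-Date))
    }
}

Get-PasswordChangeWindow -SamAccountName 'jdoe' | Format-List
```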

Resolve error – “The local policy of this system does not permit you to logon interactively.”

Recently one of our clients, who has an SBS 2003 server (which also acts as a Domain Controller), faced an issue logging in to the server using the Administrator account. The following error was received: “The local policy of this system does not permit you to logon interactively”.

This issue was resolved by removing the Administrator account from the Remote Operators group and from the Domain Power Users group.

Note that the Domain Power Users group will always be a member of the Remote Operators group, which should not be changed.

By default, the built-in Administrator in Windows SBS is a member of the following groups:

  • Administrators
  • Domain Admins
  • Domain Users
  • Enterprise Admins
  • Group Policy Creator Owners
  • Mobile Users
  • Schema Admins

You might also notice the following error in event viewer:

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 534
Date: date
Time: time
User: NT AUTHORITY\SYSTEM
Computer: computername
Description:
Logon Failure:
Reason: The user has not been granted the requested logon type at this machine
User Name: administrator
Domain: EXAMPLE
Logon Type: 2
Logon Process: User32
Authentication Package: Negotiate
Workstation Name: computername
Caller User Name: computername$
Caller Domain: EXAMPLE
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 5828
Transited Services: –
Source Network Address: 127.0.0.1
Source Port: 0

Once the Administrator user has been removed from these groups, log in to the server and confirm.

 

Reference : http://support.microsoft.com/kb/841188