Exchange 2010 has increased the security levels once again. If you try to use ActiveSync with a user that is or ever has been part of any restricted groups (like domain admins), the account cannot be used via ActiveSync.
Naturally nobody uses email with an account that is a domain admin, right? ;) So it's not a problem.
If you want to use the account with ActiveSync, you must remove it from any restricted groups and then edit the account's security settings with ADSIedit. You need to enable the propagation of parent settings to the account.
And no, it's not enough that you just enable the propagation and not remove the user from the groups. If you don't, the permissions are removed after a while.