2007 - restrict where mailboxes can be created
In Exchange 2007 I want a group of admins to be able to create mailboxes on only 1 store or server, but not on the other servers. Basically it will be a staging server to create new accounts and then we will move them around for load balancing. I don't plan on making them part of Exchange Recipient Administrators because they only need to be able to manage recipients in their own OUs. I've given them Exchange View-Only Admins membership and worked through http://technet.microsoft.com/en-us/library/bb232100.aspx which lets them create mailboxes anywhere, but now I want to lock down the store or at least servers that they create the mailboxes on. Any ideas?
August 18th, 2009 4:52pm

I do not believe this level of control is available in Exchange 2007. You CAN restrict the OU in which they place the account by using the AD Delegation Wizard, but I don't know of any way to limit their power to only assigning a single server as a homeMDB. Mike Crowley A+, Network+, Security+, MCT, MCSE, MCTS, MCITP: Enterprise Administrator / Messaging Administrator Read my 2 on the Psychology of a TechNet Forum Thread!
August 19th, 2009 6:14pm

Hello, You could use the following steps to achieve this:

1. Create a new group, let's call it "restriction".
2. Add the administrator, let's call it "admin", into the group.
3. Open adsiedit.msc and navigate to CN=Configuration/CN=Services/CN=Microsoft Exchange/CN=Name Of Exchange Org/CN=Administrative Groups/CN=Exchange Administrative Group (E2k7 Admin Group)/CN=Servers/CN=Name of E2k7 Server/CN=InformationStore/CN=Storage Group/CN=store
4. Right click the item and choose Properties / Security tab.
5. Add the group "restriction" to the list and deny its Read permission.

After that, the user in that group can neither see the store nor create new users on that store. Hope this helps. Thanks, Elvis
August 20th, 2009 11:44am

Thanks... this seems to be the path to go down. We will have many servers, so instead of applying it on each one and making it part of the build, any thoughts about putting a Deny right on the Servers container and letting it inherit down, reversing it with an explicit Allow on only the desired 'staging' server or store? If denying Read to that much stuff is too crazy, would denying View Information Store status do it?
August 20th, 2009 7:13pm

Hi, As I mentioned above, you could add the admins into a group and then deny the permission on one store for that group; all the admins in that group can't create new users on the specific store.
August 24th, 2009 10:47am
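The per-store Deny that Elvis describes in both replies, scripted for the "many servers" case the original poster raises. This is an added example, not code from anyone in the thread: it runs in the Exchange 2007 Management Shell and uses Add-ADPermission / Get-ADPermission in place of the manual adsiedit.msc steps, applying the Deny to every mailbox store except one staging store and then reporting the resulting ACEs. The group name "CONTOSO\restriction" and the store identity "STAGE01\First Storage Group\Staging Store" are assumed placeholders; the thread does not confirm whether a single inherited Deny on the Servers container plus an explicit Allow behaves correctly, so the script deliberately stays with explicit per-store ACEs.

```powershell
# Added example (not from the thread): apply the per-store Deny Read ACE from
# Elvis's reply to every mailbox database except one staging store, then verify.
# Run in the Exchange 2007 Management Shell as an account that can modify the
# store objects in the Configuration partition (e.g. an Exchange Organization
# Administrator).

$DelegatedGroup = "CONTOSO\restriction"                        # assumed group name
$StagingStore   = "STAGE01\First Storage Group\Staging Store"  # assumed store identity

# The staging store is the only database the delegated group should still see.
$staging = Get-MailboxDatabase -Identity $StagingStore

# Every other mailbox database gets an explicit Deny on GenericRead for the group.
# An explicit Deny takes precedence over the Allow the group inherits through its
# Exchange View-Only Administrators membership, so the store is hidden from the
# group and cannot be selected as the home database for New-Mailbox.
Get-MailboxDatabase |
    Where-Object { $_.DistinguishedName -ne $staging.DistinguishedName } |
    ForEach-Object {
        Add-ADPermission -Identity $_.Identity `
                         -User $DelegatedGroup `
                         -Deny `
                         -AccessRights GenericRead | Out-Null
        Write-Host "Denied Read on $($_.Identity) for $DelegatedGroup"
    }

# Verification: for each store, report whether the group now holds an explicit
# (non-inherited) Deny ACE. Only the staging store should show ReadDenied = False.
Get-MailboxDatabase | ForEach-Object {
    $db = $_
    $denied = Get-ADPermission -Identity $db.Identity |
        Where-Object {
            ($_.User -like "*\restriction") -and $_.Deny -and (-not $_.IsInherited)
        }
    $db | Select-Object Identity,
        @{ Name = "ReadDenied"; Expression = { [bool]$denied } }
} | Format-Table Identity, ReadDenied -AutoSize
```

Because the Deny removes the store from the group's view entirely (as Elvis notes, they "can neither see the store nor create new users on that store"), re-run the verification after adding a new server to the build so that freshly created stores are not left readable by the delegated group; the original poster's narrower alternative of denying only "View Information Store status" is not confirmed anywhere in the thread and is therefore not used here.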
