Domain Admin with limited rights to Exchange?
I'm newly in charge of a server with a small administrative team. We have a pretty basic setup - just a single Windows Server 2008 file server and an Exchange 2007 server in our domain. All of the IT staff has a superuser account that's a member of the Domain Admins group. We're definitely not doing anything new or complicated with the server's setup. However, my supervisor has requested that not all the staff be able to grant access to view another user's email account. I've found that the relevant permissions are related to Exchange Organization Admins versus Exchange Recipient Admins - some need to be one, some the other. However, I can't figure out where this is set. I tried tracing the group memberships for Domain Admins and Exchange Organization Admins, but I couldn't find where they related to each other. I'm hoping there's just something simple I'm overlooking - any idea what that might be? What would I have to change so that Domain Admins aren't automatically Exchange Organization Admins? It'd be easy enough to add them manually to the right group.
March 17th, 2010 10:35pm

Ultimately what you need to do is take everyone out of Domain Admins and grant them granular rights that enable them to do only the tasks they need to do, and keep them out of the OU that contains the Exchange permissions groups, and ensure that they don't have specifically granted rights to Exchange, that they get their rights strictly through groups. You'll need to change the password for Domain Admins to something nobody (including you!) knows and stick it in a sealed envelope in a safe. (Two is better.) This will be a complicated task that will ultimately make your entire organization a lot more secure, if somewhat more complicated to manage.

-- Ed Crowley MVP
"There are seldom good technological solutions to behavioral problems."
March 18th, 2010 12:09am
