Exchange 2007 - want FINER grained delegation options
I have an OU (organizational unit) we will call "Outside Contacts" containing Mail Contact objects for partners outside our organization. As there is a certain turnover from year to year, not to mention changes in email addresses, we would like to delegate management of this OU to a specially created group containing members who would be authorized to add, modify and delete contacts in this OU - and only in this OU.

Options:

1. Make them Exchange Recipient Administrators - but they could manage all kinds of Exchange objects, not just Mail Contacts in the Outside Contacts OU. Not acceptable.

2. Delegate control of the OU to the group in question - but this concerns - EDIT: by default - "User objects": "Create, delete and manage user accounts". How will it affect Contact objects? It does not. Permissions are not inherited.

------------------------------------------
dsacls "ou=contacts,dc=contoso,dc=com"

Don't know how to limit output to the group in question so I'll snip from the mess that was produced:

    Allow CONTOSO\Contact Managers SPECIAL ACCESS for user CREATE CHILD
    Allow CONTOSO\Contact Managers SPECIAL ACCESS for user CREATE CHILD Inherited to user
    Allow CONTOSO\Contact Managers FULL CONTROL
----------------------------------------

For the permission "Create/Delete user objects" (Apply to this object and all child objects):
- Nothing in Properties (perhaps because these permissions cannot apply to an OU).
- Objects = Create user objects and Delete user objects

For the permission "Full Control" (Apply to User objects), well... everything is checked!

Now, if I create a user, the permissions apply to the user (as expected). So, I change Create and Delete user objects to contact objects and... For Full Control, Apply to Contact objects. But this does not work.

I log on as a member of Contact Managers and attempt to add some data in the Notes field of a contact:

--------------------------------------------------------
Microsoft Exchange Error
--------------------------------------------------------
The following error(s) occurred while saving changes:
set-contact
Failed
Error: Access to the address list service on all Exchange 2007 servers has been denied.

I attempt to change the email address of the user in question. Same error.

I add the Contact Managers group to the Exchange Recipient Admins group = all is well - OK.

So how can I allow delegates to manage the Mail Contacts in the Outside Contacts OU - and only in this OU? Can it be done?
July 26th, 2010 9:39pm

Hi Le,

From TechNet, if you want to create a new contact, the account you use must be delegated the following:
- Exchange Recipient Administrator role
- Account Operator role for the applicable Active Directory containers

http://technet.microsoft.com/en-us/library/aa997220(EXCHG.80).aspx

Same to modify a contact (Set-MailContact): the account you use must be delegated the following:
- Exchange Recipient Administrator role

Maybe you can think of upgrading to Exchange 2010; it is easier to do it using the new permission model (RBAC) in Exchange 2010.

Frank Wang
July 28th, 2010 11:56am

Hello Frank,

In fact, I've found that assigning the Exchange Recipient Administrator role is enough (in my example above and on other occasions). What I am looking for is what MS offers in Active Directory - but what does not carry over into Exchange (2007 at least). And what's that?

If I want a delegate to change user passwords across the entire enterprise, I could make them "Account Operator". But... if I want the delegate to change user passwords in the "Part Time Employees" OU (organizational unit) ONLY... and not, for example, the passwords of the CEO, CFO, CIO, etc., I can grant the delegate rights to that OU specifically (Part Time Employees).

When I attempt to do this for Exchange Mail Contacts stored in a particular OU, even after making sure permissions apply to Contact Objects, it does not succeed (as described in my initial post).

As for upgrading to Exchange 2010, I would like to know for a fact if the above is possible (what if I upgrade and the only way to achieve the goal is still to assign obscure Active Directory permissions manually, one by one, to the delegate?). From that perspective, the upgrade would not have been worth it. For the time being though, an upgrade is not in the planning anyway. Thank you for the suggestions all the same.
July 28th, 2010 4:24pm

Hi Le,

You are right: if you are assigned the Exchange Recipient Administrator role and delegated the permission in AD, you can manage the contact. Actually, even if you are assigned the Exchange Recipient Administrator and Account Operator roles, you cannot manage the account either. Please see this KB: Account Operators group does not have the permission to create Contact objects
http://support.microsoft.com/kb/555190/en-us

Please try to delegate control on Contact Objects (Create a custom task to delegate).

Similar post: http://social.technet.microsoft.com/Forums/en-US/exchangesvradmin/thread/31a04f8a-10f2-4df4-8199-58cfba53d820

For Exchange 2010, you don't need to manually change permissions in AD anymore. A simple example: if you just want to modify the contact (Set-MailContact) and deny creating a contact (New-MailContact), just make sure Set-MailContact is included in a custom Role, then assign the role to the admin; after that, the admin can only modify the contact (no create). And you can also add a Scope to limit the objects the admin can modify. This is the new permission model called RBAC.

Frank Wang
July 29th, 2010 6:41am
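Frank's Exchange 2010 RBAC outline, worked through as an added example (not code from the thread): a custom role holding only Set-MailContact, a recipient scope restricted to mail contacts under the OU, and an assignment to the delegate group. The role and scope names, the OU path contoso.com/Outside Contacts and the group name Contact Managers are assumptions taken from the thread; the group must be a universal security group.

```powershell
# Added example: Exchange 2010 RBAC delegation that lets "Contact Managers"
# modify (but not create or delete) mail contacts in one OU only.
# Run in the Exchange 2010 Management Shell as an Organization Management member.
# Names and OU path below are assumptions, not values from the thread's servers.

$roleName  = 'Outside Contact Editors'        # assumed custom role name
$scopeName = 'Outside Contacts OU'            # assumed scope name
$group     = 'Contact Managers'               # universal security group (from thread)
$ouPath    = 'contoso.com/Outside Contacts'   # assumed canonical OU path

# 1. Derive a custom role from the built-in "Mail Recipients" role; it starts
#    with every cmdlet of its parent.
New-ManagementRole -Name $roleName -Parent 'Mail Recipients'

# 2. Strip every role entry except Set-MailContact and the read-only Get-* cmdlets
#    (Get-* are needed so the delegate can see the objects in EMC/EMS).
#    New-MailContact and Remove-MailContact are removed, so the delegate can
#    modify contacts but cannot create or delete them.
Get-ManagementRoleEntry "$roleName\*" |
    Where-Object { $_.Name -ne 'Set-MailContact' -and $_.Name -notlike 'Get-*' } |
    Remove-ManagementRoleEntry -Confirm:$false

# 3. Recipient write scope: only MailContact objects at or below the OU.
#    The RecipientRoot limits the OU subtree; the filter excludes mailboxes
#    or other recipient types that might later be placed there.
New-ManagementScope -Name $scopeName `
    -RecipientRoot $ouPath `
    -RecipientRestrictionFilter { RecipientType -eq 'MailContact' }

# 4. Assign the trimmed role to the group, with the scope as its write scope.
#    Anything outside the OU (the CEO's mailbox, other contacts) stays out of reach.
New-ManagementRoleAssignment -Name "$roleName-$group" `
    -Role $roleName `
    -SecurityGroup $group `
    -CustomRecipientWriteScope $scopeName

# 5. Verification: confirm which cmdlets survived in the role and what the
#    assignment actually covers before handing it to the delegates.
Get-ManagementRoleEntry "$roleName\*" | Select-Object Name
Get-ManagementRoleAssignment -Role $roleName |
    Format-List Role, RoleAssigneeName, CustomRecipientWriteScope
```

The same pattern with Mail Recipient Creation as the parent role would cover the create/delete half of the original question, still bounded by the same scope.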
