.shape {;} p.MsoNormal, li.MsoNormal, div.MsoNormal {margin:0in;margin-bottom:.0001pt;font-size:11.0pt;font-family:'Arial','sans-serif';} .MsoChpDefault {font-size:10.0pt;} @page Section1 {size:8.5in 11.0in;margin:1.0in 1.0in 1.0in 1.0in;} div.Section1 {page:Section1;} <!--[if !vml]-->Exchange 2007 (2) node CCR cluster with (1) CAS/HUB server and AD 2003.I have a secretary that does some administrative stuff for me. Update email address changes, make sure people are on the correct distribution lists, etc.... I have her set as an Exchange Recipient Administrator organization wide but everytime she tried to change a contacts' department or company info she gets an insufficient rights error. She's running Exchange 2007 tools on a Vista machine and using the Exchange Management Console.She can create/delete contacts, email addresses, distribution list memberships but can't make simple department name changes.---------------------------------------------Error:Active Directory operation failed on (domain controller). This error is no retriable. Additional information: Insufficient access rights to perfor the operation.Active directory response: 00002098: SecErr: DSID-03150A45, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0The user has insufficient access rights.-----------------------------------------------Any ideas?Eric C. .shape {;} p.MsoNormal, li.MsoNormal, div.MsoNormal {margin:0in;margin-bottom:.0001pt;font-size:11.0pt;font-family:'Arial','sans-serif';} .MsoChpDefault {font-size:10.0pt;} @page Section1 {size:8.5in 11.0in;margin:1.0in 1.0in 1.0in 1.0in;} div.Section1 {page:Section1;} <!--[if !vml]--><!--[endif]-->

The secretary will need write access to those properties on contact objects. On user objects, by default, these permissions are grouped under Public Information, but not on contacts, so you'll have to set the write permissions individually for department and company attributes on contactobjects. Joseph Durnal

Are those permissions set in AD with AD Users and Computers or in Exchange Management Shell?Eric

I know you can do it withactive directoryusers and computers, but I've never done it with Exchange tools. I was thinking Add-ADPermission but I think you can only run that on users. Joseph Durnal

Hi Eric, It requires Account Operator permission also along with Exchange Recipient Admin Role to set the properties of contacts, check Set-Contact cmdlet information for further detail for permission required. Set-Contact http://technet.microsoft.com/en-us/library/bb124535.aspx But I wouldnt recommend you to give her Account Operator permission since it gives higher rights on objects, refer below FAQ about it for further detail on Account Operator permission issues. Exchange 2007 Permissions: Frequently Asked Questions http://technet.microsoft.com/en-us/library/bb310792.aspx Instead of Account Operator permission, you can give the read/write permission on the OU where contacts reside to Active Directory object attributes which is matching to company, department etc... Refer below article for further detail on how to find attributes and how to give permission with Add-ADPermissions Split Permissions Model Reference http://technet.microsoft.com/en-us/library/bb430782.aspx