How do I set up delegation of distribution list creation and maintenance?
Hello,

I posted this on the end of another person's question, but it looks like they already had an answer, so I'm reposting here since my question is slightly different.

I need to set up a domain user so that they can create, delete, rename, and change membership of the mail distribution lists in Active Directory without being able to create or change any other objects in the AD. We are running Windows Server 2003 Small Business Server.

So far I've done the following:
1) Set up a "Distribution List Admin" security group.
2) Delegated permissions for the Distribution Groups OU to the new security group.
3) Installed the Windows Server 2003 Administration Tools Pack on a Windows XP SP2 workstation.
4) Created an MSC with just the Distribution Lists OU visible.
4) Added a user account with normal privileges to the Distribution List Admin security group.
5) Logged onto the workstation with this user account and tested.

Results:
* I can add, remove, change any kind of object in the Distribution List OU, not just a distribution list. This is not exactly what I want happening. Don't want to be able to add users or computers here...
* I am not able to admin or see the Exchange enabled part of the distribution list objects I create. I think I need to install the Exchange System Management Tools on the workstation also.
* I have a bunch of admin tools on the workstation that I don't really want a user having on their system.

My questions:
1) What should I be doing to make this happen? Am I heading down the wrong path here?
2) How do I install the admin tool that the user needs with a minimum of fuss?
3) Is there any way not to have all the other admin tools on the system? As usual, we want the user to have as little access as is possible to do the task.
4) How do I keep them from being able to create all kinds of objects in that OU? I really want them to only be able to create distribution lists.

Thanks for the help!
Bob
October 18th, 2007 9:00pm

1. You need to be a little more specific with the control delegation. Check this stuff out: http://www.microsoft.com/technet/scriptcenter/topics/security/propset.mspx
2. Push adminpak.msi via GPO. I've never been that worried about only installing what they need... if they don't have access to DNS, what harm is it for them to have the DNS MMC snap-in installed?
3. See 2.
4. You need to be more granular in your permissions, see post above. Manually/programmatically assigning permissions gives you much more control than the Delegation of Control wizard.
October 18th, 2007 9:07pm
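
The granular delegation recommended in the answer above can be applied with dsacls from the Windows Server 2003 Support Tools. This is an added example, not part of the original thread; the domain name and OU distinguished name are placeholders, and granting full control over group objects is an assumption about how much access the delegate needs.

```bat
@echo off
rem Added example, not from the original thread.
rem OU_DN and GRP use a placeholder domain (example.local / EXAMPLE);
rem substitute the real distinguished name and NetBIOS domain.
set "OU_DN=OU=Distribution Groups,DC=example,DC=local"
set "GRP=EXAMPLE\Distribution List Admin"

rem 1. Remove every ACE currently granted to the group on the OU,
rem    including the broad rights added through the Delegation of
rem    Control wizard.
dsacls "%OU_DN%" /R "%GRP%"

rem 2. On the OU and everything below it (/I:T), allow creating and
rem    deleting child objects (CC, DC) of class "group" only.
rem    No other object class (user, computer, ...) is covered.
dsacls "%OU_DN%" /I:T /G "%GRP%:CCDC;group"

rem 3. On descendant objects only (/I:S), grant full control (GA)
rem    limited to objects of class "group". This covers renaming and
rem    membership changes. A tighter variant grants individual
rem    properties instead, for example "RPWP;member;group".
dsacls "%OU_DN%" /I:S /G "%GRP%:GA;;group"

rem 4. Print the resulting ACL so the entries can be reviewed.
dsacls "%OU_DN%"
```

Active Directory permissions are scoped by object class, and distribution and security groups share the class "group", so this delegation also allows creating security groups in that OU. Log on as a member of the delegated group afterwards and confirm that creating a user or computer in the OU is refused.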

That's pretty cool stuff! Thank you!

One last question... Do you know if Microsoft has a download available for just the Exchange System Management Tools? The workstation I need to install on is remote and I either need to find the .msi installer somewhere on the server or pull it off the Small Business Server CDs.

Thanks again!
Bob
October 19th, 2007 1:29am

As far as I know, you have to install the Exchange tools from the CD only (keep it on a network share!!!).

If my previous post is what you were looking for, please mark it as helpful so it'll help other folks find answers. Thanks!
October 19th, 2007 1:37am
