How to restrict which mailbox server an admin is allowed to create mailboxes on?
I thought I understood all this but clearly I'm confused... We want an admin account to be able to create new users and mailboxes, but only on a particular MB server or mailstore on that MB server. I've done this:
- Created admin account
- Given it Exchange View Only access to whole organization
- Given it Exchange Administrator access to "MBSERVER1"
- Made it a member of local Administrators group on "MBSERVER1"
- Given it access to read and write Exchange attributes in the AD OU it is responsible for (This was done using steps 1 to 3 of "Implementing a split permissions model" http://technet.microsoft.com/en-us/library/bb232100%28EXCHG.80%29.aspx )
The admin account can create users and mailboxes fine in this OU and on "MBSERVER1" but the problem is it can also create the mailboxes on other MB Servers in the Organization and we don't want this. Can anyone point me in the right direction please? (Edit: Forgot to mention... this is on Exchange 2007 SP2 with RU5 installed, and W2K8 SP2 x64)
February 24th, 2011 5:56am

I'd say that you'd have to set an explicit deny for that group on the server(s) you don't want them to be able to create mailboxes on. However, I can see how that could cause some other issues.
February 24th, 2011 7:04am

Hi, Why don't you make the user a Recipient Administrator, who has got the permissions required? See the link for an overview of permission considerations: http://technet.microsoft.com/en-us/library/aa996881(v=exchg.80).aspx Regards from www.windowsadmin.info
February 24th, 2011 7:11am

Thanks for the suggestions. Giving them the "Recipient Administrator" role would allow them to change Exchange properties for any user in the domain but we just want them to manage properties of the users under one OU only. I can't see anything in that article that mentions restricting mailbox creation permissions to one server or one store. It seems to me that any user is able to create a mailbox on any store in the Organization as long as they have Exchange ViewOnly permission for the organization and also have read and write permissions to the part of the AD where they create the user object, and if so then it seems that the permissions model is somewhat 'relaxed' and I need to find a way of restricting this. All I've managed to find is this http://us.generation-nt.com/answer/how-script-exchange-mailbox-store-permissions-help-117901211.html , where somebody is doing what I need to do and has set up some Deny ACLs on individual stores, but they didn't say exactly what ACLs those were. So I guess I'm looking for: Add-ADPermission <MailboxDB> <admin account> and some kind of Rights/Extended Rights to Deny ...
February 24th, 2011 7:44am
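An added example of the explicit-deny approach floated earlier in the thread, written for the Exchange 2007 Management Shell; it is not code from the thread or from Microsoft's documentation. It assumes the allowed server is MBSERVER1 and uses a constructed account name CONTOSO\mbadmin1; it puts a Deny ACE for that account on the AD object of every mailbox database not on the allowed server, then audits what the account holds on each database.

```powershell
# Added example, not from the thread. Run in the Exchange 2007 Management Shell.
# Assumptions: allowed server "MBSERVER1" (from the thread); delegated admin
# "CONTOSO\mbadmin1" is a constructed placeholder name.
param(
    [string]$AllowedServer = "MBSERVER1",
    [string]$AdminAccount  = "CONTOSO\mbadmin1",
    [switch]$Apply          # without -Apply the script only reports
)

# Every database the account must NOT be able to target: all those not on the allowed server.
$deniedDbs = Get-MailboxDatabase | Where-Object { $_.ServerName -ne $AllowedServer }

foreach ($db in $deniedDbs) {
    $dn = $db.Identity.DistinguishedName
    if ($Apply) {
        # An explicit Deny on the database object wins over the Allow the account
        # inherits from the org-wide Exchange View-Only delegation.
        Add-ADPermission -Identity $dn -User $AdminAccount -Deny -AccessRights GenericAll | Out-Null
        Write-Host ("Denied {0} on {1}" -f $AdminAccount, $dn)
    } else {
        Write-Host ("Would deny {0} on {1} (use -Apply)" -f $AdminAccount, $dn)
    }
}

# Audit: for every database, list the ACEs held explicitly by the account, so the allowed
# database shows no Deny and each of the others shows the GenericAll Deny just added.
Get-MailboxDatabase | ForEach-Object {
    $dn   = $_.Identity.DistinguishedName
    $aces = Get-ADPermission -Identity $dn -User $AdminAccount |
            Where-Object { -not $_.IsInherited }
    foreach ($ace in $aces) {
        [PSCustomObject]@{
            Database     = $_.Name
            Server       = $_.ServerName
            Deny         = $ace.Deny
            AccessRights = ($ace.AccessRights -join ",")
        }
    }
} | Format-Table -AutoSize
```

After applying, confirm the effect with a test account by running Enable-Mailbox against a denied database and against the allowed one; a GenericAll Deny also hides those databases from the account's own Get-MailboxDatabase output, which is the kind of side effect the first reply warns about.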
