Reestablishing Multiple Administration Group functionality in Exchange 2007
I am about to transition from Exchange 2003 to Exchange 2007. One major milestone is that my E2K3 org has separate administrative groups for multiple domain administrators. With the collapse of admin groups in Exchange 2007 I am faced with having to find a way to restore their "sandbox" level of security so that they cannot, in essence, affect accounts/settings in other domains. So this means the default security groups/roles of Exchange 2007 (which are located only in the root domain, it seems), except for the Server Admin role, are going to be unacceptable. I have been searching for a solution for restoring the granular administrative functions that the admin groups of E2K3 provided, with only little piecemeal findings. Does anyone have a proven method to grant this sort of access/restriction in Exchange 2007?
December 4th, 2009 4:28am

Have you seen these articles?

http://technet.microsoft.com/en-us/library/aa996881.aspx Permission Considerations
http://technet.microsoft.com/en-us/library/bb232100.aspx Planning and Implementing a Split Permissions Model

Why would the default security groups be unacceptable? If I was looking to control access, I would look at the functions required and delegate the required AD perms by domain or OU, and then give the required Exchange permissions by adding the user to the necessary Exchange security group.

As an example, http://technet.microsoft.com/en-us/library/aa998197.aspx How to Create a Mailbox for a New User

Permissions Required:
Exchange Recipient Administrator role
Account Operator role for the applicable Active Directory containers

By delegating the Account Operator role at the domain or OU level, you can add someone to the Recipient Admin group, but they will only be able to create a new mailbox user in the domain they have the delegated rights in. This can be applied to just about any Exchange task. I actually find the Exch 2007 permission model much easier to manage as opposed to the 2003 model. (And don't forget RBAC in 2010.)
December 4th, 2009 5:58am
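The two-part delegation this reply describes (OU-scoped AD rights plus org-wide Exchange role membership), as an added example that is not part of the original thread or of any Microsoft documentation. The child domain, OU and group names are assumptions; it is meant to be run in the Exchange 2007 SP1 Management Shell by an administrator of the child domain, with dsacls.exe on the path.

```powershell
# Added example, not from the thread. Assumed names: child domain child.contoso.com,
# delegated group CHILD\MailboxAdmins, target container OU=Staff in that domain.
$ou    = "OU=Staff,DC=child,DC=contoso,DC=com"
$group = "CHILD\MailboxAdmins"

# 1. AD side. The built-in Account Operators group is domain-wide, so instead grant the
#    equivalent ACEs on just this OU: create/delete user objects (this OU and all sub-OUs),
#    and read/write properties on user objects beneath it.
dsacls $ou /I:T /G "${group}:CCDC;user"
dsacls $ou /I:S /G "${group}:RPWP;;user"

# 2. Exchange side. The Recipient Administrator role is org-wide by itself; the AD ACEs above
#    are what confine the group to recipients in this OU.
Add-ExchangeAdministrator -Identity $group -Role RecipientAdmin

# 3. Verify both halves. The role entry and the OU ACEs should both show the group.
Get-ExchangeAdministrator | Where-Object { $_.Identity -like "*MailboxAdmins*" }
Get-ADPermission -Identity $ou -User $group |
    Format-Table User, AccessRights, ChildObjectTypes, InheritedObjectType, InheritanceType -AutoSize
```

After this, a member of the assumed group can run New-Mailbox or Enable-Mailbox against users under OU=Staff but gets an access-denied error on a user in another OU or domain, because the recipient cmdlets still write to the user object in AD and that write is what the OU ACEs govern. The check in step 3 is the one to repeat after any schema or domain change, since the ACEs live in the child domain, not in the Exchange configuration.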

Thanks for the informative response! So if I understand you correctly, if the AD security prohibits an action on an object, then being a member of the default Exchange roles would adhere to this restriction? I can understand this with the Recipient Admin role, but what about the Org Admin role (the one I was referring to as unacceptable), which allows configurations like the MRM policies and Address List management. I assumed being a member of this group elevates the members' ability to manage Exchange objects in the root domain beyond the AD restrictions of the child domain. Part of my end goal is to allow child domain admins to manage only certain address lists and organizational configurations that pertain to their domain only. I am under the impression that the Org Admin group would not grant this type of granular restriction.
December 4th, 2009 6:54am

Correct. For those org-level tasks like address list management, you won't be able to limit their permissions to their domain if you add them to the Exch Org Admin group. Of course, the address list is an org-level object, so it makes sense in that regard. I would say it's time to rethink your delegation model and give Org Admin permissions to only those in your company that absolutely require it, and give the minimum perms to those in the other domains that only really need the ability to manage user accounts. If you absolutely need those other admins to perform org-level tasks, but do not want to grant them org perms, then think about 3rd party products or perhaps a web-based interface that leverages a service account that has org-level perms.

Good info here: http://msexchangeteam.com/archive/2007/02/12/435171.aspx Recipient permission delegation in Exchange Server 2007
December 6th, 2009 5:38pm
