Two permissions questions for delegated Help Desk Personnel
We recently migrated over to Exchange 2010 and are running into a few permissions issues with our helpdesk personnel. The first is that although they have create and delete user object rights, they are unable to delete an AD account that had an Exchange mailbox with an ActiveSync device on it. The ActiveSync device creates a container under the user object called ExchangeActiveSyncDevices, and I cannot figure out what specific rights the help desk needs in order to be delegated the delete right on that container and its objects. The second is that even though they have been granted the Exchange 2010 Recipient Management role, they do not even see the option to "Enable Archive" on mailboxes they created. I think there must be some other role or right needed to enable a user for the built-in archive mailbox. Would greatly appreciate any help. Thanks, Rob
November 15th, 2010 4:51pm

I figured out the "unable to create archive" issue. It was a problem with the EMC tools, but I still need help with the permissions to delete the AD ActiveSync CN. Thanks, Rob
November 15th, 2010 6:01pm

Hi, Hope these articles might help you. http://blog.nick.mackechnie.co.nz/post/2009/11/20/Exchange-2010-Active-Sync-Issue.aspx Thanks. Nagaraj N
November 15th, 2010 6:32pm

Hi Robert, Any update for your issue? Regards! Gavin
November 28th, 2010 8:41pm

I still have not been able to figure out this piece, although I have been too busy to dig into it further. The first is that although they have create and delete user object rights, they are unable to delete an AD account that had an Exchange mailbox with an ActiveSync device on it. The ActiveSync device creates a container under the user object called ExchangeActiveSyncDevices, and I cannot figure out what specific rights the help desk needs in order to be delegated the delete right on that container and its objects. Any thoughts on it?
November 28th, 2010 8:42pm

Hi Robert,

Did you add other roles or other cmdlets to the role group help desk? I would first check which roles are contained in the role group with the command below:

Get-RoleGroup "help desk" | ft Roles

And then I would check which cmdlets are contained in the roles with the command below:

Get-ManagementRoleEntry "rolename\*"

That way we can confirm which cmdlets can be run by a user account that is a member of the role group help desk.

And I am a little confused by what you referred to: "The active sync device creates a Container under the user object called ExchangeActiveSyncDevices and I cannot figure out what specific rights the help desk needs to be delegate delete right of that container and its objects." If you mean that ExchangeActiveSyncDevices is a subfolder of the specific mailbox, I would use Add-MailboxFolderPermission for the account that wants to manage that mailbox's folder. And as far as I know, a member of the help desk cannot create a new mailbox or delete a mailbox.

Regards! Gavin
November 28th, 2010 10:14pm
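
Added example, not part of any reply in the thread: the two checks described in the reply above, combined into one Exchange Management Shell script that reports whether the roles in a role group contain specific cmdlets. The role group name comes from the reply; the list of cmdlets to look for and the handling of the Roles property are assumptions made for this example.

```powershell
# Run in the Exchange Management Shell (Exchange 2010, PowerShell 2.0 syntax).
# Role group name taken from the reply above.
$roleGroup = 'help desk'

# Cmdlets (and one parameter) matching the tasks discussed in the thread.
# This list is an assumption for the example; adjust it to what you delegate.
$wanted = @(
    @{ Cmdlet = 'Remove-Mailbox';          Parameter = $null     },
    @{ Cmdlet = 'Enable-Mailbox';          Parameter = 'Archive' },
    @{ Cmdlet = 'Remove-ActiveSyncDevice'; Parameter = $null     }
)

# Step 1: the roles assigned to the role group.
$roles = (Get-RoleGroup $roleGroup).Roles

# Step 2: every role entry (cmdlet plus allowed parameters) in those roles.
# Assumption: depending on the session, a role arrives as an object with a
# Name property or as a path-like string, so both forms are handled.
$entries = foreach ($role in $roles) {
    $name = if ($role.Name) { $role.Name } else { "$role".Split('/')[-1] }
    Get-ManagementRoleEntry "$name\*"
}

# Step 3: for each wanted cmdlet, report whether any role grants it.
$report = foreach ($w in $wanted) {
    $hits = @($entries | Where-Object {
        $_.Name -eq $w.Cmdlet -and
        (-not $w.Parameter -or $_.Parameters -contains $w.Parameter)
    })
    New-Object PSObject -Property @{
        Cmdlet    = $w.Cmdlet
        Parameter = $w.Parameter
        Allowed   = ($hits.Count -gt 0)
        GrantedBy = ($hits | ForEach-Object { "$($_.Role)" } |
                     Sort-Object -Unique) -join ', '
    }
}

$report | Format-Table Cmdlet, Parameter, Allowed, GrantedBy -AutoSize
```

This reports RBAC role entries only; Active Directory ACLs on the user object and its child containers are evaluated separately and are not shown here.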

This topic is archived. No further replies will be accepted.
