AD preparation and delegated OU designs.
Hi, all. I'm having some issues with adjusting my Exchange 2003 thinking to that of 2010, and figured I'd ask for help in addition to bringing myself up to date through reading. What I'm having trouble with is that I can't create mailboxes. My understanding was that so long as the account wasn't in one of the elevated groups such as Domain Admins, and was a member of a role group such as Recipient Management, everything should be fine, but experience has proven otherwise.

As part of looking into why, I'm wondering whether the fact that the AD domain preparation which put the permissions model in place seems to have left our delegated model untouched has anything to do with this, because when managing the user objects through ADUC there are no issues with the delegated, non-privileged account. Should the AD domain prep process have included the Exchange group security changes in our top level OU? Given that it hasn't, is there a way to run something analogous to a script so that I can instate those permissions? (Assuming the fact that they're not there is even an issue.) I can't set these permissions up manually, since neither ADUC nor ADSIEDIT display all the rights that have been set in some examples (i.e. an ACE will appear as having nothing set in the UI, which clearly isn't going to be the case behind the scenes), so I'm not sure how to go about tackling this - assuming I even need to.

Certainly, this process for the intermediate Exchange 2007 server hasn't been a problem at all. But then, because it is in a migration domain, delegation hasn't been put in place there. Delegation only exists in the production domain (which doesn't have Exchange at all) and the test domain (which is where the Exchange 2010 installation lives).

The error I get is as follows, but it doesn't "appear" to be AD-related. I say "appear", because while I've used directory services auditing to check for directory access, I've only done so in the default naming context space, not in the configuration space (which I'll need to look at next).

Summary: 1 item(s). 0 succeeded, 1 failed.
Elapsed time: 00:00:00

Lain Robertson
Failed
Error:
Active Directory operation failed on dc01.test.mydomain.edu.au. This error is not retriable. Additional information: Insufficient access rights to perform the operation.
Active directory response: 00002098: SecErr: DSID-03150BB9, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
The user has insufficient access rights.

Exchange Management Shell command attempted:
Enable-Mailbox -Identity 'test.mydomain.edu.au/TopLevelOU/Staff/Users/Lain Robertson' -Alias 'lain.robertson'

Elapsed Time: 00:00:00

(Some domain details changed purely for privacy reasons)

As I say though, the account that I'm using to run the console has no problems fully administering accounts contained within this structure, so the only things I can think of are that it's an issue working with information under the configuration namespace (which it shouldn't be, since the account is a member of Recipient Management) or it's a byproduct of the Exchange permissions not having been assigned to the delegated OU structure.

Cheers,
Lain
March 26th, 2010 7:51am

Quick update: The problem is indeed with the missing AD domain prep permissions in the default naming context. I just re-enabled inheritance in the test domain and the mailbox provisioning process completed just fine. I've found the following reference, so I'll work through this (though I'm dreading it - this list is massive!) to rectify the issue: http://technet.microsoft.com/en-us/library/ee681663.aspx

Cheers,
Lain
March 26th, 2010 8:47am
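The root cause Lain describes is that the ACEs Exchange Setup applies during domain preparation sit at the domain root and reach OUs only through inheritance, so an OU with inheritance blocked never receives them and Enable-Mailbox fails with INSUFF_ACCESS_RIGHTS even though ADUC shows the delegated account working fine. The following script is an added example, not something from this thread or from Microsoft; it walks every OU in the domain, reports which ones have inheritance blocked, and counts the ACEs granted to the default Exchange security groups on each. It assumes the RSAT ActiveDirectory module is available and that the group names below are the defaults created by Setup (if they were renamed, adjust the list).

```powershell
# Added example (not from the thread): find OUs where ACL inheritance is blocked
# and check whether the Exchange groups that Setup /PrepareDomain grants rights
# to at the domain root actually have ACEs on the OU (inherited or explicit).
# Assumptions: ActiveDirectory module present; the running account can read
# security descriptors; the group names are the Setup defaults.
Import-Module ActiveDirectory

$exchangePrincipals = @(
    'Exchange Servers',
    'Exchange Trusted Subsystem',
    'Exchange Windows Permissions'
)

function Test-OuExchangeAcl {
    param(
        [Parameter(Mandatory = $true)]
        [string]$DistinguishedName
    )

    # The AD: drive exposes the object's security descriptor to Get-Acl
    $acl = Get-Acl -Path ("AD:\" + $DistinguishedName)

    # Keep only ACEs whose trustee is one of the Exchange groups. The
    # IdentityReference is usually "DOMAIN\Group", so compare the last part.
    $exchangeAces = @($acl.Access | Where-Object {
        $name = ($_.IdentityReference.Value -split '\\')[-1]
        $exchangePrincipals -contains $name
    })

    $inherited = @($exchangeAces | Where-Object { $_.IsInherited }).Count
    $explicit  = $exchangeAces.Count - $inherited

    [pscustomobject]@{
        OU                    = $DistinguishedName
        InheritanceBlocked    = $acl.AreAccessRulesProtected
        InheritedExchangeAces = $inherited
        ExplicitExchangeAces  = $explicit
        # An OU with no Exchange ACEs at all is one where mailbox provisioning
        # by a Recipient Management member will hit INSUFF_ACCESS_RIGHTS.
        NeedsAttention        = ($exchangeAces.Count -eq 0)
    }
}

# Because Get-Acl returns inherited ACEs too, an OU whose *parent* blocks
# inheritance will also show up with zero Exchange ACEs.
Get-ADOrganizationalUnit -Filter * |
    ForEach-Object { Test-OuExchangeAcl -DistinguishedName $_.DistinguishedName } |
    Where-Object { $_.InheritanceBlocked -or $_.NeedsAttention } |
    Sort-Object OU |
    Format-Table -AutoSize
```

Run this before and after the remediation Lain used (re-enabling inheritance on the delegated OU) to confirm that InheritedExchangeAces becomes non-zero on every container that holds mailbox-enabled users. The script is read-only; it changes nothing, so it is safe to run from a low-privilege account that can read security descriptors.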

Thank you for sharing the solution with us, Lain. :)
March 28th, 2010 8:47am

