Any M A C with mailboxes with Helpdesk fails with Access to the address list service on all Exchange 2007 servers has been denied
I have researched all kinds of things to determine this but my helpdesk folks can no longer create new mailboxes or make changes inside the EMC. Suggestions on what I can start doing with this? They should be configured properly because THEY HAD been able to do so.
Daren Daigle
September 7th, 2012 10:09am

What groups do they belong to? The most basic are Exchange Recipient Administrators and the AD group Account Operators.
James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com
September 7th, 2012 10:19am

> I have researched all kinds of things to determine this but my helpdesk folks can no longer create new mailboxes or make changes inside the EMC.
Hi Daren, any updates? Did you also check whether a member of Exchange Organization Administrators can create a new mailbox? Can the helpdesk folks do the tasks via EMS? Please check the settings as the following blog said: Access to address list service on all Exchange 2007 servers has been denied http://msmvps.com/blogs/andersonpatricio/archive/2007/08/07/access-to-address-list-service-on-all-exchange-2007-servers-has-been-denied.aspx Please run ExBPA to do a Health and Permission Check. Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.
Frank Wang TechNet Community Support
September 10th, 2012 3:56am

Ok, BPA Permission check came back clean and as I write this, the Health Check is running. As an EOA, I can make any change they fail to be capable of executing. They have all the rights they need as they have been able to do this in the past. The group they are members of is listed as Exchange Recipient Admins. The BPA came back with two items referring to the old (2003) Administrative Group as I have never found a definitive way to rid that from my configuration. All of the ideas in that link have been tried to no avail. It should be noted we have a CCR running on 2008 R2.
Daren
September 10th, 2012 9:02am

I wouldn't worry about the admin group; that's irrelevant. Since you are creating a new mailbox and thus a new user, can you confirm this group is in the Account Operators group in AD?
James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com
September 10th, 2012 9:51am

> I wouldn't worry about the admin group; that's irrelevant. Since you are creating a new mailbox and thus a new user, can you confirm this group is in the Account Operators group in AD?
> James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com
No, they are not a member of the Account Operators group as that gives them permissions to change the high security group/members. We have delegated the correct rights to the OUs where they maintain accounts. But this is not a new change; they can create the accounts in AD, and when they go to Exchange to Mail Enable them is when they get the message. This configuration HAS worked successfully for a while now and I am trying to determine what has changed to cause this to fail.
Daren
September 10th, 2012 10:38am

Understood, it's likely not an AD issue if they are able to create AD users first. Possibly someone mucked with the rights of the Exchange Recipient Admin group. Go through the article below, which shows you what rights are needed for a recipient admin, and see if the recipient admin group has these rights. http://exchangepedia.com/blog/2008/02/how-to-delegate-recipient.html
James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com
September 10th, 2012 12:35pm

> Understood, it's likely not an AD issue if they are able to create AD users first. Possibly someone mucked with the rights of the Exchange Recipient Admin group. Go through the article below, which shows you what rights are needed for a recipient admin, and see if the recipient admin group has these rights. http://exchangepedia.com/blog/2008/02/how-to-delegate-recipient.html
> James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com
Ok, I have found that this script works but it has had no effect on the problem. I do not need to wait after applying this, do I? If not then it didn't work.
Daren
September 14th, 2012 3:49pm

This topic is archived. No further replies will be accepted.
