Configuration of delegated management model within an Exchange 2003/2007 coexistence environment
We have a requirement from a customer to install a number of Exchange 2007 servers into an existing Exchange 2003 organisation, thereby creating a coexistence environment. In addition, the customer also wants to create two separate support groups: 'support group A' to support the Exchange 2003 servers and 'support group B' to support the Exchange 2007 servers.

My initial thoughts are that we could create the following model:

1. Create AD groups called SupportA, SupportB, SupportORG
2. Delegate Exchange Full Administrator rights to SupportA for all Exchange 2003 Admin Groups
3. Add SupportB to the Exchange Servers AD group for all Exchange 2007 servers and the Exchange recipient administrators and Exchange public folder administrators groups
4. Delegate Exchange Full Administrator rights to SupportORG for the Exchange 2003 Organization
5. Add SupportORG to the Exchange Organization Administrators AD group

The SupportORG group will be created as an overall administration group, containing a minimal number of users.

I would be grateful for feedback on this model and advice on other ways this management model may be deployed. Also, during the installation of the Exchange 2007 servers, are the Exchange 2007 security groups pre-populated with users or groups currently delegated permissions at the Organization and Administration group levels?

Regards,
Rob.
March 23rd, 2009 9:19pm

Hi Rob,

Please understand that all the Exchange information is saved in AD. When a user attempts to access or modify Exchange configuration, it actually accesses or modifies the related AD objects. Therefore, when you configure delegation in an Exchange environment, it actually assigns different permissions on AD objects.

The difference between Exchange 2003 and 2007:

In Exchange 2003, when you delegate control at the Org level or Admin Group level, it actually assigns the user you added the related permission on the org or admin group.

In Exchange 2007, several groups have been created already and have the related permissions on the Exchange org. You can add the related users to the groups to manage the Exchange servers.

Therefore, I think that you only need to assign delegated permissions once. For example:

1. Create AD groups called SupportA, SupportB, SupportORG
2. Delegate Exchange Full Administrator rights to SupportA for all Exchange 2003 Admin Groups
3. Delegate Exchange Full Administrator rights to SupportB
4. Delegate Exchange Full Administrator rights to SupportORG for the Exchange Organization

In addition, you can use the adsiedit.msc tool to check the related AD object permissions.

Mike
March 30th, 2009 6:31am
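
The permission check that the reply above suggests doing in adsiedit.msc can also be scripted, which makes it easier to confirm that each support group holds only the rights intended. This is an added example, not part of the original thread: it assumes PowerShell 2.0 or later run on a domain-joined machine by an account that can read the Configuration partition, and it uses the group names mentioned in the thread.

```powershell
# Added example (not from the thread): list the ACEs that the support groups and
# the Exchange 2007 security groups hold on the Exchange organization container
# and on every administrative group beneath it.

# Trustees to look for. Names are taken from the thread; adjust to your directory.
$trustees = 'SupportA', 'SupportB', 'SupportORG',
            'Exchange Organization Administrators',
            'Exchange Recipient Administrators',
            'Exchange Public Folder Administrators',
            'Exchange Servers'

# Exchange configuration is stored under CN=Microsoft Exchange,CN=Services in the
# forest's Configuration naming context, which is read from RootDSE at run time.
$rootDse  = [ADSI]'LDAP://RootDSE'
$configNc = [string]$rootDse.configurationNamingContext
$exchRoot = [ADSI]"LDAP://CN=Microsoft Exchange,CN=Services,$configNc"

# Locate the organization container and all administrative groups.
$searcher = New-Object System.DirectoryServices.DirectorySearcher($exchRoot)
$searcher.Filter      = '(|(objectClass=msExchOrganizationContainer)(objectClass=msExchAdminGroup))'
$searcher.SearchScope = 'Subtree'
$searcher.PageSize    = 500

$report = foreach ($hit in $searcher.FindAll()) {
    $entry = $hit.GetDirectoryEntry()
    # Explicit and inherited ACEs, with trustee SIDs translated to DOMAIN\name.
    $rules = $entry.psbase.ObjectSecurity.GetAccessRules(
                 $true, $true, [System.Security.Principal.NTAccount])
    foreach ($ace in $rules) {
        # Compare on the name part only, ignoring the DOMAIN\ prefix.
        $name = ($ace.IdentityReference.Value -split '\\')[-1]
        if ($trustees -contains $name) {
            New-Object PSObject -Property @{
                Object    = [string]$entry.psbase.Properties['distinguishedName'].Value
                Trustee   = $ace.IdentityReference.Value
                Type      = $ace.AccessControlType
                Rights    = $ace.ActiveDirectoryRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# One row per ACE, grouped by the object it sits on.
$report | Sort-Object Object, Trustee |
    Format-Table Object, Trustee, Type, Rights, Inherited -AutoSize -Wrap
```

An ACE for SupportA on the organization container, or for any support group on an administrative group it is not meant to manage, shows that the delegation is broader than the model intends.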

This topic is archived. No further replies will be accepted.
