Delegation of Exchange recipient and contact management in GAL for 2000 & 2003
After searching everywhere, I cannot seem to find a document clearly explaining how to set up the permissions to delegate the basic ability for an office administrator to update GAL entries such as recipients and contacts without giving other permissions such as add/remove/delete users. All of the documents that I've read say that it can be done, but none of them clearly explain HOW. Any help or guidance would be much appreciated. I'd prefer to not purchase third-party software to do something that supposedly can be done from Exchange 2000/2003 itself.
April 13th, 2007 7:42pm

You are a bit vague with your question, but I will try to explain a few basics. The GAL is nothing more than a view based on an LDAP query of your Active Directory forest. It shows all mail-enabled objects which do not have the 'hide from address list' property set on the AD object. Given this explanation, you need to assign appropriate permissions within AD to administrators to be able to alter information on the objects or to hide them from the GAL. This can be done by using the Delegate Control feature in Windows 2003:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/stepbystep/ctrlwiz.mspx
You can also set custom rights through the permissions tab at container level. This is also explained there.

In some organisations management of the mail properties and the other AD account properties needs to be separated for whatever reason. This is called a split-permissioning model. In Exchange 2007 this is done out of the box. In Exchange 2003 this needs to be custom-built and is rather difficult. I advise against doing this without in-depth knowledge of AD and Exchange.
http://www.microsoft.com/downloads/details.aspx?FamilyID=0954b157-5add-48b8-9657-b95ac5bfe0a2&displaylang=en

If you do want to get more control on permission delegation, and you work for a larger company, ActiveRoles from Quest may be worth looking at.

Cheers, Mark
April 13th, 2007 8:05pm

Thanks. Both of those links are very helpful. The clarification regarding the creation of "custom tasks" answers a big portion of my question. I had only seen the default list of tasks and didn't realize that custom tasks could be designed that, for example, only allow modification of the Personal Information and Phone Mail Options fields in AD. But the one question that still remains is this: Is it possible to allow a user to modify those fields via the GAL rather than requiring them to go into the AD Users & Computers administration tool? The GAL entries show all the properties (i.e. address, title, department, phone extension, etc.) but they appear to be read-only when accessed via the GAL. If necessary, we can give the front office admins access to the AD Users & Computers tool, but it would be so much better and easier if they could maintain that data via the GAL from Outlook/Exchange instead.
April 13th, 2007 8:38pm

Nope sorry, the Outlook address book is just a viewer.
April 13th, 2007 9:09pm

What about setting office admins as "managers" of Distribution Groups? In order to allow them the ability to edit members of Distribution Groups in the GAL via Outlook, do they need any privilege beyond just being added as the "Manager" of that Distribution Group? I'm not talking about changing user profile fields. Just simply adding/removing members from Distribution Groups in the GAL.
April 16th, 2007 11:40pm

Setting the Manager of a Distribution Group simply sets the value of the managedBy attribute on the Group object in AD. This is informational and does not confer any permissions on the group. If you select the "Manager can update membership list" checkbox in Active Directory Users and Computers this sets an explicit permission on the Group object in AD. It assigns the manager "Write members" permission on the group. If someone (i.e. the manager) has "write members" permission on a Distribution Group that person can modify the membership from Outlook.

Tony
www.activedir.org
April 17th, 2007 4:46am
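The point above, that managedBy is informational and only an explicit "Write members" ACE lets the manager edit membership from Outlook, is easy to audit. The script below is an added example, not code from the thread; it assumes a domain-joined machine, an account allowed to read the group's security descriptor, and a placeholder group DN. It compares the managedBy value with the ACEs that actually grant WriteProperty on the member attribute and warns when they disagree.

```powershell
# Added example (not from the thread): audit a distribution group's managedBy
# value against its ACL, because managedBy alone grants no rights.
# Assumptions: domain-joined machine; caller can read the group's ACL;
# $groupDn is a placeholder to replace with a real distinguished name.
$groupDn = "CN=Sales DL,OU=Groups,DC=example,DC=com"            # placeholder
$memberAttrGuid = [Guid]"bf9679c0-0de6-11d0-a285-00aa003049e2"  # schemaIDGUID of 'member'

$group     = [ADSI]"LDAP://$groupDn"
$managedBy = [string]$group.managedBy
Write-Host "managedBy: $managedBy (informational only, confers no permission)"

# Resolve the managedBy DN to DOMAIN\name so it can be compared with ACE identities.
$managerName = $null
if ($managedBy) {
    $manager = [ADSI]"LDAP://$managedBy"
    $sid = New-Object System.Security.Principal.SecurityIdentifier($manager.objectSid.Value, 0)
    $managerName = $sid.Translate([System.Security.Principal.NTAccount]).Value
}

# Collect Allow ACEs that grant WriteProperty either on 'member' specifically
# (what the ADUC checkbox sets) or on all properties (a much broader grant).
$acl = $group.ObjectSecurity
$writeMemberAces = $acl.GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty) -and
        ($_.ObjectType -eq $memberAttrGuid -or $_.ObjectType -eq [Guid]::Empty)
    }

foreach ($ace in $writeMemberAces) {
    $scope = if ($ace.ObjectType -eq [Guid]::Empty) { 'ALL properties' } else { 'member only' }
    Write-Host ("Write on {0}: {1} (inherited: {2})" -f $scope, $ace.IdentityReference, $ace.IsInherited)
}

# The case the thread describes: a listed manager with no matching ACE.
if ($managerName -and -not ($writeMemberAces | Where-Object { $_.IdentityReference.Value -eq $managerName })) {
    Write-Warning "$managerName is listed as manager but holds no Write Members ACE; Outlook edits will fail."
}
```

The "ALL properties" lines are worth reviewing separately, since a principal with write access to every attribute can do far more than edit membership.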

OK. Thanks. What about in Exchange 2007? The distribution groups aren't in AD any more. What determines if a regular user can edit a distribution list?
April 17th, 2007 8:18am

I don't believe there is any change to the way in which the group membership management is delegated. The main difference with Exchange 2007 is that certain Distribution Group management tasks can be done using 2007 Recipient Management (including via PowerShell).
http://technet.microsoft.com/en-us/library/bb125256.aspx

Tony
April 17th, 2007 9:01am

Tony, I need to spin this into a different direction. I, too, am trying to enable non-IT folks to manage their own distribution groups. I've got the permissions all worked out in my AD/Ex03 environment, now it's a question of installing the right tools for them. I've seen some articles about installing just ADUC on a machine and registering its DLL in Win2K Pro, but that didn't work for some reason in WXP/SP2. It's not a big problem to install the adminpak and hide the extraneous tools (these users are very basic), but doing the same thing for ESM requires IIS and is just more involved. To get to the point: what's the best way to install the ADUC tools with the ESM components to allow a delegated manager to create contacts and manage groups?
August 14th, 2007 4:47am

Microsoft released a tool about 10 years ago called GALMod. You can find it on the old BackOffice resource kits. It is a client-side tool that will allow a user to update their own information. However, if you are looking for alternatives, there are a number of web-based alternatives, including one that my own company sells called Directory Update (http://www.directory-update.com), Imanami WebDir (http://www.imanami.com), The Dot Net Factory's EmpowerID (http://www.thedotnetfactory.com), and Profiler (http://www.dirwiz.com). As far as I know, it is not possible to allow a user to directly edit anything via the GAL. The only exception to this is that a DL group owner can add/remove group members.
August 15th, 2007 2:05am
