Exchange 2007 Recipient Administrators able to elevate rights
I have been testing some permissions in Exchange 2007 and was surprised to find that an Exchange Recipient Administrator could elevate their rights to Exchange Organization Administrator. Is this correct? As background, the account was added to the domain Account Operators and Exchange Recipient Administrators groups only. This is a bit of a concern, so any advice is most welcome. Thanks
August 4th, 2008 3:01pm

Hi,

Users who are members of the Exchange Organization Administrators role have the highest level of permissions in the Exchange organization. The Exchange Organization Administrators role gives administrators full access to all Exchange properties and objects in the Exchange organization.

1. Owners of the Exchange organization in the configuration container of Active Directory. As owners, members of the role have full control over the Exchange organization data in the configuration container in Active Directory and the local Exchange server Administrator group.
2. Read access to all domain user containers in Active Directory. Exchange grants this permission during setup of the first Exchange 2007 server in the domain, for each domain in the organization. These permissions are granted by being a member of the Exchange Recipient Administrator role.
3. Write access to all Exchange-specific attributes in all domain user containers in Active Directory. Exchange 2007 grants this permission during setup of the first Exchange 2007 server in the domain, for each domain in the organization. These permissions are granted by being a member of the Exchange Recipient Administrator role.
4. Owner of all local server configuration data. As owners, members have full control over the local Exchange server. Exchange 2007 grants this permission during setup of each Exchange server.

The Exchange Recipient Administrators role has permissions to modify any Exchange property on an Active Directory user, contact, group, dynamic distribution list, or public folder object.

1. Read access to all the Domain User containers in Active Directory that have had Setup /PrepareDomain run in those domains.
2. Write access to all the Exchange-specific attributes on the Domain User containers in Active Directory that have had Setup /PrepareDomain run in those domains.
3. Membership in the Exchange View-Only Administrator role.

So if you want to grant the highest level of permissions to the account, then please let it be a member of Exchange Organization Administrators. If you just want it to have the permission to read/write AD, then add the account to the Exchange Recipient Administrators role.

More information to share with you:
Permission Considerations
http://technet.microsoft.com/en-us/library/aa996881(EXCHG.80).aspx

Hope it helps.
Xiu
August 5th, 2008 12:45pm

Hi, Thanks for the feedback, this is useful information. My concern was that when the test user was given just the Exchange Recipient Administrator role they were able to add themself as an Exchange Organisation Administrator, thereby giving them more rights than we wanted. I am going to re-check this as it may be a problem isolated to the test lab, but I wonder if anyone else has seen this?
August 5th, 2008 1:43pm

Hi,

Please check the members of Exchange Recipient Administrators. We can find that Exchange Organization Administrators is under the Members tab in the properties of Exchange Recipient Administrators. If you double-click Exchange Organization Administrators in that window, you may find that the test user is there. So it indicates that the test user has been a member of Exchange Organization Administrators. It is by design.

Besides, you can use NTDSUTIL (group membership evaluation) to check all the groups a user is a member of (even across domains within the forest, even if nested).

1. Log on in normal mode on the same DC with an Enterprise Admin account.
2. Execute the following commands from a CMD prompt:
   NTDSUTIL
   GR ME EV
   SET AC DC [DCname]
   SET GL CA [GCname]
   SET RE DC [ResourceDCname]
   RUN [domain.com] user
3. After that, you can check the .tsv file in c:\Documents and Settings\user.

Using Ntdsutil
http://technet.microsoft.com/en-us/library/cc772919.aspx

Note: Please install Windows Support Tools, which includes the NTDSUTIL tool.

Hope it helps.
Xiu
August 7th, 2008 6:22am
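A scripted version of the membership check described in the reply above, added here as an example and not part of the original thread. It resolves the effective (nested) membership of the Exchange Organization Administrators role, lists the groups the test account belongs to directly so the two can be compared, and then reads the group's security descriptor to show which principals are allowed to write its member attribute, since that is where an unexpected ability to add oneself to a role group would have to come from. It assumes the ActiveDirectory PowerShell module (shipped with RSAT on Windows Server 2008 R2 and later, so newer than this 2008 thread), the default role group names, and a placeholder account name `testuser`; the schema GUID for the `member` attribute is the well-known value from the AD schema.

```powershell
# Added example (not from the thread): resolve effective membership of an
# Exchange 2007 role group and list who can change its membership.
# Assumes the ActiveDirectory module (RSAT, Windows Server 2008 R2 or later)
# and an account allowed to read the group's security descriptor.
Import-Module ActiveDirectory

$roleGroup = 'Exchange Organization Administrators'   # default role group name
$testUser  = 'testuser'                               # placeholder sAMAccountName

# 1. Effective (transitive) members. -Recursive expands nested groups, so a
#    user who is only in a group nested inside the role still shows up here.
$effective = Get-ADGroupMember -Identity $roleGroup -Recursive |
             Where-Object { $_.objectClass -eq 'user' }
$effectiveNames = @($effective | ForEach-Object { $_.SamAccountName })

if ($effectiveNames -contains $testUser) {
    Write-Output "$testUser IS an effective member of '$roleGroup'"
} else {
    Write-Output "$testUser is NOT an effective member of '$roleGroup'"
}

# 2. Direct group memberships of the user, for comparison with step 1.
#    Anything in step 1 that is not explained here is arriving via nesting.
Write-Output "Direct group memberships of $testUser :"
Get-ADPrincipalGroupMembership -Identity $testUser |
    Select-Object -ExpandProperty Name | Sort-Object

# 3. Who may change the role group's membership? An allow ACE that grants
#    WriteProperty on the 'member' attribute (or on all properties), or
#    GenericAll / GenericWrite on the object, lets that principal add accounts.
$memberAttrGuid = [Guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'   # schema GUID of 'member'
$wp = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
$ga = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$gw = [System.DirectoryServices.ActiveDirectoryRights]::GenericWrite

function Test-CanWriteMember($ace) {
    if ($ace.AccessControlType -ne 'Allow') { return $false }
    $r = $ace.ActiveDirectoryRights
    if ((($r -band $ga) -ne 0) -or (($r -band $gw) -ne 0)) { return $true }
    # ObjectType of Guid.Empty means the ACE applies to every property.
    if ((($r -band $wp) -ne 0) -and
        ($ace.ObjectType -eq $memberAttrGuid -or $ace.ObjectType -eq [Guid]::Empty)) {
        return $true
    }
    return $false
}

$group = Get-ADGroup -Identity $roleGroup
$acl   = Get-Acl -Path ('AD:\' + $group.DistinguishedName)

Write-Output "Principals allowed to modify membership of '$roleGroup':"
$acl.Access |
    Where-Object { Test-CanWriteMember $_ } |
    Select-Object IdentityReference, ActiveDirectoryRights, IsInherited |
    Sort-Object IdentityReference -Unique |
    Format-Table -AutoSize
```

Run it from an account that can read the group's ACL (a Domain Admin or Enterprise Admin, as in the NTDSUTIL procedure above). Step 3 is the part that answers the original question from a defender's point of view: if a built-in group such as Account Operators appears in that list, any member of it can change who holds the role, so the role's effective membership is only as tightly controlled as the ACL on the group object.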

Thanks again for the help Xiu. I think some extra rights are creeping in somewhere and this will certainly help me track down where it is coming from.
August 8th, 2008 12:38pm
