Can users in the Exchange Recipient Administrators group CREATE users or just modify properties of existing users? I would like them to have the ability to create users too, but not be able to give themselves full or send as thanks

Recipient Administrators are able to generate new Accounts if the addition right is delegated on an Active Directory organizational Unit. The Recipient Administrators are not able to set the Full Access priviledge in the Exchange Management Console. So i think that is what you want. regards Thomas Paetzold visit my blog on: http://sus42.wordpress.com

thanks...what is the additional delegated right in AD? uner delegation control...user objects...create thanks

Hi, What is Exchange version you are talking about here, if you have exchaneg 2010 then you can easily manage it thru RBAC feature. In Exchange 2007, You have to delegate permission on OU where admin want to create new mailbox. Please have a look of below FAQ and see section "What permissions do I need to create and delete Exchange 2007 users? " http://technet.microsoft.com/en-us/library/bb310792(EXCHG.80).aspx Some more info: http://technet.microsoft.com/en-us/library/bb232100(EXCHG.80).aspx Anil

Exchange 2007 I currently have them in exchange recipient administrator and the exchange administrator view-only groups. then in AD using the delegation control - custom - only the following objects in the folder - account objects, user objects with the delete and create options selected. the can modify user properties but not create.

OK, that what I mean when I told you to delegate rights in Active Directory so the reciient Administration group. The Installation of the remote Active Directory Tools isn´t the solution. And the Exchange system doesn´t hold any userinformation of your recipients its the Active Directory doing this. So there you have to set the right that somebody is able to create new user accounts. Members of the recipent Administrator group are now able to generate a mailbox for such accounts. If you need the recipient Administrators to create their own user objects in Active Directory then you have to delegate the create userr objects right on a specified organisational unit. Pleasse turn on the advanced mode in Active Directory users and Computers. then rigth click the organisational unit und choose delegate control. Navigate through the following questions ans answer them. After you click finsich the right will be generated. now navigate to theproperrties of the organisational unit you have delegated the new right. There will be an additional registercard security whre the new object with its rights are shown up. regards Thomas Paetzold visit my blog on: http://sus42.wordpress.com

Can you add them to the AD account operators group? Typically the desktop support would have both AD account operator group and Exchange recipient admin which will suffice for what you're trying to do.James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com

i thought account operators group was overkill

Hey you are discussing user right delegation!!! If you make this userr member of the Account operators goup this account will be able to administer all Accounts not only these one stored in a specified organisational unit. Perhaps you will get some detail information on: http://www.tech-faq.com/how-to-delegate-administrator-privileges-in-active-directory.html regards Thomas Paetzold visit my blog on: http://sus42.wordpress.com