How to limit Recipient Management rights to users in a OU in Exchange 2010 SP1
We need to have an account with Exchange Recipient Management rights only on mailboxes of users in a specific OU in Active Directory. For OU "Dept1", the user Dept1Admin would see only mailboxes of accounts in OU Dept1.

Should we use adsiedit to set an ACL on OU Dept1 to grant Dept1Admin rights identical to the Recipient Management group? What would be the minimum group membership for Dept1Admin, given that we need to grant access only to objects related to users in the Dept1 OU?

Thanks in advance for any hint
/Patrice
March 18th, 2011 11:05am

What version of Exchange? In general, it's hard if not impossible to use OUs for queries or filters because the OU isn't an attribute of the objects therein. I recommend you use the traditional way of putting everyone in each of the OUs in a mail-enabled security group and using that group for rights. The creation and maintenance of these groups could be scripted if you have anyone who's good with a scripting language and ADSI.

Ed Crowley MVP
"There are seldom good technological solutions to behavioral problems."
March 18th, 2011 3:55pm

Bharat Suneja (msft) has a blog post below on how to set up recipient org admin for a particular OU rather than the default entire org. It's for Exchange 2007, but the guidance should still be the same since it's just based on AD permissions.

HOW TO: Delegate recipient administration for an OU
http://exchangepedia.com/blog/2008/02/how-to-delegate-recipient.html

James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL
msexchangetips.blogspot.com
March 19th, 2011 10:46am

Hi Patrice, this one can also help you: http://technet.microsoft.com/en-us/library/bb232100%28EXCHG.80%29.aspx

Please remember to click "Mark as Answer" on the post that helps you, and to click "Unmark as Answer" if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
March 20th, 2011 7:18am

Hi, you could create a new Exchange Recipient Management role assignment using the RecipientOrganizationalUnitScope parameter. Look at this example from the documentation:

This example assigns the Mail Recipients role to the Contoso Sub - Seattle role group. The administrators in this role group should only be allowed to create and manage mail recipients in specific databases that have been allocated for use by the Contoso subsidiary, A. Datum Corporation (adatum.com). Also, this group of administrators should only be allowed to manage the Contoso employees that are located in the Seattle office. This is done by creating a role assignment with both a database scope, to limit management of mail recipients to only the databases in the database scope, and a recipient OU scope, to limit access to only the recipient objects within the Contoso Seattle OU.

    New-ManagementRoleAssignment -Name "Mail Recipients_Contoso Seattle" -Role "Mail Recipients" -SecurityGroup "Contoso Sub - Seattle" -CustomConfigWriteScope "Contoso Databases" -RecipientOrganizationalUnitScope adatum.com/Contoso/Seattle/Users

More information about New-ManagementRoleAssignment: http://technet.microsoft.com/en-us/library/dd335193.aspx

Please remember to click "Mark as Answer" on the post that helps you, and to click "Unmark as Answer" if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
March 21st, 2011 11:09pm
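The following is an added example, not code from the thread or from Microsoft's documentation, showing how the RBAC approach from the answer above maps onto the original question (a "Dept1" OU and a "Dept1Admin" account). It creates a role group that carries the same roles as the built-in Recipient Management group but is scoped to one OU with -RecipientOrganizationalUnitScope, makes Dept1Admin a member of that group only, and then verifies the resulting assignments. The domain name contoso.com, the OU path, the role group name and the two probe mailboxes are placeholders; run it in the Exchange 2010 SP1 Management Shell as a member of Organization Management.

```powershell
# Added example (not from the original thread): delegate recipient administration
# for a single OU in Exchange 2010 SP1 RBAC, then verify the scope actually holds.
# Names below are assumptions / placeholders; substitute your own.

$domainCanonical = "contoso.com"                     # assumed AD domain, canonical form
$ouCanonical     = "$domainCanonical/Dept1"          # canonical path of the OU to delegate
$roleGroupName   = "Recipient Management - Dept1"    # our own name for the scoped role group
$adminUser       = "Dept1Admin"                      # the delegated administrator account
$insideUser      = "dept1.user@$domainCanonical"     # placeholder mailbox located in Dept1
$outsideUser     = "other.user@$domainCanonical"     # placeholder mailbox outside Dept1

# 1. Reuse the role list of the built-in Recipient Management role group so the
#    delegated group has identical management roles; only the scope will differ.
$roles = (Get-RoleGroup "Recipient Management").Roles | ForEach-Object { $_.Name }

# 2. Create the scoped role group. Every role assignment the group receives is
#    limited to recipient objects under $ouCanonical. Dept1Admin becomes the initial
#    member here and is NOT added to the org-wide Recipient Management group.
New-RoleGroup -Name $roleGroupName `
    -Roles $roles `
    -RecipientOrganizationalUnitScope $ouCanonical `
    -Members $adminUser `
    -Description "Recipient administration restricted to OU $ouCanonical"

# 3. The delegated admin needs remote PowerShell to use the shell or the console.
Set-User $adminUser -RemotePowerShellEnabled $true

# 4. Verify the assignments: the write scope column should read OrganizationalUnit
#    for every role, not Organization.
Get-ManagementRoleAssignment -RoleAssignee $roleGroupName |
    Format-Table Name, Role, RecipientReadScope, RecipientWriteScope -AutoSize

# 5. Probe effective write access: the first query should return assignments, the
#    second should return nothing, proving writes are confined to the OU.
Write-Host "Assignments letting $adminUser write to $insideUser (expect some):"
Get-ManagementRoleAssignment -RoleAssignee $adminUser -WritableRecipient $insideUser |
    Format-Table Name, Role -AutoSize
Write-Host "Assignments letting $adminUser write to $outsideUser (expect none):"
Get-ManagementRoleAssignment -RoleAssignee $adminUser -WritableRecipient $outsideUser |
    Format-Table Name, Role -AutoSize

# 6. Confirm the account is in no broader role group; a wider assignment from
#    another group membership would override the OU restriction.
Get-RoleGroup |
    Where-Object { (Get-RoleGroupMember $_.Identity | ForEach-Object { $_.Name }) -contains $adminUser } |
    Select-Object Name
```

Two points to keep in mind when reading the output. Custom and OU scopes narrow only the write scope; the implicit read scope of the roles stays as defined on the role (Organization for the recipient roles), so Dept1Admin will still be able to list mailboxes outside Dept1 with Get-Mailbox, while Set-Mailbox, Enable-Mailbox and similar cmdlets fail outside the OU, which is why step 5 probes write access rather than visibility. The minimum membership for Dept1Admin is therefore the scoped role group alone; membership in the built-in Recipient Management group (or any other group with an org-wide assignment) would defeat the restriction, which is what step 6 checks.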

