My objective: create and distribute a custom MMC to users that will manage Mail Contacts only. What I have done: 1) Create custom MMC on Mail Server. 2) Move the custom MMC to a Vista client. I attempt to open it. Error message: "MMC could not create the snap-in" I conclude this is because I did not install Management Tools on the Vista client (how candid of me). 3) I install Managment Tools (after installing PS, various IIS 6 and 7 prerequisites). Now, if I click on the EMC (like the user could, if they knew where to go) I have the entire EMC. More surprisingly, if I click on the custom EMC that should only contain the "Mail Contacts" component, I see, in reality, the entire EMC. Could I use the custom MMC w/o Management Tools? Apparently not. Even if I leave all the prequisites (and uninstall the Management Tools), the only thing I get is this: "MMC could not create the snap-in" There's no point in limiting access (what the delegate can see) with a custom MMC if you have to install Management Tools and they can open it and see everything anyway, and if the complete EMC opens even when opening the custom MMC. I suppose I am doing something wrong - can anyone see what? - So do the MT need to be installed for the MMC to work? - How, then, would you limit access to only the sections that the delegate should see? Or do we have to accept that, ultimately, the delegate could open the whole EMC and if that is an issue, perhaps I should not delegate to that person.

What you're trying to do is hide everything from these contact administrators rather than prevent them from modifying them. Put the contacts in a separate OU, grant these contact administrators rights on that OU, and take away rights on all other OUs if they have any rights. Then it doesn't matter what the contact administrators can see with the MMC, they'll still only be able to manage the contacts. -- Ed Crowley MVP "There are seldom good technological solutions to behavioral problems." . "Le Pivert" wrote in message news:63b33fd7-ceca-4cc3-9f40-f86c33faa339... My objective: create and distribute a custom MMC to users that will manage Mail Contacts only. What I have done: 1) Create custom MMC on Mail Server. 2) Move the custom MMC to a Vista client. I attempt to open it. Error message: "MMC could not create the snap-in" I conclude this is because I did not install Management Tools on the Vista client (how candid of me). 3) I install Managment Tools (after installing PS, various IIS 6 and 7 prerequisites). Now, if I click on the EMC (like the user could, if they knew where to go) I have the entire EMC. More surprisingly, if I click on the custom EMC that should only contain the "Mail Contacts" component, I see, in reality, the entire EMC. Could I use the custom MMC w/o Management Tools? Apparently not. Even if I leave all the prequisites (and uninstall the Management Tools), the only thing I get is this: "MMC could not create the snap-in" There's no point in limiting access (what the delegate can see) with a custom MMC if you have to install Management Tools and they can open it and see everything anyway, and if the complete EMC opens even when opening the custom MMC. I suppose I am doing something wrong - can anyone see what? - So do the MT need to be installed for the MMC to work? - How, then, would you limit access to only the sections that the delegate should see? Or do we have to accept that, ultimately, the delegate could open the whole EMC and if that is an issue, perhaps I should not delegate to that person. Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."

Even so, I want to "isolate visibility of additional management capabilities of the Exchange 2007 management console" as presented here: http://msexchangeteam.com/archive/2006/10/20/429233.aspx That's Tip #8. It simply does not work as advertised. You cannot move the file to another computer (your laptop for example) and see it work as stated. Of course, if I am missing something, I would glady correct that if someone would point out what I am missing. And yes, I would post in the Exchange User forum in the link above but new comments are disabled. Lastly, yes, I already have limited the ability to modify the contacts as you suggest. I still want to limit visibility. If, despite the link above, it cannot be done, then it cannot be done. But I want to determine if that is indeed the case before throwing in the towel.