Hey guys need some help to see if this is possible.. We need to lock down our help desk (sometimes they are not that helpful and hurt more then help) by prevenitng them from making ANY changes to exchange attributes in AD. We have a 2003 native mode AD and 2003 exchange native mode environment. I have created a security group and delegated permissions to a test OU. I have given these permissions using the delegate wizard: Modify membership of a group Read all user info reset user PW adn force PW change at next logon Create, delete, and manage user accounts. With these settings so far so good.However,what alsoneeds to happen is that even if a help desk user has the exchange admin tools installed, they cannot hide a mailbox, force storage/send/recieve limits, set delivery options and so on. Does anyone have insight on how this can be accomplished??? Thanks for any help! Mike

Hi Mike! So you need to provide your helpdesk with WRITE access to some exchange ADattributes. At the moment they don't have such access. You canreview the permissions in the OU properties - security (Check View - Advanced Features in the mmc Console). In the Advanced permissions you can set read/wtrie permissions to exact AD attributes, like "Write msExchHideFromAddressLists". Or use delegation of control wizard - create a custom task to delegate - <select user objects> - check "Propery specific" and choose options you need. Max

Thanks for the response Max! Actually its the other way around. It seems that at first they have no access which is what I want. Then I run the delegation wizard for only the items I listed above. And then they seem to be able to hide users from the GAL, or change mailbox size restrictions. I want to prevent them from doing anything to mailboxes. You might be onto something however I may need to look at the property specific settings to see if I can get it locked down to a more granular affect. Thanks again! Anyone else have any sugestions??