Problem with Permissions to Create a Mail Contact
I've got an Exchange 2007 SP1 environment that was upgraded from an Exchange 2003 environment. I'm having problems giving our junior administrators the permissions they need to create mail contacts. These users have been delegated the Exchange Recipient Administrators role and are members of the Account Operators group. They can create users, mailbox-enabled users, mail-enabled users, and distribution groups in any of the relevant OUs, but they can't create mail contacts.

When attempting to do so, they get this error:

Summary: 1 item(s). 0 succeeded, 1 failed. Elapsed time: 00:00:00
John Doe
Failed
Error:
Active Directory operation failed on DC04.mydomain.com. This error is not retriable. Additional information: Access is denied.
Active directory response: 00000005: SecErr: DSID-031521D0, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
The user has insufficient access rights.
Exchange Management Shell command attempted:
New-MailContact -ExternalEmailAddress 'SMTP:EMAIL REMOVED' -Name 'John Doe' -Alias 'JohnDoe' -OrganizationalUnit 'mydomain.com/People/Permission Tests' -FirstName 'John' -Initials '' -LastName 'Doe'
Elapsed Time: 00:00:00

What am I missing? It seems to be an Active Directory permission that I'm missing somewhere?

The New-MailContact command creates a new mail contact object in the Microsoft Active Directory and then mail-enables the mail contact. To run the New-MailContact cmdlet, the account you use must be delegated the following:
Exchange Recipient Administrator role
Account Operator role for the applicable Active Directory containers
October 9th, 2009 2:20am

Account Operators don't have permission to create contacts in AD. Sounds weird eh? You'll have to manually modify permissions for the Account Operators group using the security tab on the Account Operators group object in ADUC or use the Delegation Wizard in ADUC.
MVP | MCSE:M | MCITP: Enterprise Messaging Administrator | MCTS: OCS + Voice Specialization | http://www.shudnow.net
October 9th, 2009 4:59am

Agree with Elan. You need the below permissions to create a contact:
Exchange Recipient Administrator role
Account Operator role for the applicable Active Directory containers
Reference: How to Create a New Mail Contact
Vinod | CCNA | MCSE 2003 + Messaging | MCTS | ITIL V3 |
October 9th, 2009 3:21pm

Vinod,
That statement was already in his post, and he stated that it didn't work for him.
Utegrad,
Again, follow what I stated in my post. Here's a reference if you like: http://support.microsoft.com/kb/555190
MVP | MCSE:M | MCITP: Enterprise Messaging Administrator | MCTS: OCS + Voice Specialization | http://www.shudnow.net
October 9th, 2009 5:41pm

Hey thanks, I missed that part. Fat Finger you know :))
Vinod | CCNA | MCSE 2003 + Messaging | MCTS | ITIL V3 |
October 9th, 2009 5:55pm

Thank you for the information. Delegating read / write access control of contact objects to the Account Operators group got the job done. It's frustrating that this isn't made clearer in the documentation for creating a contact.
October 9th, 2009 7:41pm
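The delegation the thread settles on, scripted with dsacls.exe and scoped to a single OU so the grant stays as narrow as possible. This is an added example, not part of the original posts. The OU distinguished name (derived from the path in the question, assuming "People" is an OU) and the NetBIOS domain name MYDOMAIN are assumptions; adjust both before use.

```powershell
# Added example: delegate contact creation on one OU and verify the result.
# Run from an elevated shell with rights to modify the OU's ACL.

# Assumptions: OU path taken from the question; NetBIOS name is hypothetical.
$OuDn    = 'OU=Permission Tests,OU=People,DC=mydomain,DC=com'
$Trustee = 'MYDOMAIN\Account Operators'

# dsacls permission strings use the form  perms;[property];[inherited object type]
$grants = @(
    # Create Child / Delete Child for contact objects, on the OU and below.
    @{ Inherit = '/I:T'; Ace = "${Trustee}:CCDC;contact" },
    # Read/write all properties on contact objects beneath the OU, which
    # New-MailContact needs in order to stamp the mail attributes.
    @{ Inherit = '/I:S'; Ace = "${Trustee}:RPWP;;contact" }
)

foreach ($g in $grants) {
    & dsacls.exe $OuDn $g.Inherit /G $g.Ace | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "dsacls failed for '$($g.Ace)' (exit code $LASTEXITCODE)"
    }
}

# Verify: list the ACEs that now reference the trustee on the OU.
# Review this output to confirm no rights broader than intended were granted.
& dsacls.exe $OuDn |
    Select-String -SimpleMatch 'Account Operators' |
    ForEach-Object { $_.Line.Trim() }
```

Granting the same rights to a dedicated group for the junior administrators instead of Account Operators keeps the change from widening what every member of that built-in group can do.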
