In Microsoft Exchange Server 2019 or Exchange Server 2016, you can assign the "Active Directory Permissions" role to a user, a group, or a role group. The assignment can be limited by using a management scope so that the assignee can only use the permissions granted by this role only on the specific objects within the scope. The assignment can be limited to a specific recipient write scope or configuration write scope. However, even if both recipient and configuration scopes are limited to a narrow scope, there is an easy way for users to hold the "Active Directory Permissions" role to elevate their permissions to the whole Exchange organization.
Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.