Delegating administrator roles to an administrative group can grant the ability to create mailboxes in other administrative groups in an Exchange organization


Symptoms

When you delegate the Exchange Administrator role or the Exchange Full Administrator role in Microsoft Exchange 2000 Server or in Microsoft Exchange Server 2003, the delegated user or group may be able to create a mailbox for any user in any administrative group in the Exchange organization.

Important To mailbox-enable a user account, the user or group that has the Exchange Administrator role or the Exchange Full Administrator role requires Write access to certain attributes on the target user account in the Active Directory directory service.

Cause

This behavior occurs when all the following conditions are true:
  • You assign the user or group the Exchange Administrator role or the Exchange Full Administrator role for an administrative group or for the Exchange organization.
  • The user or group that has the Exchange Administrator role or the Exchange Full Administrator role also has administrative permissions on user accounts in Active Directory. For more information about setting permissions on Active Directory objects, click the following article number to view the article in the Microsoft Knowledge Base:
    316792 Minimum permissions necessary to perform Exchange-related tasks
The Exchange Administration Delegation Wizard provides View Only access control permissions for all administrative groups in an Exchange organization by setting access control entries (ACEs) at the organization level. This may provide behavior that is not wanted for Exchange organizations that have several administrative groups.

Workaround

Important We recommend this workaround for Exchange organizations that have a small number of administrative groups. For Exchange organizations with a larger number of administrative groups, this workaround may not be practical because each access control permission must be changed manually. Additionally, if you manually configure the access control permissions for many administrative groups, it may affect the performance of Exchange on the servers. This degradation of performance occurs because of the increase in ACEs that are added to the access control lists (ACLs) of the administrative group Active Directory object. As the number of ACEs increases, the size of an ACL for the object grows. This ACL information is stored in the DSAccess cache. The DSAccess cache has a 32 kilobyte (KB) limit. If the total size of an attribute for an Active Directory object is larger than 32,768 bytes, a reduction in server performance may occur because the Exchange DSAccess cache cannot store the attribute.

Note Exchange Server 2003 Service Pack 1 (SP1) includes an updated DSAccess cache that no longer has a 32-KB limit. This is because in Exchange Server 2003 SP1, the DSAccess component can chain one or more memory segments together.

Warning When you apply an explicit Deny on a permission, the explicit Deny takes precedence over an Allow that is inherited. This may cause access control behavior that is not wanted. Additionally, manual configuration of ACEs may cause the user account not to have access to certain objects in Active Directory. Use caution when you manually configure ACEs to make sure that any changes are fully tested.

To work around this behavior, deny Read, Execute, Read permissions, List contents, Read properties, and List object access control permissions on the administrative groups that you want to hide from the delegated local administrator who has account operator permissions. To do this, follow these steps.

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 How to back up and restore the registry in Windows
  1. Click Start, point to All Programs, point to Microsoft Exchange, and then click System Manager.

    Important To change the security on an administrative group object, you must turn on the display of the Security tab in Exchange System Administrator. To do this, follow these steps:
    1. Click Start, click Run, type regedit , and then click OK.
    2. Locate and then click the following registry subkey:
      HKEY_CURRENT_USER\Software\Microsoft\Exchange\EXAdmin
    3. On the Edit menu, point to New, and then click DWORD Value.
    4. Type ShowSecurityPage, and then press ENTER.
    5. In the Edit DWORD Value dialog box, type 1 in the Value data box, and then click OK.
    6. Quit Registry Editor.
  2. In the Exchange organization list in Exchange System Manager, right-click the administrative group that you want, and then click Properties.
  3. Click the Security tab.
  4. In the Group or user names list, click the group or the user name that you want.
  5. In the Deny column of the Permissions list, click to select the following check boxes, and then click OK:
    • Read
    • Execute
    • Read permissions
    • List contents
    • Read properties
    • List object
  6. Quit Exchange System Manager.

More information

When you use the Exchange Administration Delegation Wizard to delegate an Exchange administrator role to an administrative group, the Exchange Administration Delegation Wizard adds Exchange View Only Administrator access control permissions for the user or group to the Exchange organization.

The access control permissions that are granted by using the Exchange Administration Delegation Wizard are then inherited by any administrative group in the Exchange organization. An Exchange administrator must have Read, Execute, Read permissions, List contents, Read properties, and List object permissions to provide administrative functionality. For an Exchange administrator to manage an administrative group, the permissions must not be removed.
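The three points this article makes about the administrative group object can be worked through on a constructed security descriptor: the 32-KB DSAccess limit and ACL growth (Workaround section), the precedence of an explicit Deny over an inherited Allow (Warning), and the View Only rights inherited from the organization-level delegation (this section). The Python below is an added example written for this archive page; it is not Microsoft code and not an Exchange tool. It builds self-relative security descriptors in the documented Windows binary layout, then audits them. The ACE type, flag and access-right constants are Windows SDK values; `DELEGATED_GROUP_SID`, `VIEW_ONLY_MASK` (a stand-in for the wizard's View Only set, built from the "Read permissions", "List contents", "Read properties" and "List object" rights; the "Execute" check box has no single AD right and is left out) and every sample ACE are constructed assumptions.

```python
# Added example: build and audit self-relative Windows security descriptors to
# reason about the DSAccess 32-KB limit and explicit-Deny precedence.
# Not Microsoft code; the SID, masks and ACEs below are constructed samples.
import struct
import uuid

# ACE types and flags (Windows SDK values)
ACCESS_ALLOWED_ACE_TYPE = 0x00
ACCESS_DENIED_ACE_TYPE = 0x01
ACCESS_ALLOWED_OBJECT_ACE_TYPE = 0x05
ACCESS_DENIED_OBJECT_ACE_TYPE = 0x06
OBJECT_ACE_TYPES = (ACCESS_ALLOWED_OBJECT_ACE_TYPE, ACCESS_DENIED_OBJECT_ACE_TYPE)
DENY_ACE_TYPES = (ACCESS_DENIED_ACE_TYPE, ACCESS_DENIED_OBJECT_ACE_TYPE)
CONTAINER_INHERIT_ACE = 0x02    # AceFlags: propagate to child containers
INHERITED_ACE = 0x10            # AceFlags: this ACE came from a parent object
ACE_OBJECT_TYPE_PRESENT = 0x01  # object-ACE Flags: an ObjectType GUID follows
SE_DACL_PRESENT = 0x0004
SE_SELF_RELATIVE = 0x8000
ACL_REVISION_DS = 4
SD_HEADER_LEN, ACL_HEADER_LEN = 20, 8

# AD access rights behind the View Only check boxes the article names
READ_CONTROL = 0x00020000              # "Read permissions"
ADS_RIGHT_DS_LIST = 0x00000004         # "List contents"
ADS_RIGHT_DS_READ_PROP = 0x00000010    # "Read properties"
ADS_RIGHT_DS_LIST_OBJECT = 0x00000080  # "List object"
VIEW_ONLY_MASK = READ_CONTROL | ADS_RIGHT_DS_LIST | ADS_RIGHT_DS_READ_PROP | ADS_RIGHT_DS_LIST_OBJECT

DSACCESS_CACHE_LIMIT = 32768  # pre-Exchange 2003 SP1 limit quoted in the article
DELEGATED_GROUP_SID = "S-1-5-21-1000-2000-3000-1105"  # constructed sample SID


def sid_to_bytes(sid):
    """Serialise 'S-1-<authority>-<sub>-...' into the binary SID layout."""
    parts = sid.split("-")
    subs = [int(p) for p in parts[3:]]
    return (struct.pack("<BB", int(parts[1]), len(subs))
            + int(parts[2]).to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def bytes_to_sid(data):
    rev, count = struct.unpack_from("<BB", data, 0)
    authority = int.from_bytes(data[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, data, 8)
    return "S-%d-%d-" % (rev, authority) + "-".join(str(s) for s in subs)


def build_ace(ace_type, sid, mask, flags=0, object_type=None):
    """ACE_HEADER + Mask [+ object Flags and GUID] + SID."""
    body = struct.pack("<I", mask)
    if ace_type in OBJECT_ACE_TYPES:
        if object_type is None:
            body += struct.pack("<I", 0)
        else:
            body += struct.pack("<I", ACE_OBJECT_TYPE_PRESENT) + uuid.UUID(object_type).bytes_le
    body += sid_to_bytes(sid)
    return struct.pack("<BBH", ace_type, flags, 4 + len(body)) + body


def build_self_relative_sd(aces):
    """Self-relative SD carrying only a DACL (no owner, group or SACL)."""
    dacl = b"".join(aces)
    acl = struct.pack("<BBHHH", ACL_REVISION_DS, 0, ACL_HEADER_LEN + len(dacl), len(aces), 0) + dacl
    header = struct.pack("<BBHIIII", 1, 0, SE_SELF_RELATIVE | SE_DACL_PRESENT, 0, 0, 0, SD_HEADER_LEN)
    return header + acl


def parse_dacl(sd):
    """Walk the DACL and return one dict per ACE."""
    _, _, control, _, _, _, off_dacl = struct.unpack_from("<BBHIIII", sd, 0)
    if not control & SE_DACL_PRESENT or off_dacl == 0:
        return []
    _, _, _, ace_count, _ = struct.unpack_from("<BBHHH", sd, off_dacl)
    pos, aces = off_dacl + ACL_HEADER_LEN, []
    for _ in range(ace_count):
        ace_type, ace_flags, ace_size = struct.unpack_from("<BBH", sd, pos)
        mask, = struct.unpack_from("<I", sd, pos + 4)
        sid_pos = pos + 8
        if ace_type in OBJECT_ACE_TYPES:  # skip Flags and any GUIDs before the SID
            obj_flags, = struct.unpack_from("<I", sd, sid_pos)
            sid_pos += 4 + 16 * bool(obj_flags & 0x1) + 16 * bool(obj_flags & 0x2)
        aces.append({"deny": ace_type in DENY_ACE_TYPES, "mask": mask,
                     "inherited": bool(ace_flags & INHERITED_ACE),
                     "sid": bytes_to_sid(sd[sid_pos:pos + ace_size])})
        pos += ace_size
    return aces


def audit(sd):
    """Facts worth checking on an administrative group object's descriptor."""
    aces = parse_dacl(sd)
    return {"bytes": len(sd), "ace_count": len(aces),
            "explicit_deny_count": sum(1 for a in aces if a["deny"] and not a["inherited"]),
            "exceeds_dsaccess_limit": len(sd) > DSACCESS_CACHE_LIMIT}


def max_aces_under_limit(ace_bytes):
    """How many ACEs of one size fit before the SD passes the pre-SP1 limit."""
    return (DSACCESS_CACHE_LIMIT - SD_HEADER_LEN - ACL_HEADER_LEN) // ace_bytes


def access_check(sd, sid, requested):
    """Simplified DACL evaluation in canonical order (explicit Deny, explicit Allow,
    inherited Deny, inherited Allow): a matching Deny on a still-needed right wins."""
    granted = 0
    for a in sorted(parse_dacl(sd), key=lambda e: (e["inherited"], not e["deny"])):
        if a["sid"] != sid:
            continue
        if a["deny"] and a["mask"] & requested & ~granted:
            return False
        if not a["deny"]:
            granted |= a["mask"]
        if granted & requested == requested:
            return True
    return False


def sample_descriptors():
    """(a) the View Only Allow inherited from the organization-level delegation;
    (b) the same plus the explicit Deny the Workaround section adds."""
    inherited_allow = build_ace(ACCESS_ALLOWED_ACE_TYPE, DELEGATED_GROUP_SID, VIEW_ONLY_MASK,
                                flags=CONTAINER_INHERIT_ACE | INHERITED_ACE)
    explicit_deny = build_ace(ACCESS_DENIED_ACE_TYPE, DELEGATED_GROUP_SID, VIEW_ONLY_MASK)
    return build_self_relative_sd([inherited_allow]), build_self_relative_sd([explicit_deny, inherited_allow])


if __name__ == "__main__":
    delegated, hidden = sample_descriptors()
    print("delegated:", audit(delegated), access_check(delegated, DELEGATED_GROUP_SID, VIEW_ONLY_MASK))
    print("hidden:   ", audit(hidden), access_check(hidden, DELEGATED_GROUP_SID, VIEW_ONLY_MASK))
    print("36-byte ACEs that fit under the pre-SP1 limit:", max_aces_under_limit(36))
```

Running the block shows that the delegated group reads the administrative group through the inherited Allow alone, that one explicit Deny on the same rights removes that access regardless of the inherited Allow, and that a plain 36-byte ACE (4-byte header, 4-byte mask, 28-byte domain SID) can be stacked about 909 times before the descriptor exceeds 32,768 bytes; object ACEs carrying a GUID are larger, so the real ceiling on a busy object is lower.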

For more information about delegated administration, see the "Best practices for delegating Active Directory administration" white paper. To obtain this white paper, visit the following Microsoft Web site:
For more information about how to grant the Create Mailbox task to a user, click the following article number to view the article in the Microsoft Knowledge Base:
316792 Minimum permissions necessary to perform Exchange-related tasks
For more information about access control permissions and Exchange, click the following article number to view the article in the Microsoft Knowledge Base:
823018 Overview of Exchange administrative role permissions in Exchange 2003
For more information that is related to this behavior, click the following article numbers to view the articles in the Microsoft Knowledge Base:
312647 How to check and countercheck security-related information in Exchange System Manager in Exchange 2000 Server
813814 Exchange networking performance is very slow
246175 The role of DSAccess in Exchange 2000 Server

Keywords: KB883381, kbtshoot

Article Info
Article ID : 883381
Revision : 7
Created on : 10/25/2007
Published on : 10/25/2007
Exists online : False
Views : 361