JSI Tip 9504. Delegating administrator roles to an administrative group can grant the ability to create mailboxes in other administrative groups in an Exchange organization?

When you use the Exchange Administration Delegation Wizard to delegate an Exchange administrator role to an administrative group, the Exchange Administration Delegation Wizard adds the Exchange View-Only Administrator role for the user or group to the Exchange organization. These permissions are then inherited by any administrative group in the Exchange organization.

NOTE: An Exchange administrator must have Read, Execute, Read Permissions, List Contents, Read Properties, and List Object permissions.

NOTE: See Minimum permissions necessary to perform Exchange-related tasks.

NOTE: To mailbox-enable a user account, the user or group that has the Exchange View-Only Administrator role requires Write access to certain attributes on the target user account in Active Directory.

NOTE: To use the procedure in this tip, you will need to implement tip 9503 » How can I display the Security tab in Microsoft Exchange System Manager?

To work around this behavior:

1. Open the Microsoft Exchange System Manager from the Start menu.

2. Right-click the administrative group in which you want to prevent mailbox creation, and then click Properties.

3. Select the Security tab.

4. In the Group or User Names list, select the group or user that you want to prevent from creating mailboxes.

5. Check the boxes in the Deny column for the following permissions:

Read Permissions 
List Contents 
Read Properties 
List Object

6. Press OK.

7. Exit the Exchange System Manager.
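
To confirm that the Deny entries from step 5 exist as explicit ACEs on the administrative group while the inherited Allow from the organization is still present, the following added example (not part of the original tip) parses a security descriptor in SDDL form. The SID, the sample SDDL string and the function name `Test-AdminGroupDeny` are constructed for illustration.

```powershell
Add-Type -AssemblyName System.DirectoryServices

# Constructed sample data: a placeholder SID for the delegated group and a DACL
# holding the explicit Deny from step 5 plus the Allow inherited from the organization.
$delegateSid = 'S-1-5-21-1111111111-2222222222-3333333333-1105'
$sampleSddl  = "D:(D;CI;RCLCRPLO;;;$delegateSid)(A;CIID;RCLCRPLO;;;$delegateSid)"

# Step 5 check boxes as ActiveDirectoryRights flags: Read Permissions, List Contents,
# Read Properties, List Object.
$needed = [int][System.DirectoryServices.ActiveDirectoryRights]'ReadControl, ListChildren, ReadProperty, ListObject'

function Test-AdminGroupDeny {
    param([string]$Sddl, [string]$Sid, [int]$Needed)

    $sd = New-Object System.DirectoryServices.ActiveDirectorySecurity
    $sd.SetSecurityDescriptorSddlForm($Sddl)
    $sidType = [System.Security.Principal.SecurityIdentifier]

    # Explicit ACEs only: the Deny has to be set on the administrative group itself.
    $denied = 0
    foreach ($ace in $sd.GetAccessRules($true, $false, $sidType)) {
        if ($ace.IdentityReference.Value -eq $Sid -and $ace.AccessControlType -eq 'Deny') {
            $denied = $denied -bor [int]$ace.ActiveDirectoryRights
        }
    }

    # Inherited ACEs only: the Allow that comes down from the organization object.
    $inheritedAllow = 0
    foreach ($ace in $sd.GetAccessRules($false, $true, $sidType)) {
        if ($ace.IdentityReference.Value -eq $Sid -and $ace.AccessControlType -eq 'Allow') {
            $inheritedAllow = $inheritedAllow -bor [int]$ace.ActiveDirectoryRights
        }
    }

    # Any step 5 right that is not covered by an explicit Deny is reported as missing.
    $missing = $Needed -band (-bnot $denied)
    [pscustomobject]@{
        DenyComplete   = ($missing -eq 0)
        MissingDeny    = [System.DirectoryServices.ActiveDirectoryRights]$missing
        InheritedAllow = [System.DirectoryServices.ActiveDirectoryRights]$inheritedAllow
    }
}

Test-AdminGroupDeny -Sddl $sampleSddl -Sid $delegateSid -Needed $needed
```

Against a live directory, pass the SDDL read from the administrative group object instead of the sample string, and the SID of the user or group selected in step 4.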
