We have a very locked-down environment: any permission that is delegated is done using the minimum rights required. For example, we never use the Delegation of Control wizard when assigning rights to change passwords, unlock accounts, etc. in AD. We use individual groups called "change password" and "unlock accounts" and permission these groups with the exact right required.

We need to allow an AD security group the ability to change the permissions on all users' mailboxes. If we open a user's account in AD and open the mailbox, we can add this group here and assign the "change permissions" right. However, we need to do this across the organization.

So in ADSI Edit, at this location:

Configuration -> Services -> Company -> Administrative Groups -> Exchange Administrative Group -> Servers

we have permissioned the cluster nodes with a security group, assigning the "change permissions" right. Let's call this group "Modify exchange 2007 mailbox permissions".

We can see this permission propagate to all users' mailboxes, so when opening any mailbox we can see the "Modify exchange 2007 mailbox permissions" group with the "change permissions" right (inherited). However, any member of "Modify exchange 2007 mailbox permissions" cannot change mailbox permissions; we get an "access is denied" error.

If I roll back this change via ADSI Edit, and then open an individual mailbox (as an Exchange admin) and add in the group "Modify exchange 2007 mailbox permissions" with the "change permissions" right, any member of "Modify exchange 2007 mailbox permissions" can now change permissions!

So when it's permissioned directly it will work, but when it's inherited it doesn't. Any ideas?
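A way to compare the two states described above from the Exchange 2007 Management Shell, as an added example that is not part of the original post: it lists the access control entries the delegated group holds on one mailbox and on the mailbox server objects, including whether each entry is inherited, its inheritance type and whether it is a Deny entry, so the inherited ACE from the server container can be checked side by side with the directly assigned one before widening any rights. The group name, mailbox alias and domain below are assumed placeholders; the cmdlets (Get-MailboxPermission, Get-ADPermission, Get-ExchangeServer) are standard Exchange 2007 cmdlets.

```powershell
# Added example (not from the original post). Assumes the Exchange 2007
# Management Shell is loaded and that these two values are placeholders
# for the environment's own names.
$Group   = "DOMAIN\Modify exchange 2007 mailbox permissions"  # assumed group name
$Mailbox = "testuser"                                         # assumed mailbox alias

# 1. ACEs the group holds on the mailbox object as Exchange evaluates them.
#    IsInherited shows whether the entry came down from the server container
#    (the ADSI Edit change) or was set directly on the mailbox.
Write-Host "--- Mailbox permissions for $Group on $Mailbox ---"
Get-MailboxPermission -Identity $Mailbox -User $Group | Format-List *

# 2. The same mailbox seen through the raw AD permission view, which also
#    exposes extended rights, the inheritance type and explicit Deny entries.
Write-Host "--- AD permissions for $Group on $Mailbox ---"
Get-ADPermission -Identity $Mailbox -User $Group |
    Select-Object User, AccessRights, ExtendedRights, IsInherited, Deny, InheritanceType |
    Format-List

# 3. For comparison, the ACE as it sits on each mailbox server object, which is
#    where it was applied in ADSI Edit; the inheritance type here decides what
#    child objects actually receive.
Write-Host "--- AD permissions for $Group on mailbox server objects ---"
Get-ExchangeServer | Where-Object { $_.IsMailboxServer } | ForEach-Object {
    Get-ADPermission -Identity $_.DistinguishedName -User $Group |
        Select-Object Identity, AccessRights, ExtendedRights, IsInherited, Deny, InheritanceType |
        Format-List
}
```

Run it once with the ADSI Edit change in place and once with the direct mailbox assignment, and diff the two outputs: any difference in AccessRights, ExtendedRights, InheritanceType or a Deny entry that appears only in the inherited run narrows down where the effective rights diverge, without granting anything new to the group.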