Apologies for the repost, but I am really interested to see if others can duplicate this. It seems like a bug, but way too obvious to have been missed, surely.....

---

I have been trying to determine the absolute minimum rights required to allow specified users to create new accounts and mailboxes, but not have the permissions to then grant themselves access to that mailbox.

My testing was done using a test account within a single OU. The test account was only given the "right" to create and delete users within that particular OU object (and any child objects) using the Advanced permissions page of that OU. It was also given the following special permissions to "User Objects" (again within that OU's advanced properties):

Object Permissions:
- Reset Password

Properties:
- Write Logon Information
- Write Account Restrictions

At the Exchange Organisation level I granted the account "Exchange View Only Administrator".

Using the Exchange 2003 admin tools (because that is just what I happened to have installed) I created several new users with mailboxes on both Exchange 2000 and 2003 servers. Once these were created and left for a suitable period of time for AD to become aware of them, I emailed each mailbox to cause the mailbox permissions to become populated. Then, using the same account that created them, I opened up their properties and accessed the mailbox permissions via the "Mailbox Rights" button and attempted to give myself "Full Mailbox Access" ("myself" being the account which created them, not my personal account).

On the 2000 servers (SP3 + Aug 04 Rollup) I was greeted by a:

"Unable to save permission changes on <username> Access is denied"

message when I attempted to click the "Apply" button or click "OK". This was what I was expecting to happen. After canceling out of the permissions box and user object box, then reopening both, I confirmed that none of the changes had been saved to the permissions.

However, on the 2003 boxes it gave no such error and simply closed the permissions box. When I clicked on the main user object properties OK button after that I got:

"Access Denied Facility: LDAP Provider ID no: 80070005 Microsoft Active Directory - Exchange Extension"

This looks like it had done the same thing as the first message (with a somewhat less friendly message). However, it turns out that the changes to the permissions had already been made, although I had to cancel this second box as OK would continually produce this message. I was able to add the account to Outlook and access any mail within it.

One interesting thing is that it only seems to be possible to grant oneself access like this to accounts created by the account you're using to grant the access.

I have tried this on Exchange 2003 vanilla, SP1 and SP2 with the same results each time.

It'd be great if someone else could try this and at the very least confirm my findings and prove it is not exclusive to our AD setup, or tell me how to fix it. Please include anything non-standard about your setup. For example, any other permissions that my test admin accounts get are inherited (such as read properties permissions so they can see all the user object attributes).

All the steps I have done are listed above; however, as I have tried to answer any questions I thought might get asked as I went along, it may be a bit wordy and hard to follow. So if you want a step-by-step list of what I did I can do that.

If these findings are confirmed by others then this situation is a little worrying from a security point of view.

All constructive responses appreciated :-)

Many thanks
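A defender-side check that goes with the procedure above, as an added example (not code from the original post or from Microsoft): given a mailbox security descriptor in SDDL text form, it reports every trustee outside an expected set that holds Full Mailbox Access or that can rewrite the ACL, and it always reports the owner, since Windows grants an object's owner READ_CONTROL and WRITE_DAC implicitly regardless of what the DACL says. The SIDs and SDDL strings are constructed, and treating access-mask bit 0x1 as the Exchange "Full Mailbox Access" right is an assumption made for this example; the standard-rights values (DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER) are the documented Windows values.

```python
"""Audit who can read a mailbox or rewrite its ACL, from SDDL text.

Added example, not code from the original post. Parses the owner and DACL
of a security descriptor given in SDDL form and reports trustees holding
Full Mailbox Access or ACL-control rights. All SIDs/SDDL below are constructed.
"""
import re
from dataclasses import dataclass

# Standard-rights values are the documented Windows access-mask bits.
# FULL_MAILBOX_ACCESS = 0x1 as the mailbox-specific bit is an assumption here.
FULL_MAILBOX_ACCESS = 0x00000001
DELETE = 0x00010000
READ_CONTROL = 0x00020000
WRITE_DAC = 0x00040000
WRITE_OWNER = 0x00080000
GENERIC_ALL = 0x10000000
ACL_CONTROL = WRITE_DAC | WRITE_OWNER | GENERIC_ALL

# Two-letter SDDL right codes handled by this example (subset).
RIGHT_CODES = {"GA": GENERIC_ALL, "SD": DELETE, "RC": READ_CONTROL,
               "WD": WRITE_DAC, "WO": WRITE_OWNER}
# Well-known SID aliases expanded to full SIDs.
SID_ALIASES = {"BA": "S-1-5-32-544", "SY": "S-1-5-18", "CO": "S-1-3-0"}

SD_RE = re.compile(
    r"^(?:O:(?P<owner>[A-Z]{2}|S-[\d-]+))?"
    r"(?:G:(?P<group>[A-Z]{2}|S-[\d-]+))?"
    r"(?:D:(?P<dflags>[A-Z]*)(?P<dacl>(?:\([^)]*\))*))?"
    r"(?:S:.*)?$"
)
ACE_RE = re.compile(r"\(([^)]*)\)")


@dataclass(frozen=True)
class Ace:
    ace_type: str   # "A" = allow, "D" = deny
    mask: int       # access mask
    trustee: str    # SID with aliases expanded


def parse_mask(rights: str) -> int:
    """The rights field is either hex (0x1) or a run of two-letter codes (WDWO)."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    mask = 0
    for i in range(0, len(rights), 2):
        code = rights[i:i + 2]
        if code not in RIGHT_CODES:
            raise ValueError(f"unsupported SDDL right code {code!r}")
        mask |= RIGHT_CODES[code]
    return mask


def parse_sddl(sddl: str):
    """Return (owner SID or None, list of Ace) from an SDDL string."""
    m = SD_RE.match(sddl)
    if not m:
        raise ValueError("not a well-formed SDDL string")
    owner = m.group("owner")
    owner = SID_ALIASES.get(owner, owner) if owner else None
    aces = []
    for body in ACE_RE.findall(m.group("dacl") or ""):
        fields = body.split(";")  # type;flags;rights;object_guid;inherit_guid;sid
        if len(fields) < 6:
            raise ValueError(f"malformed ACE {body!r}")
        ace_type, rights, sid = fields[0], fields[2], fields[5]
        aces.append(Ace(ace_type, parse_mask(rights), SID_ALIASES.get(sid, sid)))
    return owner, aces


def audit(sddl: str, expected: set) -> list:
    """Sorted (sid, reason) findings for trustees outside `expected`.

    The owner is always a finding when unexpected: Windows grants an object's
    owner READ_CONTROL and WRITE_DAC implicitly, so an unexpected owner can
    grant themselves access no matter what the DACL currently contains.
    """
    owner, aces = parse_sddl(sddl)
    findings = set()
    if owner and owner not in expected:
        findings.add((owner, "owner (implicit WRITE_DAC)"))
    for ace in aces:
        if ace.ace_type != "A" or ace.trustee in expected:
            continue
        if ace.mask & (FULL_MAILBOX_ACCESS | GENERIC_ALL):
            findings.add((ace.trustee, "Full Mailbox Access"))
        if ace.mask & ACL_CONTROL:
            findings.add((ace.trustee, "can rewrite ACL"))
    return sorted(findings)


# Constructed sample: a provisioning account that created the user owns the
# mailbox SD and has also ended up with an explicit Full Mailbox Access ACE.
PROVISIONER = "S-1-5-21-1000-2000-3000-1105"
MAILBOX_USER = "S-1-5-21-1000-2000-3000-1201"
SAMPLE_SDDL = (
    f"O:{PROVISIONER}G:DU"
    f"D:PAI(A;CI;0x1;;;{MAILBOX_USER})"
    f"(A;CI;0x1;;;{PROVISIONER})"
    f"(A;CI;RC;;;BA)"
    f"(D;;GA;;;S-1-1-0)"
)
# Trustees we expect on every mailbox: the mailbox owner, Administrators, SYSTEM.
EXPECTED = {MAILBOX_USER, "S-1-5-32-544", "S-1-5-18"}

if __name__ == "__main__":
    for sid, reason in audit(SAMPLE_SDDL, EXPECTED):
        print(f"{sid}: {reason}")
```

Run against a real environment, the SDDL input would come from each mailbox's security descriptor and `EXPECTED` from the mailbox user plus the service accounts you deliberately delegate; any provisioning account that shows up either as owner or with an explicit Full Mailbox Access ACE is the condition described in the post.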