I am in the middle of setting up AD delegation for a group of users who will need to create and modify users, create mailboxes and do other housework within ADUC.
All seems to be working as it should until I add the security group to the Exchange Recipient Administrators group (ERA). Then the users in that group are able to add themselves and other users to the domain admin group, which defeats the object of the delegation I have applied.
I have looked at the rights inherited by the ERA group and they only appear to have ‘read access’ on certain items from the domain root downwards.
Should I expect this behaviour or is it abnormal?
We have an Exchange 2007 SP2 server and two Win 2k8 R2 DCs. The domain is running at the Windows 2003 server functional level.