Cannot delegate permissions to delete mailboxes or e-mail addresses (815439)

SYMPTOMS

When you delegate control of Microsoft Exchange Server configuration objects in Active Directory so another user can delete a mailbox or e-mail address and you assign that user Write permissions to the attributes that are associated with mailboxes, that user may receive an "Access denied" error message as a result when they try to delete a mailbox or e-mail address.

When you follow the instructions from the following Microsoft Knowledge Base (KB) article to manually grant permissions to that delegate user, they can successfully delete the object:

316792 Minimum permissions necessary to perform Exchange-related tasks

CAUSE

This problem may occur if both the following conditions are true:

You delegate the Exchange View Only Administrator role to a user or group.
You assign Write permissions to the attributes associated with mailboxes by using the Active Directory Users and Computers utility or by using a third-party utility for account delegation management.

This problem also occurs because some of the attributes to which the delegate user needs permission are not visible in the Active Directory Users and Computers user interface (UI). Additionally, when you delete the mailbox or e-mail address, a number of attributes that are not part of the schema of the object being deleted, are also removed. Because of this, Active Directory must enforce the delegate users permissions against these attributes, although the attributes are not being used.

RESOLUTION

Cumulative Rollup Information

To resolve this problem, obtain the September 2003 Exchange 2000 Server Post-Service Pack 3 (SP3) Rollup. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

824282 September 2003 Exchange 2000 Server post-Service Pack 3 Rollup

Hotfix Information

A supported hotfix is now available from Microsoft, but it is only intended to correct the problem that is described in this article. Only apply it to systems that are experiencing this specific problem. This hotfix may receive additional testing. Therefore, if you are not severely affected by this problem, Microsoft recommends that you wait for the next Microsoft Exchange 2000 Server service pack that contains this hotfix.

To resolve this problem immediately, contact Microsoft Product Support Services to obtain the hotfix. For a complete list of Microsoft Product Support Services telephone numbers and information about support costs, visit the following Microsoft Web site:

http://support.microsoft.com/contactus/?ws=support

Note In special cases, charges that are ordinarily incurred for support calls may be canceled if a Microsoft Support Professional determines that a specific update will resolve your problem. The usual support costs will apply to additional support questions and issues that do not qualify for the specific update in question.
The global version of this hotfix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

   Date         Time   Version            Size    File name
   --------------------------------------------------------------
   26-Feb-2003  18:18  6.0.6427.0         69,632  Ccmproxy.dll     
   26-Feb-2003  18:18  6.0.6427.0      2,109,440  Cdoexm.dll       
   26-Feb-2003  18:17  6.0.6427.0      8,466,432  Exadmin.dll      
   26-Feb-2003  18:18  6.0.6427.0      1,867,776  Exmgmt.exe             
   26-Feb-2003  18:18  6.0.6427.0         73,728  Inproxy.dll      
   26-Feb-2003  18:18  6.0.6427.0      2,969,600  Mad.exe          
   26-Feb-2003  18:17  6.0.6427.0      4,648,960  Maildsmx.dll     
   26-Feb-2003  18:18  6.0.6427.0         77,824  Pcproxy.dll      
   26-Feb-2003  18:18  6.0.6427.0         94,208  X400prox.dll

MORE INFORMATION

This update resolves this issue by implementing the following changes:

The Dssec.dat file is removed from the %Systemroot%\System32 folder. This exposes all attributes in the access control list (ACL) editor.
Only the attributes that are part of the objects schema are edited when you modify the object.
The list of attributes to which you require Write access now appears when you receive an "Access denied" error message as a result after you try to modify an object. This helps to diagnose permission issues that you may experience with a Delete Mailbox or Disable Mail operation.

After you install this update, the Delete Mailbox operation affects the following attributes:

adminDisplayName
Alias - mailNickname
altRecipient
authOrig
extensionAttribute1
extensionAttribute10
extensionAttribute11
extensionAttribute12
extensionAttribute13
extensionAttribute14
extensionAttribute15
extensionAttribute2
extensionAttribute3
extensionAttribute4
extensionAttribute5
extensionAttribute6
extensionAttribute7
extensionAttribute8
extensionAttribute9
deletedItemFlags
delivContLength
deliverAndRedirect
dLMemDefault
dLMemRejectPerms
dLMemSubmitPerms
E-Mail Address - mail
Exchange Home Server - msExchHomeServerName
Exchange Mailbox Store - homeMDB
garbageCollPeriod
homeMTA
ILS Settings - autoReplyMessage
internetEncoding
legacyExchangeDN
mAPIRecipient
mDBOverHardQuotaLimit
mDBOverQuotaLimit
mDBStorageQuota
mDBUseDefaults
msExchADCGlobalNames
msExchControllingZone
msExchExpansionServerName
msExchFBURL
msExchHideFromAddressLists
msExchMailboxGuid
msExchMailboxSecurityDescriptor
msExchPoliciesExcluded
msExchPoliciesIncluded
msExchRecipLimit
msExchResourceGUID
Outlook Web Access Server - folderPathname
protocolSettings
Proxy Addresses - proxyAddresses
publicDelegates
securityProtocol
showInAddressBook
Simple Display Name - displayNamePrintable
submissionContLength
targetAddress
textEncodedORAddress
unauthOrig