This is an issue that I ended up spending 6 hours debugging, only because the answer could not be found in any documentation. I know as soon as I post this someone will go post a comment saying “duh, its documented right here <link>”
The scenario is a customer was attempting to give permissions to modify certain Active Directory attributes of Exchange users (e.g. Hidden from Address Book) to a subset of administrators. The permissions where correctly set on the attributes and they could be modified using other tools, however in Active Directory User and Computers, the check boxes corresponding to those attributes where greyed out.
Now, let me preface this and say that I am not an expert when it comes to migration, a guru of what permissions to use in certain cases, etc. I am just stating the facts…
The extension dll (maildsmx.dll) used to manage Exchange users employes logic to only muck with users that are truely “Exchange” users. This includes users on Exchange 2000/2003 and Exchange 5.5. Exchange 2000/2003 users are easily identified, but Exchange 5.5 require an extra step in validating if they should be administered as an Exchange user. This is where the problem occurs, to determine if they are valid 5.5 recipients, a look up is performed against the Active Directory Connector’s Connection Agreements. The configuration of the connection agreements are stored under CN=Active Directory Connections,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Domain,DC=com, which non-administrator accounts do not have access to by default.
In order to make this work, the group in question had to be given Read Only rights to this portion of the AD to determine if the user being administered is being handled by one of the ADC connection agreements.