When you use the Exchange Administration Delegation Wizard to delegate an Exchange administrator role to an administrative group, the Exchange Administration Delegation Wizard adds the Exchange View-Only Administrator role for the user or group to the Exchange organization. These permissions are then inherited by any administrative group in the Exchange organization.
NOTE: an Exchange administrator must have Read, Execute, Read Permissions, List Contents, Read Properties, and List Object permissions.
NOTE: To mailbox-enable a user account, the user or group that has the Exchange View-Only Administrator role requires Write access to certain attributes on the target user account in Active Directory.
NOTE: To use the procedure in this tip, you will need to implement tip 9503 » How can I display the Security tab in Microsoft Exchange System Manager?
To workaround this behavior:
1. Open the Microsoft Exchange System Manager from the Start menu.
2. Right-click the administrative group that you want to prevent from creating mailboxes and press Properties.
3. Select the Security tab.
4. Select the group or user that you wish to prevent from the Group or User Names list.
5. Check the boxes in the Deny column for the following permissions:
Read Execute Read Permissions List Contents Read Properties List Object
6. Press OK.
7. Exit the Exchange System Manager.