Exchange 2010/2013 introduced an interesting concept related to split permissions.
Three permission models are available:
- Shared Permission Model
- Split Permissions (Active Directory)
- Split Permissions (RBAC)
By default, the Shared Permission Model is applied, which means that either Active Directory or the Exchange management tools can be used to create objects in AD. The Recipient Management and Organization Management role groups have those rights.
The Split Permissions (Active Directory) model brings complete segregation between Exchange and Active Directory. Exchange admins are not able to create AD objects, and there is no RBAC role for this.
The Split Permissions (RBAC) model modifies the existing shared model and removes the permissions from the Exchange administrator role groups. The Mail Recipient Creation and Security Group Creation and Membership roles are removed from the Recipient Management and Organization Management role groups. AD administrators are given RBAC permissions to create security principals, while Exchange administrators are able to modify Exchange properties.
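To see which of the three models an organization is actually running, list who holds the two object-creation roles named above. The following read-only check is an added example, not part of the original post; the variable names and the wording of the three result messages are assumptions, and the interpretation follows the model descriptions on this page.

```powershell
# Added example (not from the original page). Read-only: it only calls
# Get-ManagementRoleAssignment. Run it in the Exchange Management Shell.
$creationRoles       = 'Mail Recipient Creation', 'Security Group Creation and Membership'
$exchangeAdminGroups = 'Organization Management', 'Recipient Management'

$assignments = @(foreach ($role in $creationRoles) {
    # -Delegating $false returns regular assignments, i.e. the ones that let the
    # assignee use the role rather than only hand it out to others.
    Get-ManagementRoleAssignment -Role $role -Delegating $false |
        Where-Object { $_.Enabled } |
        Select-Object @{ n = 'Role';     e = { $role } },
                      @{ n = 'Assignee'; e = { $_.RoleAssigneeName } },
                      @{ n = 'Type';     e = { $_.RoleAssigneeType } },
                      @{ n = 'ExchangeAdminGroup'
                         e = { $exchangeAdminGroups -contains $_.RoleAssigneeName } }
})

# Full picture first: every enabled holder of either creation role.
$assignments | Sort-Object Role, Assignee | Format-Table -AutoSize

$heldByExchange = @($assignments | Where-Object { $_.ExchangeAdminGroup })
$heldByOthers   = @($assignments | Where-Object { -not $_.ExchangeAdminGroup })

if ($heldByExchange.Count -gt 0) {
    # Default state: Exchange admins can create users and security groups in AD.
    'Shared model: Exchange admin role groups still hold the object-creation roles.'
} elseif ($heldByOthers.Count -gt 0) {
    # Roles were moved away from the Exchange admin role groups.
    'RBAC split: creation roles are held only outside the Exchange admin role groups.'
} else {
    # Nobody can create security principals through RBAC.
    'No regular assignments of the creation roles: consistent with AD split permissions.'
}
```

When the result is the RBAC split case, review the Assignee column to confirm that each holder is a group of AD administrators and that no Exchange administrator is a member of it.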