Microsoft has introduced a new option as part of the Exchange 2010 SP1 Beta setup, configuring strict split permission security model. Applying this feature is optional though.
The strict split permission security model is aimed at large organizations, where there are different teams for Active Directory and Exchange. Applying this security model removes the ability for Exchange administrators to create AD objects such as users, groups and contacts. The ability to manage non-Exchange attributes on those objects will also be removed.
You shouldn’t apply this security policy model if you don’t have separate teams or specific requirement to have a split permission model. Large organizations will welcome this option as the AD team will be able to create the AD objects following their naming standards and the Exchange team can configure the mail attributes.
This option is only available for a vanilla installation of Exchange 2010 SP1 Beta (not in 2010 RTM upgrade to SP1 Beta).