How to delegate read only to exchange objects of Users in ActiveRoles Management Console
ActiveRoles Server contains pre-canned access templates that do not allow delegation of Read Only for Exchange attributes of user objects.
Read All Properties - If modification of user accounts is not required for the person using ActiveRoles Server then perform a simple delegation of 'Users - Read All Properties' that gives read access to all attributes of user objects.
If there are more priveledges for user accounts than read, there must be an explicit delegation of a deny write delegation to the Exchange attributes of user objects. Please see the attached Access Template for direct use, or for reference.