Delegating Manage Full-Access Permissions

Hello,
I believe I may be having an issue with removing the Manage Full-Access permissions for users that manage mailboxes. I created a new role group in Exchange 2010 SP2 and assigned the group the following roles: Distribution Group, Mail Enabled Public Folders, Mail Recipient Creation and Mail Recipients.
When I add the Mail Recipients role the user is allowed to manage the mailboxes, which is fine, but the user also gets the Manage Full-Access Permissions to add/remove themselves or other users from mailboxes.
Is there a way or role that can be added to allow the user to manage the mailbox but not the full-access permissions?
Thank you,
Ryan

June 20th, 2012 9:23am
That is because the Mail Recipients role has Add-MailboxPermission as an allowed cmdlet. If they just need basic recipient management like help desk roles, just add them into the default Exchange group "Recipient Management", which doesn't grant mailbox permission rights.

To view the rights assigned to the Mail Recipients role:
Get-ManagementRoleEntry "Mail Recipients\*"

James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com

June 20th, 2012 12:20pm
Hi James,
I'm afraid members of Recipient Management Role Group can still delegate the full access permission as the "Mail Recipients" Management Role is assigned to the group.
Ryan,
For your scenario, you can create a custom Role as a child of the Mail Recipients Role; after that, remove the "Add-MailboxPermission" role entry (and any other entries which you don't want, e.g. Remove-MailboxPermission), then assign the custom Role to the new Role Group.
Create a Role

http://technet.microsoft.com/en-us/library/dd351214.aspx

Remove a Role Entry from a Role

http://technet.microsoft.com/en-us/library/dd297947

Frank Wang
TechNet Community Support
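
The steps described in the reply above, written out for the Exchange Management Shell. This is an added example, not code posted by anyone in the thread; the custom role name and the role group name are hypothetical placeholders. It also removes the group's existing assignment of the unrestricted Mail Recipients role, which would otherwise still grant Add-MailboxPermission.

```powershell
# Added example. The two names marked "hypothetical" are placeholders.
$parentRole = "Mail Recipients"
$customRole = "Mail Recipients - No Mailbox Permissions"   # hypothetical name
$roleGroup  = "Mailbox Managers"                            # hypothetical: the new role group

# 1. Create the custom role as a child of the built-in role.
#    A child role starts with a copy of the parent's role entries.
New-ManagementRole -Name $customRole -Parent $parentRole

# 2. Remove the entries that allow changing mailbox permissions.
foreach ($cmdlet in "Add-MailboxPermission", "Remove-MailboxPermission") {
    Remove-ManagementRoleEntry "$customRole\$cmdlet" -Confirm:$false
}

# 3. Assign the trimmed role to the role group.
New-ManagementRoleAssignment -Role $customRole -SecurityGroup $roleGroup

# 4. Drop the group's assignment of the unrestricted parent role; while it
#    remains, members keep Add-MailboxPermission through it.
Get-ManagementRoleAssignment -Role $parentRole -RoleAssignee $roleGroup |
    Remove-ManagementRoleAssignment -Confirm:$false

# 5. Verify: list the roles the group now holds, and confirm that the
#    custom role no longer contains the Add-/Remove-MailboxPermission entries.
Get-ManagementRoleAssignment -RoleAssignee $roleGroup |
    Format-Table Name, Role -AutoSize
Get-ManagementRoleEntry "$customRole\*MailboxPermission"
```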

June 21st, 2012 12:01am
You are correct, the recipient management role does have rights to manage mailbox perms; for some reason I thought it didn't.

James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com

June 21st, 2012 6:54am
Hi Frank,
This worked perfectly! Thank you very much it's exactly what I was trying to accomplish.
Thanks for your reply too James...
Ryan

June 21st, 2012 8:21am

This topic is archived. No further replies will be accepted.
