Delegating Manage Full-Access Permissions
Hello,
I believe I may be having an issue with removing the Manage Full-Access permissions for users that manage mailboxes. I created a new role group in Exchange 2010 SP2 and assigned the group the following roles: Distribution Group, Mail Enabled Public Folders, Mail Recipient Creation and Mail Recipients.
When I add the Mail Recipients role the user is allowed to manage the mailboxes, which is fine, but the user also gets the Manage Full-Access Permissions to add/remove themselves or other users from mailboxes.
Is there a way or role that can be added to allow the user to manage the mailbox but not the full-access permissions?
Thank you,
Ryan
June 20th, 2012 12:23pm
That is because the Mail Recipients role has Add-MailboxPermission as an allowed cmdlet. If they just need basic recipient management like help desk roles, just add them into the default Exchange group "Recipient Management", which doesn't grant mailbox permission rights.
To view the rights assigned to the mail recipients role:
Get-ManagementRoleEntry "Mail Recipients\*"
James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com
June 20th, 2012 3:20pm
Hi James,
I'm afraid members of Recipient Management Role Group can still delegate the full access permission as the "Mail Recipients" Management Role is assigned to the group.
Ryan,
For your scenario, you can create a custom Role as a child of the Mail Recipients Role, after that remove the "Add-MailboxPermission" role entry (and any other entries which you don't want, e.g. Remove-MailboxPermission), then assign the custom Role to the new Role Group.
Create a Role
http://technet.microsoft.com/en-us/library/dd351214.aspx
Remove a Role Entry from a Role
http://technet.microsoft.com/en-us/library/dd297947
Frank Wang
TechNet Community Support
June 21st, 2012 2:53am
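The procedure Frank outlines (derive a child role from Mail Recipients, strip the permission-delegation entries, assign it to the role group) as a single Exchange Management Shell script. This is an added example, not code from the thread or from Microsoft's documentation. The role name "Mail Recipients - No FullAccess" and the role group name "Help Desk Mailbox Admins" are placeholders; the built-in role names used (including "Distribution Groups", which Ryan's post abbreviates) should be confirmed against `Get-ManagementRole` on your own organization before running.

```powershell
# Added example (not from the thread). Run in the Exchange Management Shell on
# Exchange 2010 SP2 as an account holding the Role Management role.
# The two names below are placeholders, not values from the original posts.
$childRole = 'Mail Recipients - No FullAccess'
$roleGroup = 'Help Desk Mailbox Admins'

# Role entries that grant or alter mailbox-level access; these are what let a
# delegate give themselves Full Access, so they are removed from the child role.
$blockedCmdlets = 'Add-MailboxPermission', 'Remove-MailboxPermission'

# 1. Create the custom role as a child of the built-in parent. A child role
#    starts with every entry of its parent, so only the removals below differ.
New-ManagementRole -Name $childRole -Parent 'Mail Recipients'

# 2. Remove the permission-delegation entries from the child role only.
#    The built-in 'Mail Recipients' role is left untouched.
foreach ($cmdlet in $blockedCmdlets) {
    Remove-ManagementRoleEntry -Identity "$childRole\$cmdlet" -Confirm:$false
}

# 3. Create the role group with the trimmed role plus the other roles Ryan
#    listed, so members keep normal recipient management.
New-RoleGroup -Name $roleGroup -Roles $childRole,
    'Distribution Groups',
    'Mail Enabled Public Folders',
    'Mail Recipient Creation'

# 4. Verify: list any blocked cmdlet still present on the child role.
#    Empty output means the entries are gone.
Get-ManagementRoleEntry "$childRole\*" |
    Where-Object { $blockedCmdlets -contains $_.Name }

# 5. Verify the assignment: the group should carry the child role, not the
#    parent. Members who also belong to Recipient Management would still
#    inherit Add-MailboxPermission through that group, so check membership there too.
Get-ManagementRoleAssignment -RoleAssignee $roleGroup |
    Select-Object Role, RoleAssigneeType
```

Step 5 is the check worth keeping: RBAC rights are cumulative across every role group a user belongs to, so the restricted role only achieves its purpose if the help desk accounts are not also members of Recipient Management or another group that carries the unrestricted Mail Recipients role.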
You are correct, the Recipient Management role does have rights to manage mailbox perms; for some reason I thought it didn't.
James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com
June 21st, 2012 9:54am
Hi Frank,
This worked perfectly! Thank you very much, it's exactly what I was trying to accomplish.
Thanks for your reply too James...
Ryan
June 21st, 2012 11:21am