Exchange 2010 Restrict Admins to manage mailboxes of one domain
Hi, I need help to restrict a group of admins to only administer mailboxes of their domain, not of the whole organisation (the default). I created a new management scope with:

New-ManagementScope -Name "Subdomain Mailboxes" -RecipientRestrictionFilter { RecipientType -eq 'UserMailbox' } -RecipientRoot "sub.domain.com"

I copied the role group "Recipient Administrators", renamed it and set the scope to the newly created management scope, but the admins are still able to administer all mailboxes. What am I doing wrong? Best regards, hkillerm
October 25th, 2010 7:06am

Hi Hkillerm, Do you run Exchange 2010 RTM or SP1? Do the admins manage mailboxes using EMC or ECP? Please run the cmdlet

Get-ManagementScope "Subdomain Mailboxes" | fl *recipient*

and post the results here. "I copied the Role Group "Recipient Administrators" renamed it and set the scope to the new created Managementscope" How did you copy the role group? Please create the new role group as follows:

New-RoleGroup -Name "Subdomain Recipient Administrators" -Roles "Distribution Groups","Mail Enabled Public Folders","Mail recipient creation","Mail recipients","message tracking","migration","move mailboxes","recipient policies" -CustomRecipientWriteScope "Subdomain Mailboxes"

Frank Wang
October 25th, 2010 11:35pm

Hi Frank, thank you for your post. Here is the result of Get-ManagementScope:

RecipientRoot : sub.domain.com
RecipientFilter : RecipientType -eq 'UserMailbox'

When I try to create the role group I get the following error message (originally in German, translated):

The parent object of Subdomain Recipient Administrators was not found. Make sure that rootdomain.com/Microsoft Exchange Security Groups exists.
+ CategoryInfo : NotSpecified: (:) [New-RoleGroup], TaskException
+ FullyQualifiedErrorId : 3D3557D9,Microsoft.Exchange.Management.RbacTasks.NewRoleGroup

I hope that you understand my translation, and of course the "Microsoft Exchange Security Groups" container exists in the root domain. Best regards, hkillerm
October 26th, 2010 4:02am

Hi hkillerm, Could you please create a simple role group to test, e.g.

New-RoleGroup -Name test -Roles "mail recipients"

More information: Create a Role Group http://technet.microsoft.com/en-us/library/dd638209(EXCHG.140).aspx

Frank Wang
October 26th, 2010 4:51am

Hi Frank, same error (translated from German):

The parent object of test was not found. Make sure that rootdomain.com/Microsoft Exchange Security Groups exists.
+ CategoryInfo : NotSpecified: (:) [New-RoleGroup], TaskException
+ FullyQualifiedErrorId : 113BC310,Microsoft.Exchange.Management.RbacTasks.NewRoleGroup

Best regards, hkillerm
October 26th, 2010 5:01am

Hi hkillerm, Do you open the EMS on the Exchange 2010 server in the child domain? If yes, please run the following cmdlet before running New-RoleGroup:

Set-ADServerSettings -ViewEntireForest $True

Frank Wang
October 26th, 2010 11:17pm

Hi Frank, yes, the Exchange 2010 server is in the child domain. Here is the result of Get-RoleGroup. As you can see, there is your role group "test" and mine, "HFF Recipient Management":

ndows\system32>Get-RoleGroup

Name                      AssignedRoles                  RoleAssignments                ManagedBy
----                      -------------                  ---------------                ---------
HFF Recipient Management  {Distribution Groups, Mail...  {Distribution Groups-HFF R...  {domain.com...
test                      {Mail Recipients}              {Mail Recipients-test}         {domain.com...

Best regards, hkillerm
October 27th, 2010 2:11am

Hi hkillerm, So you can create a new role group now? I guess you created the role group "HFF Recipient Management" with -CustomRecipientWriteScope "Subdomain Mailboxes"; can the members of HFF Recipient Management only manage mailboxes of their domain now? Frank Wang
October 27th, 2010 2:52am

Hi Frank, this was never a problem. I could create the role group "HFF Recipient Management" from the beginning, as I copied the role group "Recipient Administrators" and renamed it (please look at my first post). I could also create the scopes:

Name           ScopeRestrictionType  Exclusive  RecipientRoot        RecipientFilter     ServerFilter
----           --------------------  ---------  -------------        ---------------     ------------
HFF Mailboxes  RecipientScope        False      hff.neundoerfer.loc  RecipientType -e...
HFF Users      RecipientScope        False                           MemberOfGroup -e...

Now, in the web interface of Exchange 2010 SP1, I changed the scope of the copied role group "HFF Recipient Management" from default to "HFF Mailboxes", and in a second attempt to "HFF Users", but in both attempts members of this role group could administer all mailboxes, even outside of the scopes! This is the result of Get-RoleGroup | fl for "HFF Recipient Management". Where can I see the scope of this role group?

RunspaceId : 68454b4e-2c6f-4a1a-af7e-5bea29d95f8d
ManagedBy : {domain.com/Microsoft Exchange Security Groups/Organization Management, hff.neundoerfer.com/HiFi-Forum/Benutzer/Administratoren/Administrator}
RoleAssignments : {Distribution Groups-HFF Recipient Management, Mail Recipient Creation-HFF Recipient Management, Mail Recipients-HFF Recipient Management, Message Tracking-HFF Recipient Management, Migration-HFF Recipient Management, Recipient Policies-HFF Recipient Management}
Roles : {Distribution Groups, Mail Recipient Creation, Mail Recipients, Message Tracking, Migration, Recipient Policies}
DisplayName :
ExternalDirectoryObjectId :
Members : {hff.domain.com/HiFi-Forum/Benutzer/Administratoren/hffadmin}
SamAccountName : HFF Recipient Management
Description : Members of this management role group have rights to create, manage, and remove Exchange recipient objects of the HFF Users.
RoleGroupType : Standard
LinkedGroup :
Capabilities : {}
LinkedPartnerGroupId :
LinkedPartnerOrganizationId :
IsValid : True
ExchangeVersion : 0.10 (14.0.100.0)
Name : HFF Recipient Management
DistinguishedName : CN=HFF Recipient Management,OU=Microsoft Exchange Security Groups,DC=domain,DC=com
Identity : domain.com/Microsoft Exchange Security Groups/HFF Recipient Management
Guid : 2eff45eb-06be-4331-9329-366a27a6bb70
ObjectCategory : domain.com/Configuration/Schema/Group
ObjectClass : {top, group}
WhenChanged : 25.10.2010 16:06:16
WhenCreated : 25.10.2010 12:01:55
WhenChangedUTC : 25.10.2010 14:06:16
WhenCreatedUTC : 25.10.2010 10:01:55
OrganizationId :
OriginatingServer : DC2.domain.com

Best regards, Hkillerm
October 27th, 2010 3:48am

Hi Hkillerm, You should run Get-ManagementRoleAssignment to see the scope, e.g.:

Get-ManagementRoleAssignment "Distribution Groups-HFF Recipient Management" | fl

You can find the role assignments in

RoleAssignments : {Distribution Groups-HFF Recipient Management, Mail Recipient Creation-HFF Recipient Management, Mail Recipients-HFF Recipient Management, Message Tracking-HFF Recipient Management, Migration-HFF Recipient Management, Recipient Policies-HFF Recipient Management}

I would suggest you also use EMS to create a new role group, as I said, to test. Or the cmdlets in the following article: Copy a Role Group http://technet.microsoft.com/en-us/library/ff769964.aspx

Frank Wang
October 27th, 2010 4:52am

Hi Frank, this is the result:

RunspaceId : 68454b4e-2c6f-4a1a-af7e-5bea29d95f8d
User : domain.com/Microsoft Exchange Security Groups/HFF Recipient Management
AssignmentMethod : Direct
Identity : Distribution Groups-HFF Recipient Management
EffectiveUserName : All group members
AssignmentChain :
RoleAssigneeType : RoleGroup
RoleAssignee : domain.com/Microsoft Exchange Security Groups/HFF Recipient Management
Role : Distribution Groups
RoleAssignmentDelegationType : Regular
CustomRecipientWriteScope : HFF Users
CustomConfigWriteScope :
RecipientReadScope : Organization
ConfigReadScope : OrganizationConfig
RecipientWriteScope : CustomRecipientScope
ConfigWriteScope : OrganizationConfig
Enabled : True
RoleAssigneeName : HFF Recipient Management
IsValid : True
ExchangeVersion : 0.11 (14.0.550.0)
Name : Distribution Groups-HFF Recipient Management
DistinguishedName : CN=Distribution Groups-HFF Recipient Management,CN=Role Assignments,CN=RBAC,CN=Name,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domain,DC=com
Guid : 2737c2e7-14f1-4117-8c58-b01a592b6491
ObjectCategory : domain.com/Configuration/Schema/ms-Exch-Role-Assignment
ObjectClass : {top, msExchRoleAssignment}
WhenChanged : 25.10.2010 15:34:42
WhenCreated : 25.10.2010 12:01:55
WhenChangedUTC : 25.10.2010 13:34:42
WhenCreatedUTC : 25.10.2010 10:01:55
OrganizationId :
OriginatingServer : DC1.subdomain.domain.com

As you see, CustomRecipientWriteScope is "HFF Users"!

Result of "HFF Users":

RunspaceId : 2b8ccf92-4144-4402-b2fc-7214d482f2e7
RecipientRoot :
RecipientFilter : MemberOfGroup -eq 'CN=Domänen-Benutzer,CN=Users,DC=subdomain,DC=domain,DC=com'
ServerFilter :
DatabaseFilter :
TenantOrganizationFilter :
ScopeRestrictionType : RecipientScope
Exclusive : False
AdminDisplayName :
ExchangeVersion : 1.10 (14.1.90.0)
Name : HFF Users
DistinguishedName : CN=HFF Users,CN=Scopes,CN=RBAC,CN=Name,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domain,DC=com
Identity : HFF Users
Guid : 8af85bf0-abfc-4ee8-992f-8befedbb13d1
ObjectCategory : domain.com/Configuration/Schema/ms-Exch-Scope
ObjectClass : {top, msExchScope}
WhenChanged : 25.10.2010 15:32:16
WhenCreated : 25.10.2010 15:32:01
WhenChangedUTC : 25.10.2010 13:32:16
WhenCreatedUTC : 25.10.2010 13:32:01
OrganizationId :
OriginatingServer : DC1.subdomain.domain.com
IsValid : True

But members of "HFF Recipient Management" are still able to administer all mailboxes, not only the ones of the subdomain! What am I doing wrong? Best regards and many thanks! hkillerm
October 27th, 2010 5:40am

Hi hkillerm, In the result of "HFF Users" you can see: RecipientRoot : (blank). And the RecipientRoot of "Subdomain Mailboxes" should be sub.domain.com. Frank Wang
October 27th, 2010 6:07am

Hi Frank, thank you for your reply. I am trying to find out what to do to get the RecipientRoot from blank to sub.subdomain.com. Best regards, hkillerm
October 27th, 2010 8:09am

Hi Frank, I modified the management scope to:

RunspaceId : 44e1c4a5-bc89-476b-bd89-a9580f542ce6
RecipientRoot : hff.neundoerfer.loc
RecipientFilter : MemberOfGroup -eq 'CN=Domänen-Benutzer,CN=Users,DC=hff,DC=neundoerfer,DC=loc'
ServerFilter :
DatabaseFilter :
TenantOrganizationFilter :
ScopeRestrictionType : RecipientScope
Exclusive : False
AdminDisplayName :

but the members are still able to administer all mailboxes! Best regards, hkillerm
October 27th, 2010 8:43am

Hi hkillerm, I would still suggest you delete the problematic role group and scope, then create them in EMS again:

1. New-ManagementScope -Name "Subdomain Mailboxes" -RecipientRestrictionFilter { RecipientType -eq 'UserMailbox' } -RecipientRoot "sub.domain.com"
2. New-RoleGroup -Name "Subdomain Recipient Administrators" -Roles "Distribution Groups","Mail Enabled Public Folders","Mail recipient creation","Mail recipients","message tracking","migration","move mailboxes","recipient policies" -CustomRecipientWriteScope "Subdomain Mailboxes"

Frank Wang
October 28th, 2010 2:09am
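The procedure Frank gives in this post and in his first reply, together with the Get-ManagementRoleAssignment check he recommended earlier, as one added PowerShell example (not from the thread). It creates the scope and the role group from the EMS in the child domain, then reads the write scope back from the role assignments, which is where RBAC stores it (Get-RoleGroup | fl never shows it), and it flags a blank RecipientRoot. The scope name, group name, recipient root and the idempotency checks are assumptions.

```powershell
# Added example, not from the thread. Run in the Exchange Management Shell
# on the Exchange 2010 server in the child domain. All names are assumptions.
Set-ADServerSettings -ViewEntireForest $true   # required when the EMS runs in a child domain

$scopeName     = 'Subdomain Mailboxes'
$groupName     = 'Subdomain Recipient Administrators'
$recipientRoot = 'sub.domain.com'              # domain or OU the admins may write to

# 1. Recipient write scope: user mailboxes under the child-domain root only.
if (-not (Get-ManagementScope -Identity $scopeName -ErrorAction SilentlyContinue)) {
    New-ManagementScope -Name $scopeName `
        -RecipientRestrictionFilter { RecipientType -eq 'UserMailbox' } `
        -RecipientRoot $recipientRoot
}

# 2. Role group; every role assignment it gets carries the custom write scope.
$roles = 'Distribution Groups', 'Mail Enabled Public Folders', 'Mail Recipient Creation',
         'Mail Recipients', 'Message Tracking', 'Migration', 'Move Mailboxes', 'Recipient Policies'
if (-not (Get-RoleGroup -Identity $groupName -ErrorAction SilentlyContinue)) {
    New-RoleGroup -Name $groupName -Roles $roles -CustomRecipientWriteScope $scopeName
}

# 3. Verify on the assignments, not on the group object. Each assignment must show
#    RecipientWriteScope = CustomRecipientScope and CustomRecipientWriteScope = $scopeName.
$assignments = Get-ManagementRoleAssignment -RoleAssignee $groupName
$assignments | Format-Table Name, Role, RecipientWriteScope, CustomRecipientWriteScope -AutoSize

$unscoped = $assignments | Where-Object { $_.CustomRecipientWriteScope -ne $scopeName }
if ($unscoped) {
    Write-Warning 'Assignments without the custom write scope:'
    $unscoped | ForEach-Object { Write-Warning ('  ' + $_.Name) }
    # Re-scope them in place; a group edited through the web UI can end up like this.
    $unscoped | Set-ManagementRoleAssignment -CustomRecipientWriteScope $scopeName
}

# 4. A blank RecipientRoot makes the filter apply to the whole organisation,
#    which is what happened with the "HFF Users" scope earlier in the thread.
$scope = Get-ManagementScope -Identity $scopeName
$scope | Format-List Name, RecipientRoot, RecipientFilter, Exclusive
if (-not $scope.RecipientRoot) {
    Write-Warning "$scopeName has no RecipientRoot; set one with Set-ManagementScope -RecipientRoot"
}
```

Step 3 is the check hkillerm was missing: the role group itself only lists RoleAssignments, and the write scope is a property of each assignment, so a group whose assignments still say RecipientWriteScope : Organization is unscoped no matter what the group's description says.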

Hi Frank, thank you for your post. I did both successfully: deleted all my created role groups and management scopes and created new ones with other names using your cmdlets, but in vain; the members of the new role group are still able to administer all mailboxes and, worse, grant themselves "Full Access" to all mailboxes. Can you imagine what I hear from the administrators of the root domain mailboxes! Thanks very much for your support! Hkillerm
October 28th, 2010 2:53am

Hi Hkillerm, Are those IT guys who can manage all mailboxes the root domain's administrators? Did you check the permissions of the child domain's administrator? Frank Wang
October 28th, 2010 3:35am

Hi Frank, these guys are subdomain administrators. I have checked their rights really often! When I remove them from the newly created role group they cannot do anything with the mailboxes. When they try to open the properties of a (root or subdomain) mailbox, they only see the locks but no entries. So they have no other permission on the Exchange organisation. Only when I put them into the new role group are they able to administer mailboxes from the sub and root domain. ;-( By the way, the root domain mailboxes are hosted on an Exchange 2007 server in the root domain. May that be an RBAC bug in mixed organisations? Best regards, hkillerm
October 28th, 2010 6:46am

Hi, I finally opened a case with MS Support. Right now they have no solution. I will post the solution as soon as there is one. Is there anyone else out there with the same problem? Best regards, hkillerm
November 17th, 2010 3:11am

Hi hkillerm, I have a similar problem, except that I am trying to apply the restrictions to an OU instead of a domain. I would be most curious if MS provides you with a solution. Best Regards, Alan
November 23rd, 2010 10:23am

Hi, after a lot of investigation with MS Support we have found the following problem: in our organisation (Exchange 2007 in the root domain and Exchange 2010 in the subdomain) RBAC is working as expected, except for the cmdlet Add-MailboxPermission! No matter which scope we create, the members of the assigned role group are able to use this cmdlet on mailboxes beyond these scopes! This means that the members of that role group are, for example, able to grant other people full access not only to mailboxes within their scope but also to all mailboxes! MS Support confirmed this behaviour in their test environment and told me to escalate this problem. I will post the solution as soon as it is available. Best regards, hkillerm
November 26th, 2010 4:11am
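The bypass hkillerm and MS Support describe in the post above, as an added PowerShell example that is not part of the thread. Part A runs from a scoped admin's remote session: Set-Mailbox against an out-of-scope mailbox is the control case that should be denied, Add-MailboxPermission against the same mailbox is the reported leak, and a grant that does go through is revoked at once. Part B runs as Organization Management and lists every explicit Full Access grant on mailboxes outside the child domain, which is the compensating check until a fix is installed. The credential, connection URI, mailbox address and DN suffix are assumptions.

```powershell
# Added example, not from the thread; names, URL and DN suffix are assumptions.
# Part A runs as a member of the scoped role group, Part B as Organization Management.

# ---------- Part A: probe the write scope from the scoped admin's own session ----------
$cred    = Get-Credential 'SUB\hffadmin'                     # scoped admin, assumed name
$session = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri 'http://ex2010.sub.domain.com/PowerShell/' `
    -Authentication Kerberos -Credential $cred
Import-PSSession $session -DisableNameChecking | Out-Null

$outScope = 'ceo@domain.com'   # root-domain mailbox on Exchange 2007, outside the scope; assumed

# Control case: a scoped write cmdlet must refuse an out-of-scope object,
# usually with "... couldn't be found on ...".
try {
    Set-Mailbox -Identity $outScope -CustomAttribute15 'rbac-probe' -ErrorAction Stop
    Write-Warning "Set-Mailbox succeeded on $outScope - write scope not enforced at all"
    Set-Mailbox -Identity $outScope -CustomAttribute15 $null     # undo the probe
} catch {
    "Set-Mailbox on $outScope denied as expected: $($_.Exception.Message)"
}

# The defect reported in this thread: Add-MailboxPermission is not bound by the scope.
try {
    Add-MailboxPermission -Identity $outScope -User $cred.UserName `
        -AccessRights FullAccess -ErrorAction Stop | Out-Null
    Write-Warning "Add-MailboxPermission succeeded on $outScope - recipient write scope bypassed"
    # Revoke the probe grant at once; if this is denied, an org admin must remove it.
    Remove-MailboxPermission -Identity $outScope -User $cred.UserName `
        -AccessRights FullAccess -Confirm:$false
} catch {
    "Add-MailboxPermission on $outScope denied as expected"
}
Remove-PSSession $session

# ---------- Part B: audit as Organization Management ----------
# Explicit (non-inherited) Full Access grants on mailboxes outside the child domain
# are what the bypass leaves behind; list them for review and revocation.
Set-ADServerSettings -ViewEntireForest $true
$scopeDnSuffix = ',DC=sub,DC=domain,DC=com'                   # child-domain DN suffix, assumed

Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.DistinguishedName -notlike "*$scopeDnSuffix" } |
    Get-MailboxPermission |
    Where-Object {
        -not $_.IsInherited -and
        -not $_.Deny -and
        $_.AccessRights -contains 'FullAccess' -and
        $_.User -notlike 'NT AUTHORITY\*' -and
        $_.User -notlike 'S-1-5-*'
    } |
    Select-Object Identity, User, AccessRights |
    Export-Csv -Path '.\fullaccess-outside-child-domain.csv' -NoTypeInformation
```

Run Part A only against a mailbox whose owner has agreed to the test; even though the grant is revoked immediately, it is a real Full Access entry for a moment. The control case matters: if Set-Mailbox is denied and Add-MailboxPermission succeeds, the scope is configured correctly and the cmdlet is the problem, which is what MS Support reproduced.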

This is a bug in Exchange 2010 SP1; please install Update Rollup 3 for Exchange Server 2010 Service Pack 1 to fix this problem.

A RBAC role assignee can unexpectedly change permissions of mailboxes that are outside the role assignment scope in an Exchange Server 2010 environment
http://support.microsoft.com/kb/2410571

Description of Update Rollup 3 for Exchange Server 2010 Service Pack 1
http://support.microsoft.com/kb/2492690

I hope this solves your issue. Regards, Fazal Muhammad Khan | MCT, MCSE, MCSA, MCTS | Consultant, Technology Services | CTTC Pvt Ltd | https://fazalmkhan.spaces.live.com | OFFICE: +92 21 111 111 500 Ext: 1402 | +5 GMT
March 22nd, 2011 8:18am

Thanks for your post. MS Support told me that Update Rollup 3 does not contain the fix in question, as it still causes some other problems. Did you check it yourself? Best regards, hkillerm
March 25th, 2011 12:40pm

