Exchange 2010 Restrict Admins to manage mailboxes of one domain
Hi,
I need help to restrict a group of admins to only administer mailboxes of their domain, not of the whole organisation (default).
I created a new management-scope with:
New-ManagementScope -Name "Subdomain Mailboxes" -RecipientRestrictionFilter { RecipientType -eq 'UserMailbox' } -RecipientRoot "sub.domain.com"
I copied the Role Group "Recipient Administrators", renamed it and set the scope to the newly created management scope, but the admins are still able to administer all mailboxes. What am I doing wrong??
Best regards
hkillerm
October 25th, 2010 6:59am
Hi Hkillerm,
Do you run Exchange 2010 RTM or SP1?
The Admins manage mailboxes using EMC or ECP?
Please run the cmdlet Get-ManagementScope "Subdomain Mailboxes" | fl *recipient* and post the results here.
"I copied the Role Group "Recipient Administrators" renamed it and set the scope to the new created Managementscope"
How did you copy the Role Group?
Please create the new Role Group as follows:
New-RoleGroup -Name "Subdomain Recipient Administrators" -Roles "Distribution Groups","Mail Enabled Public Folders","Mail recipient creation","Mail recipients","message tracking","migration","move mailboxes","recipient policies" -CustomRecipientWriteScope
"Subdomain Mailboxes"
Frank Wang
October 25th, 2010 11:33pm
Hi Frank,
thank you for your post. Here is the result of "Get-ManagementScope":
RecipientRoot : sub.domain.com
RecipientFilter : RecipientType -eq 'UserMailbox'
When I try to create the Role Group I get following error message:
Das übergeordnete Objekt von Subdomain Recipient Administrators wurde nicht gefunden. Stellen Sie sicher, dass rootdomain.com/Microsoft Exchange Security Groups vorhanden ist.
+ CategoryInfo : NotSpecified: (:) [New-RoleGroup], TaskException
+ FullyQualifiedErrorId : 3D3557D9,Microsoft.Exchange.Management.RbacTasks.NewRoleGroup
Translation:
The superior Object of Subdomain Recipient Administrators could not be found. Make sure that "rootdomain/Microsoft Exchange Security Groups" exists.
I hope that you understand my translation, and of course the "Microsoft Exchange Security Groups" container exists in the root domain.
Best regards
hkillerm
October 26th, 2010 4:00am
Hi hkillerm,
Could you please create a simple Role Group to test, e.g.
New-RoleGroup -Name test -Roles "mail recipients"
More information:
Create a Role Group
http://technet.microsoft.com/en-us/library/dd638209(EXCHG.140).aspx
Frank Wang
October 26th, 2010 4:49am
Hi Frank,
same error:
Das übergeordnete Objekt von test wurde nicht gefunden. Stellen Sie sicher, dass rootdomain.com/Microsoft Exchange Security Groups vorhanden ist.
+ CategoryInfo : NotSpecified: (:) [New-RoleGroup], TaskException
+ FullyQualifiedErrorId : 113BC310,Microsoft.Exchange.Management.RbacTasks.NewRoleGroup
Best regards
hkillerm
October 26th, 2010 4:59am
Hi hkillerm,
Do you open the EMS from the Exchange 2010 of child domain?
If yes, please run the following cmdlet before running the New-RoleGroup:
Set-ADServerSettings -ViewEntireForest $True
Frank Wang
October 26th, 2010 11:13pm
Hi Frank,
yes, the Exchange 2010 is in the child domain. Here is the result from Get-RoleGroup. As you can see, there is your Role Group "test" and mine, "HFF Recipient Management":
ndows\system32>Get-RoleGroup
Name                      AssignedRoles                  RoleAssignments                 ManagedBy
----                      -------------                  ---------------                 ---------
HFF Recipient Management  {Distribution Groups, Mail...  {Distribution Groups-HFF R...   {domain.com...
test                      {Mail Recipients}              {Mail Recipients-test}          {domain.com...
Best regards
hkillerm
October 27th, 2010 2:06am
Hi hkillerm,
So you can create a new Role Group now?
I guess you created the Role Group "HFF Recipient Management" with -CustomRecipientWriteScope "Subdomain Mailboxes". Can the members of HFF Recipient Management only manage mailboxes of their domain now?
Frank Wang
October 27th, 2010 2:47am
Hi Frank,
this was never a problem. I could create the Role Group "HFF Recipient Management" from the beginning, as I copied the Role Group "Recipient Administrators" and renamed it (please look at my first post). I also could create the scopes:
Name           ScopeRestrictionType  Exclusive  RecipientRoot        RecipientFilter      ServerFilter
----           --------------------  ---------  -------------        ---------------      ------------
HFF Mailboxes  RecipientScope        False      hff.neundoerfer.loc  RecipientType -e...
HFF Users      RecipientScope        False                           MemberOfGroup -e...
Now, in the web interface of the Exchange 2010 SP1, I changed the scope of the copied Role Group "HFF Recipient Management" from default to "HFF Mailboxes", and second to "HFF Users", but in both attempts members of this Role Group could administer all mailboxes, even outside of the scopes!!!!
This is the result of Get-RoleGroup | fl for "HFF Recipient Management". Where can I see the scope of this Role Group??
RunspaceId : 68454b4e-2c6f-4a1a-af7e-5bea29d95f8d
ManagedBy : {domain.com/Microsoft Exchange Security Groups/Organization Management, hff.neundoerfer.com/HiFi-Forum/Benutzer/Administratoren/Administrator}
RoleAssignments : {Distribution Groups-HFF Recipient Management, Mail Recipient Creation-HFF Recipient Management, Mail Recipients-HFF Recipient Management, Message Tracking-HFF Recipient Management, Migration-HFF Recipient Management, Recipient Policies-HFF Recipient Management}
Roles : {Distribution Groups, Mail Recipient Creation, Mail Recipients, Message Tracking, Migration, Recipient Policies}
DisplayName :
ExternalDirectoryObjectId :
Members : {hff.domain.com/HiFi-Forum/Benutzer/Administratoren/hffadmin}
SamAccountName : HFF Recipient Management
Description : Members of this management role group have rights to create, manage, and remove Exchange recipient objects of the HFF Users.
RoleGroupType : Standard
LinkedGroup :
Capabilities : {}
LinkedPartnerGroupId :
LinkedPartnerOrganizationId :
IsValid : True
ExchangeVersion : 0.10 (14.0.100.0)
Name : HFF Recipient Management
DistinguishedName : CN=HFF Recipient Management,OU=Microsoft Exchange Security Groups,DC=domain,DC=com
Identity : domain.com/Microsoft Exchange Security Groups/HFF Recipient Management
Guid : 2eff45eb-06be-4331-9329-366a27a6bb70
ObjectCategory : domain.com/Configuration/Schema/Group
ObjectClass : {top, group}
WhenChanged : 25.10.2010 16:06:16
WhenCreated : 25.10.2010 12:01:55
WhenChangedUTC : 25.10.2010 14:06:16
WhenCreatedUTC : 25.10.2010 10:01:55
OrganizationId :
OriginatingServer : DC2.domain.com
Best regards
Hkillerm
October 27th, 2010 3:43am
Hi Hkillerm,
You should run Get-ManagementRoleAssignment to see the scope, e.g.:
Get-ManagementRoleAssignment "Distribution Groups-HFF Recipient Management" | fl
You can find the Role Assignments from
RoleAssignments : {Distribution Groups-HFF Recipient Management, Mail Recipient Creation-HFF Recipient Management, Mail Recipients-HFF Recipient Management, Message Tracking-HFF Recipient Management, Migration-HFF Recipient Management, Recipient Policies-HFF Recipient Management}
I would suggest you also use EMS to create a new Role Group to test, as I said.
Or the cmdlets in the following article:
Copy a Role Group
http://technet.microsoft.com/en-us/library/ff769964.aspx
Frank Wang
October 27th, 2010 4:47am
Hi Frank,
this is the result:
RunspaceId : 68454b4e-2c6f-4a1a-af7e-5bea29d95f8d
User : domain.com/Microsoft Exchange Security Groups/HFF Recipient Management
AssignmentMethod : Direct
Identity : Distribution Groups-HFF Recipient Management
EffectiveUserName : Alle Gruppenmitglieder
AssignmentChain :
RoleAssigneeType : RoleGroup
RoleAssignee : domain.com/Microsoft Exchange Security Groups/HFF Recipient Management
Role : Distribution Groups
RoleAssignmentDelegationType : Regular
CustomRecipientWriteScope : HFF Users
CustomConfigWriteScope :
RecipientReadScope : Organization
ConfigReadScope : OrganizationConfig
RecipientWriteScope : CustomRecipientScope
ConfigWriteScope : OrganizationConfig
Enabled : True
RoleAssigneeName : HFF Recipient Management
IsValid : True
ExchangeVersion : 0.11 (14.0.550.0)
Name : Distribution Groups-HFF Recipient Management
DistinguishedName : CN=Distribution Groups-HFF Recipient Management,CN=Role Assignments,CN=RBAC,CN=Name,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domain,DC=com
Guid : 2737c2e7-14f1-4117-8c58-b01a592b6491
ObjectCategory : domain.com/Configuration/Schema/ms-Exch-Role-Assignment
ObjectClass : {top, msExchRoleAssignment}
WhenChanged : 25.10.2010 15:34:42
WhenCreated : 25.10.2010 12:01:55
WhenChangedUTC : 25.10.2010 13:34:42
WhenCreatedUTC : 25.10.2010 10:01:55
OrganizationId :
OriginatingServer : DC1.subdomain.domain.com
As you see, CustomRecipientWriteScope is "HFF Users"!!!
Result of "HFF Users":
RunspaceId : 2b8ccf92-4144-4402-b2fc-7214d482f2e7
RecipientRoot :
RecipientFilter : MemberOfGroup -eq 'CN=Domänen-Benutzer,CN=Users,DC=subdomain,DC=domain,DC=com'
ServerFilter :
DatabaseFilter :
TenantOrganizationFilter :
ScopeRestrictionType : RecipientScope
Exclusive : False
AdminDisplayName :
ExchangeVersion : 1.10 (14.1.90.0)
Name : HFF Users
DistinguishedName : CN=HFF Users,CN=Scopes,CN=RBAC,CN=Name,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domain,DC=com
Identity : HFF Users
Guid : 8af85bf0-abfc-4ee8-992f-8befedbb13d1
ObjectCategory : domain.com/Configuration/Schema/ms-Exch-Scope
ObjectClass : {top, msExchScope}
WhenChanged : 25.10.2010 15:32:16
WhenCreated : 25.10.2010 15:32:01
WhenChangedUTC : 25.10.2010 13:32:16
WhenCreatedUTC : 25.10.2010 13:32:01
OrganizationId :
OriginatingServer : DC1.subdomain.domain.com
IsValid : True
But members of "HFF Recipient Management" are still able to administer all mailboxes, not only the ones of the subdomain????????????????
What am I doing wrong??
Best regards and many thanks!!!!
hkillerm
October 27th, 2010 5:35am
Hi hkillerm,
You can find the Result of "HFF Users":
RecipientRoot :
And the RecipientRoot of "Subdomain Mailboxes" should be sub.domain.com
Frank Wang
October 27th, 2010 6:02am
Hi Frank,
thank you for your reply.
I am trying to find out what to do to change the RecipientRoot from blank to sub.subdomain.com.
Best regards
hkillerm
October 27th, 2010 8:03am
Hi Frank,
I modified the management scope to:
RunspaceId : 44e1c4a5-bc89-476b-bd89-a9580f542ce6
RecipientRoot : hff.neundoerfer.loc
RecipientFilter : MemberOfGroup -eq 'CN=Domänen-Benutzer,CN=Users,DC=hff,DC=neundoerfer,DC=loc'
ServerFilter :
DatabaseFilter :
TenantOrganizationFilter :
ScopeRestrictionType : RecipientScope
Exclusive : False
AdminDisplayName :
but the members are still able to administer all mailboxes?????????????
Best regards
hkillerm
October 27th, 2010 8:38am
Hi hkillerm,
I would still suggest you delete the problematic Role Group and scope, then create them in EMS again:
1, New-ManagementScope -Name "Subdomain Mailboxes" -RecipientRestrictionFilter { RecipientType -eq 'UserMailbox' } -RecipientRoot "sub.domain.com"
2, New-RoleGroup -Name "Subdomain Recipient Administrators" -Roles "Distribution Groups","Mail Enabled Public Folders","Mail recipient creation","Mail recipients","message tracking","migration","move mailboxes","recipient policies" -CustomRecipientWriteScope
"Subdomain Mailboxes"
Frank Wang
October 28th, 2010 2:05am
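The procedure Frank describes, followed by the check a practitioner would want before handing the group to anyone: ask RBAC which of the group's assignments can write to a mailbox inside and outside the scope root. This is an added example written for this page, not code from the thread or from Microsoft; the scope and group names, the reduced role list and the two sample mailbox addresses are assumptions.

```powershell
# Added example (not from the thread): create the scope and role group from the steps
# above, then verify the effective write scope instead of trusting the EMC display.
# Assumed names: scope "Subdomain Mailboxes", group "Subdomain Recipient Administrators",
# sample mailboxes rootuser@domain.com (root domain) and subuser@sub.domain.com (in scope).

# EMS started in the child domain only sees that domain by default; widen the view first
# (this is the setting Frank recommended earlier in the thread).
Set-ADServerSettings -ViewEntireForest $true

$scopeName = "Subdomain Mailboxes"
$groupName = "Subdomain Recipient Administrators"

New-ManagementScope -Name $scopeName `
    -RecipientRestrictionFilter { RecipientType -eq 'UserMailbox' } `
    -RecipientRoot "sub.domain.com"

New-RoleGroup -Name $groupName `
    -Roles "Mail Recipients","Mail Recipient Creation","Distribution Groups" `
    -CustomRecipientWriteScope $scopeName

# Check 1: every assignment the group holds must carry the custom write scope.
$assignments = Get-ManagementRoleAssignment -RoleAssignee $groupName
$assignments | Format-Table Role, RecipientWriteScope, CustomRecipientWriteScope -AutoSize

$unscoped = @($assignments | Where-Object { $_.CustomRecipientWriteScope -ne $scopeName })
if ($unscoped.Count -gt 0) {
    Write-Warning ("Assignments without the custom scope: " + (($unscoped | ForEach-Object { $_.Name }) -join ', '))
}

# Check 2: let RBAC answer "which of this group's assignments may write to this mailbox?".
# The root-domain mailbox should yield zero assignments; the in-scope mailbox should not.
foreach ($mbx in "rootuser@domain.com", "subuser@sub.domain.com") {   # assumed sample mailboxes
    $canWrite = @(Get-ManagementRoleAssignment -RoleAssignee $groupName -WritableRecipient $mbx)
    "{0,-26} writable by {1} assignment(s)" -f $mbx, $canWrite.Count
}
```

Check 2 is the one that matters: RBAC evaluates the recipient filter and the RecipientRoot together, so a scope whose RecipientRoot is blank (as in the "HFF Users" output above) legitimately matches objects across the forest, and the -WritableRecipient query exposes that before an admin does.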
Hi Frank,
thank you for your post.
I did both successfully: deleted all my created Role Groups and management scopes and created new ones with other names using your cmdlets, but in vain. The members of the new Role Group are still able to administer all mailboxes and, worst of all, grant themselves "Full Access" to all mailboxes. Can you imagine what I hear from the administrators of the root domain mailboxes!!!
Thanks very much for your support!!!!
Hkillerm
October 28th, 2010 2:48am
Hi Hkillerm,
Those IT guys who can manage all mailboxes are root domain administrators?
Did you check the permissions of the child domain's administrator?
Frank Wang
October 28th, 2010 3:30am
Hi Frank,
these guys are subdomain administrators. I have checked their rights really often!
When I remove them from the newly created Role Group they cannot do anything with the mailboxes. When they try to open the properties of a (root or subdomain) mailbox, they only see the locks but no entries. So they have no other permission in the Exchange organisation.
Only when I put them into the new Role Group are they able to administer mailboxes from the sub and root domain. ;-(
By the way, the root domain mailboxes are hosted on an Exchange 2007 server in the root domain. May that be an RBAC bug in mixed organisations?
Best regards
hkillerm
October 28th, 2010 4:39am
Hi,
I finally opened a case with MS Support. Right now they have no solution. I will post the solution as soon as there is one.
Is there anyone else out there with the same problem?
Best regards
hkillerm
November 17th, 2010 3:06am
Hi hkillerm,
I have a similar problem, except that I am trying to apply the restrictions to an OU instead of a domain. I would be most curious if MS provides you with a solution.
Best Regards,
Alan
November 23rd, 2010 10:20am
Hi,
after a lot of investigation with MS Support we have found the following problem:
In our organisation (Exchange 2007 in the root domain and Exchange 2010 in the subdomain) RBAC is working as expected, except for the cmdlet "Add-MailboxPermission"!
No matter which scope we create, the members of the assigned role group are able to use this cmdlet on mailboxes beyond these scopes!!!
This means that the members of that role group, for example, are able to grant other people full access not only to mailboxes within their scope but to all mailboxes!!!
MS Support confirmed this behaviour in their test environment and told me to escalate this problem.
I will post the solution as soon as available.
Best regards
hkillerm
November 26th, 2010 4:06am
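Until a fix is in place, the defensive control for the behaviour hkillerm describes is detection: Exchange 2010 SP1 records every cmdlet run through RBAC in the admin audit log, so out-of-scope Add-MailboxPermission calls by the scoped group's members can be found after the fact. The script below is an added example written for this page, not code from the thread or from Microsoft. It assumes admin audit logging is enabled, the group and scope-root names shown, and that the log's Caller and ObjectModified fields are canonical names of the form "domain.com/OU/Object", so a prefix test on the scope root separates in-scope from out-of-scope mailboxes.

```powershell
# Added example (not from the thread): find Add-MailboxPermission calls made by members of
# the scoped role group against mailboxes that are NOT under the scope's RecipientRoot.
# Assumptions: Exchange 2010 SP1+ with admin audit logging on (Set-AdminAuditLogConfig),
# the names below, and canonical-name formatting of Caller / ObjectModified.
$groupName = "Subdomain Recipient Administrators"
$scopeRoot = "sub.domain.com"     # RecipientRoot of the management scope

# Canonical names of the scoped admins, to match against the audit log's Caller field.
$members = @(Get-RoleGroupMember $groupName | ForEach-Object { $_.Identity.ToString() })

$entries = Search-AdminAuditLog -Cmdlets Add-MailboxPermission `
    -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) -ResultSize 5000

$findings = @($entries | Where-Object {
    $_.Succeeded -and
    ($members -contains $_.Caller) -and
    ($_.ObjectModified -notlike "$scopeRoot/*")     # mailbox outside the scope root
} | ForEach-Object {
    New-Object PSObject -Property @{
        When       = $_.RunDate
        Caller     = $_.Caller
        Mailbox    = $_.ObjectModified
        Parameters = (($_.CmdletParameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join ' ')
    }
})

if ($findings.Count -gt 0) {
    Write-Warning "Out-of-scope Add-MailboxPermission calls by members of '$groupName': $($findings.Count)"
    $findings | Format-Table When, Caller, Mailbox, Parameters -AutoSize -Wrap
} else {
    "No out-of-scope Add-MailboxPermission calls by '$groupName' members in the last 30 days."
}
```

Run it from a scheduled task on a server in the root domain and alert on a non-empty result; the Parameters column shows the -User and -AccessRights values that were granted, which is what the root-domain mailbox owners will want to see when the grant is reverted.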
Thanks for your post.
MS Support told me that Update Rollup 3 does not contain the corresponding fix, as it still causes some other problems.
Did you check it out by yourself?
Best regards
hkillerm
March 25th, 2011 5:40am
Hi,
May I know if this issue has been resolved in Exchange 2010 SP2 RU2?
Also, is there an official KB for this issue?
For your advice please.
May 11th, 2012 1:21am
I am also interested in knowing if this is resolved in SP2.
Thanks
July 4th, 2012 4:26pm