Exchange 2013 - RBAC Read Scope

Hi folks,

I've created a Role Group that will allow me to give a colleague admin access to a specific subset of recipients, defined by OU.  This all worked as expected until I realised that the admin could see ALL recipients in the organisation.

After spending some time looking into the reasons why, it appears that this is defined by the "ImplicitRecipientReadScope" field in the Management Role and as this is set to "Organization", it cannot be changed.

I've tried a few things, like creating a Management Role using "MyDistributionGroups" as the parent role.  The thinking behind this was that its "ImplicitRecipientReadScope" is set to "MyGAL", which would have worked well for me as all users I need that admin to...administer are part of the same custom GAL.

When trying to create a Role Group based on the above though, I received the following error:

"WARNING: The  database management scope won't be applied to the role assignment for the management role because this role has an implicit scope MyDistributionGroups that's smaller than the specified scope."

Does anyone know if there is a way to do what I require here?  It sounds like it should be possible and a little more straightforward than this.

Thanks in advance for any assistance.

May 27th, 2013 4:18pm

Did you assign the roles to the new (original) role group using the OU scope? If so, it should work. From the topic: Understanding Management Role Scopes - Custom Scopes

OU scope: An OU scope, which is the simplest custom scope, is created using the RecipientOrganizationalUnitScope parameter on the New-ManagementRoleAssignment cmdlet. By specifying an OU scope when a role is assigned, the role assignee assigned the role can modify only recipient objects within that OU. For more information about how to add a management role assignment with an OU scope, see Add a Role to a User or USG.

May 28th, 2013 10:39pm

Hi Chris,

Yes, everything was created from scratch and works perfectly as far as Write Scope is concerned; the issue is around the Read Scope as it's implicit from the Management Role.  Not sure there is much I can do about it, hoping someone pulls a rabbit out of a hat though :)

Thanks for the advice

May 29th, 2013 7:49am

Hi

If a role is assigned to a role assignee and no predefined or custom scopes are specified, the implicit scopes defined on the role are used to control the recipient or organization objects the user can view or modify.

The implicit write scope of a role is always equal to, or less than, the implicit read scope. This means that a role can never modify objects that can't be seen by the scope.

You can't change the implicit scopes defined on management roles. You can, however, override the implicit write scope and configuration scope on a management role. When a predefined relative scope or custom scope is used on a role assignment, the implicit write scope of the role is overridden, and the new scope takes precedence. The implicit read scope of a role can't be overridden and always applies.

June 4th, 2013 2:39am
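As an added example (not from any post in this thread), here is the Exchange 2013 Management Shell sequence for the OU-scoped assignment Chris describes, followed by the checks that make the implicit read scope from the reply above visible. The OU, role group and admin names are constructed placeholders.

```powershell
# Added example, not from the thread. Names below are constructed placeholders.
$ouScope   = 'contoso.com/Tenants/TenantA'   # assumed tenant OU
$groupName = 'TenantA Recipient Admins'      # assumed role group name
$admin     = 'tenant.admin@contoso.com'      # assumed delegated admin

# 1. Role group whose role assignments carry an OU write scope.
New-RoleGroup -Name $groupName `
              -Roles 'Mail Recipients','Distribution Groups' `
              -Members $admin `
              -RecipientOrganizationalUnitScope $ouScope

# 2. The roles themselves: the implicit read scope is fixed on the role and
#    stays 'Organization' no matter what scope the assignment uses.
Get-ManagementRole 'Mail Recipients','Distribution Groups' |
    Format-List Name, ImplicitRecipientReadScope, ImplicitRecipientWriteScope

# 3. The assignments: write scope is now the OU, read scope is still
#    'Organization' (RecipientReadScope cannot be overridden).
Get-ManagementRoleAssignment -RoleAssignee $groupName |
    Format-Table Role, RecipientReadScope, RecipientWriteScope,
                 RecipientOrganizationalUnitScope -AutoSize

# 4. Run this part in a shell opened as $admin. Mailboxes grouped by OU:
#    any OU other than $ouScope appearing here is the behaviour the thread
#    describes, i.e. the delegated admin can read recipients it cannot modify.
Get-Mailbox -ResultSize Unlimited |
    Group-Object OrganizationalUnit |
    Select-Object Name, Count
```

Step 4 is the practical audit: keep it in a runbook so a tenant admin's read visibility is verified, not assumed, whenever an OU-scoped role group is created.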

How have you reached your goal?

I'm trying to do the same ...

December 12th, 2013 11:26am

Hi Rootiks,

Not long after posting my last update, the requirement changed so we no longer needed a solution to this.

I came to the conclusion that what I was trying to do wouldn't have been possible anyway, I would love to be corrected here though :)

Apologies I can't be more help.

Best regards and good luck,

Fixx

December 12th, 2013 12:23pm

But I still have the requirement and need an answer :(

I'm trying to set up a multi-tenant Exchange installation and want to allow a Tenant_admin to only READ and WRITE in his scope (which is an OU in AD).

At the moment it is no problem to set the write permissions. But the Tenant_admin sees all other mailboxes hosted on the server.

What's the solution for this?

March 12th, 2015 1:03pm

Hello,

I have exactly the same requirement. I just want the distribution group admins to see only the distribution groups in a specific OU. Unfortunately they can see all groups (and memberships..) in read-only mode.

March 18th, 2015 2:12am