How to set up admins for separate OUs in Exchange 2013, so that each OU's admin can only see the recipients and groups for their particular OU?

Good evening,

Let me first say that I have some experience with Exchange 2013, but I am by far no expert. I have set up Exchange 2013 as a multi-tenancy mail server. Currently we are hosting email for 4 separate companies on a single server. Everything is set up and working great, however we recently found an issue that I am trying to resolve.

We would like to set up one or more users from each OU to serve as admins for their particular OU. Their purpose would be to create/modify recipient mailboxes and distribution groups. The purpose for this is so that someone from each company can log in to the ECP and manage ONLY the recipients and groups for their particular OU, while the other OUs' recipients and groups are not visible to them. We want these admin users to be able to manage recipients within their OU ONLY, without any knowledge of the other OUs.

The problem is when we set up a user as an admin and grant them permissions under the admin role policies, each admin can see ALL of the OUs, ALL of the recipients on the server, and ALL of the distribution groups. Of course, that allows any admin, regardless of which company they are with, to view ALL recipient email addresses, etc. and that is what we are trying to change.

At this point, I don't know how to proceed. I read a similar post in these forums where the only response was to use a third party application to accomplish this, but if that is truly the only solution, which third party app COULD accomplish this?


September 11th, 2015 2:39am


Move different company people to different OU

Create an RBAC role assignment with a recipient read/write scope

https://technet.microsoft.com/en-us/library/dd335146(v=exchg.150).aspx


September 11th, 2015 4:31am


We have 5 different OUs set up, one for each company whose email we host and the fifth for our users. We have separate address book policies, separate global address lists, separate offline address books, etc. If the users log in to ECP they can only see their individual user account information. We as the global admins can see all users, all OUs, etc.

When the non-admin users log in to their account using ECP they can modify only their individual user settings. When we create an admin role for the individual OU admins, however, when those people log in to ECP, they can see all of the other users, all OUs, and all groups. They do not have the ability to edit the other OUs' users or groups as they are greyed out, but they can still see them.

Using the RBAC read/write scope, we can make it so that the admin users cannot edit other OUs' recipients and groups, BUT they are still able to view them and see their contact information.

We are SO CLOSE to finding the solution, but we are just missing this one small piece of the puzzle. If you know of some way to create OU admins who CANNOT see other OU recipients and groups, then I would love to know how.  Is there some aspect of RBAC that I'm missing?

September 11th, 2015 2:19pm

All domain users can be seen by any domain user. I think the only way around this is to deny full control on OUs and all objects in the OU for company 2, 3, 4, 5 to admin for company 1.

Give this a go and see if it helps.

Let me know if it answers your question.

Thanks.

September 11th, 2015 8:02pm

I'm not sure if I'm making myself clear or not here. As I mentioned before, we have 5 OUs on our Exchange 2013 server. There are about 82 standard users, 1 global administrator, and one user set up as an OU admin for each OU.

When the standard users log in to the ECP they can only see their contact information, such as name, password, phone number, etc., which is normal.

When the global administrator logs in, they can see EVERYTHING, that's normal.

The problem is, when the OU admins log in, they can see recipients, groups, and email addresses of users in both their OU as well as in the other OUs. THAT IS THE PROBLEM WE'RE TRYING TO FIX. We want the individual OU admins to ONLY be able to see recipients and groups within their individual OUs. Right now the OU admins can see EVERY user, though they only have view permissions on users outside their particular OU. We're not talking about read/write permissions here, we're looking for a way to prevent OU admins from seeing users in other OUs.

September 11th, 2015 10:59pm

Mark,

Thank you for your assistance, however that is not the issue. Each OU user only has access to their information when they login to the ECP. The users cannot see, access, or edit any other user information or groups, all they can change is their personal information.

The global admins can see, access, and edit everything, which is the way it should be.

The problem is when we set up a user and admin role policies that allow them to access groups in their OU, they are then granted read access to ALL USERS in ALL OUs. They cannot edit user information for users in other OUs, but they can still view the other users' information. The problem is that they can see user information for users that belong to other companies in separate OUs on the same server.

We have isolated the OUs and standard users cannot see any other OU users, HOWEVER, once the OU admins are granted access to edit groups, they can then SEE other OU users. We need to isolate the OU admins so that they CANNOT see anything outside of their OU.

We are trying to setup the OU admins so that they can create and edit recipients and distribution groups within their OU so that the global admin does not have to do everything for them.
September 11th, 2015 11:30pm


Ok, I understand you're using a custom scope to limit the admins to manage only the users in their OU, and this works, but the problem is that they can read information about users in other OUs.

The built-in management roles have implicit read scopes - there's a table in this article: https://technet.microsoft.com/en-us/library/dd335146(v=exchg.150).aspx. It also states "When a predefined relative scope or custom scope is used on a role assignment, the implicit write scope of the role is overridden, and the new scope takes precedence. The implicit read scope of a role can't be overridden and always applies."

Test out recipient filters too:

"If you specify a recipient filter using the RecipientRestrictionFilter parameter, you can use the RecipientRoot parameter to specify an organizational unit (OU) to restrict the filter to. When you specify an OU in the RecipientRoot parameter, the recipient filter attempts to match recipients that reside in that OU only, rather than within the entire implicit read scope." 

Also, if you go through the multi-tenant hosting document from MS (page 16 of https://www.microsoft.com/en-us/download/details.aspx?id=36790), it states that you should use a client that limits the OUs that the user can read. The other option it touches on is modifying permissions on the OUs in AD, so if the above ideas don't work then investigate denying your admin full control on the other OUs, i.e. deny full control for admin for company 1 on OUs for companies 2-5. I know that they can't modify the users in these OUs but denying full control will also deny read.

Let me know if this helps or answers your question.

Thanks.

September 12th, 2015 9:02am
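The scoping and verification steps the answer above refers to, written out as an added Exchange Management Shell example (this is not code from anyone in the thread). It builds a custom recipient scope rooted at one tenant's OU with RecipientRoot and RecipientRestrictionFilter, assigns the built-in recipient roles with that scope as the custom write scope, and then reads back the role's implicit read scope and the resulting assignments so the gap the answer describes can be seen directly. The OU paths, the admin account and the scope/assignment names are placeholders, not values from the thread; the final Get-ADPermission call is read-only and lists existing ACEs on another tenant's OU for review, without changing anything.

```powershell
# Added example (not from the thread): per-tenant RBAC scope plus verification.
# All names below are constructed placeholders; replace with your own values.

$TenantOU      = "contoso.local/Hosted/CompanyA"   # placeholder: this tenant's OU
$OtherTenantOU = "contoso.local/Hosted/CompanyB"   # placeholder: another tenant's OU
$TenantAdmin   = "companya-admin@contoso.local"    # placeholder: the tenant's OU admin
$ScopeName     = "CompanyA Recipients"

# 1. Custom recipient scope. RecipientRoot restricts the filter to the tenant OU,
#    so recipients under other OUs never match the scope.
New-ManagementScope -Name $ScopeName `
    -RecipientRoot $TenantOU `
    -RecipientRestrictionFilter "RecipientTypeDetails -eq 'UserMailbox' -or RecipientTypeDetails -eq 'MailUniversalDistributionGroup'"

# 2. Assign the built-in recipient roles, using the custom scope as the WRITE scope.
#    This is what stops the tenant admin from editing other tenants' objects.
foreach ($Role in "Mail Recipients", "Mail Recipient Creation", "Distribution Groups") {
    New-ManagementRoleAssignment -Name "$Role - CompanyA" `
        -Role $Role `
        -User $TenantAdmin `
        -CustomRecipientWriteScope $ScopeName
}

# 3. Verify. The implicit READ scope of the role is still Organization and cannot
#    be overridden by the custom scope, which is why the tenant admin can still
#    list recipients in other OUs through ECP. RBAC alone does not hide them.
Get-ManagementRole "Mail Recipients" |
    Format-List Name, ImplicitRecipientReadScope, ImplicitRecipientWriteScope

Get-ManagementRoleAssignment -RoleAssignee $TenantAdmin |
    Format-Table Name, Role, RecipientReadScope, RecipientWriteScope, CustomRecipientWriteScope -AutoSize

# 4. Read-only review of the AD permissions the answer mentions as the other option:
#    list any ACEs the tenant admin already holds on another tenant's OU before
#    deciding whether an AD-level change is needed. Nothing is modified here.
Get-ADPermission -Identity $OtherTenantOU -User $TenantAdmin |
    Format-Table User, AccessRights, ExtendedRights, Deny, IsInherited -AutoSize
```

The point of step 3 is that RecipientReadScope in the assignment output stays at the role's implicit value while RecipientWriteScope shows CustomRecipientScope, which matches the behaviour reported in the thread: editing is confined to the tenant OU, reading is not. Any change to OU ACLs (step 4 only lists them) should be tested on a single OU and a test admin account first, since a deny ACE that also covers the admin's own OU would lock them out of the objects they are supposed to manage.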

I appreciate everyone's input on this matter, but I have to admit I don't have as much experience with Exchange as I would like and so I am lost here on what needs to be done. I'm nervous about changing AD permissions for users and groups without a clear understanding of the effects since I cannot afford to make a mistake and cause any email down-time for our clients.

If possible, I would greatly appreciate a little more detailed instruction on what you think I should try to accomplish what needs to be done here.

Right now each OU has one Organization Admin who can only edit their OU's recipients, but they are still able to view recipients in other OUs, though they are unable to edit them. I need to "hide" the other OUs from each OU so that the organization admins have no read/write access to the other OUs.

If someone could point me in the right direction with some instructions, I would greatly appreciate it.
September 14th, 2015 6:51pm
