Limit EAC contacts view with RecipientFilter

Hi Thomas,

When you say they can see, what is the console you are referring to? What is the cmd or the steps that list all the users?

Please understand that the Domain Users permission is enough to list all the users or contacts in AD. You don't need any special permission to view them. If you have something special that you need to hide, you need to remove the read permission on that object(s), which might give rise to some other issues.

But if the console is EAC or EMS, then RBAC will apply and some restrictions can be made.

To make their list shorter, we need to know what you are using to list them.

September 4th, 2015 6:18am

The server is an Exchange 2013 (no DAG or Cluster).

The users will manage the contacts via EAC. What I remember is that I set somewhere a -RecipientFilter or -RecipientRestrictionFilter for the DistinguishedName -Like '*,CN=First-Contacts,CN=MyBusiness,DC=xxx,DC=local', but as mentioned, the website where it was described in detail doesn't exist anymore :(

What I did so far is:

New-ManagementRole -Name First-Core-AD-Contact-Editors-Recipients -Parent "Mail Recipients"
Get-ManagementRoleEntry -Identity First-Core-AD-Contact-Editors-Recipients\* | Where-Object {$_.Name -ne 'Get-MailContact'} | Remove-ManagementRoleEntry
Add-ManagementRoleEntry -Identity "First-Core-AD-Contact-Editors-Recipients\Set-MailContact"
Add-ManagementRoleEntry -Identity "First-Core-AD-Contact-Editors-Recipients\Enable-MailContact"
Add-ManagementRoleEntry -Identity "First-Core-AD-Contact-Editors-Recipients\Disable-MailContact"
Add-ManagementRoleEntry -Identity "First-Core-AD-Contact-Editors-Recipients\Set-Contact"
Add-ManagementRoleEntry -Identity "First-Core-AD-Contact-Editors-Recipients\Get-Contact"
Add-ManagementRoleEntry -Identity "First-Core-AD-Contact-Editors-Recipients\Get-OrganizationalUnit"

New-ManagementRole -Name First-Core-AD-Contact-Editors -Parent "Mail Recipient Creation"
Get-ManagementRoleEntry -Identity First-Core-AD-Contact-Editors\* | Where-Object {$_.Name -ne 'Get-MailContact'} | Remove-ManagementRoleEntry
Add-ManagementRoleEntry -Identity "First-Core-AD-Contact-Editors\New-MailContact"
Add-ManagementRoleEntry -Identity "First-Core-AD-Contact-Editors\Remove-MailContact"
Add-ManagementRoleEntry -Identity "First-Core-AD-Contact-Editors\Get-Recipient"
Add-ManagementRoleEntry -Identity "First-Core-AD-Contact-Editors\Set-Recipient"
Add-ManagementRoleEntry -Identity "First-Core-AD-Contact-Editors\Set-Contact"

New-RoleGroup First-Core-AD-Contact-Editors-Group -Description "First-Core-Contact Creators" -Roles "First-Core-AD-Contact-Editors-Recipients","First-Core-AD-Contact-Editors" -RecipientOrganizationalUnitScope "xxx.local/MyBusiness/First-Contacts"


September 4th, 2015 6:36am
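As an added check (this is not part of the thread, just something a reviewer of the setup above would run), the following EMS snippet audits what the role group really gets: the read scope that comes implicitly from the role definition, the write scope on each assignment, and which assignments are allowed to write a given contact. The role and group names are the ones from the post; the two contact addresses are constructed placeholders.

```powershell
# Added example, not from the thread: audit the effective RBAC scopes of the
# role group created above. Replace the two contact addresses with real ones.
$roleGroup = 'First-Core-AD-Contact-Editors-Group'
$roles     = 'First-Core-AD-Contact-Editors-Recipients', 'First-Core-AD-Contact-Editors'

# 1. The read scope is implicit in the role definition (inherited from the
#    parent role) and is reported separately from the implicit write scope.
foreach ($r in $roles) {
    Get-ManagementRole -Identity $r |
        Format-List Name, Parent, ImplicitRecipientReadScope, ImplicitRecipientWriteScope
}

# 2. Per assignment: compare RecipientReadScope with RecipientWriteScope.
#    Only the write scope is narrowed by -RecipientOrganizationalUnitScope;
#    the OU itself shows up in CustomRecipientWriteScope.
Get-ManagementRoleAssignment -RoleAssignee $roleGroup |
    Format-Table Role, RecipientReadScope, RecipientWriteScope, CustomRecipientWriteScope -AutoSize

# 3. Which assignments of this group can write a given contact? Run it once
#    for a contact inside the managed OU and once for one outside it, so the
#    write boundary is verified on real objects rather than assumed.
foreach ($contact in 'inside.contact@example.local', 'outside.contact@example.local') {
    "--- assignments of $roleGroup able to write $contact ---"
    Get-ManagementRoleAssignment -WritableRecipient $contact |
        Where-Object { $_.RoleAssigneeName -eq $roleGroup } |
        Format-Table Role, RecipientWriteScope, CustomRecipientWriteScope -AutoSize
}

# 4. Who is actually in the group (membership is what grants the roles).
Get-RoleGroupMember -Identity $roleGroup
```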

Hi,

I've delegated the contact management for a specific OU to a dedicated user group, and permission-wise it works fine (as per the documentation from http://blogs.technet.com/b/rmilne/archive/2013/11/21/creating-rbac-role-to-delegate-editing-contacts.aspx).

One problem I have is that the users can see all contacts from the server and not only the contacts from the OU they manage. I did that already some months ago on another server (if I remember correctly, with the RecipientFilter parameter), but unfortunately the website with that documentation doesn't exist anymore and I forgot to write that command down :(

The "-RecipientOrganizationalUnitScope" just manages the permission where the role is Group is applied so the permission is working only in their OU but i don't want them to see all contacts not to confuse them (and to keep their list shorter).

Thanks,

Thomas


  • Edited by Thomas-VIE Friday, September 04, 2015 7:02 AM
September 4th, 2015 7:01am

Hi Thomas,

Thanks for the details. Check if you can find what you were saying in the article below.

Understanding management role scopes - Recipient Filter

https://technet.microsoft.com/en-us/library/dd335146(v=exchg.150).aspx

I know that if you add a set of users to an Exclusive scope, then those users are accessible only to the role groups having explicit access to them.

Similar threads:

RBAC permission and view recipient based on scope:

https://social.technet.microsoft.com/Forums/exchange/en-US/73624372-8652-4fa4-a036-6559dbbc7d1e/rbac-permission-and-view-recipient-based-on-scope

This one talks about a similar thing as well.

Create Recipient Filter Scopes:

http://i3.help.outlook.com/en-au/140/Ff852813.aspx

New-ManagementScope -Name "Washington Engineering" -RecipientRestrictionFilter {(RecipientType -eq 'UserMailbox') -and (StateOrProvince -eq 'WA') -and (Department -like 'Engineer*')}
September 4th, 2015 8:40am
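As an added example (not from the thread or the linked article), here is the filter-scope pattern above adapted to the First-Contacts OU, bound to a role group through a custom write scope, followed by the commands that show what the scope did and did not change. The scope and group names are assumed; the DN suffix is the one Thomas quotes.

```powershell
# Added example, not from the thread: a filter-based write scope instead of
# -RecipientOrganizationalUnitScope, plus the checks that show its effect.
$scopeName = 'First-Contacts Write Scope'          # assumed name
$groupName = 'First-Core-AD-Contact-Editors-Filtered'  # assumed name
$roles     = 'First-Core-AD-Contact-Editors-Recipients', 'First-Core-AD-Contact-Editors'

# OPATH filter: mail contacts whose DN ends in the First-Contacts container.
# The suffix is the one quoted in the thread; use OU= instead of CN= if
# First-Contacts is an organizational unit rather than a container.
New-ManagementScope -Name $scopeName -RecipientRestrictionFilter {
    (RecipientType -eq 'MailContact') -and
    (DistinguishedName -like '*,CN=First-Contacts,CN=MyBusiness,DC=xxx,DC=local')
}

# Confirm the stored filter before binding it to anything.
Get-ManagementScope -Identity $scopeName |
    Format-List Name, RecipientFilter, RecipientRoot, Exclusive

# Bind the roles to a role group whose write scope is the filter scope.
New-RoleGroup -Name $groupName -Roles $roles -CustomRecipientWriteScope $scopeName

# What changed: RecipientWriteScope now reports the custom scope.
# What did not: RecipientReadScope still comes from the role's implicit
# read scope, which is why the EAC list is not filtered by this.
Get-ManagementRoleAssignment -RoleAssignee $groupName |
    Format-Table Role, RecipientReadScope, RecipientWriteScope, CustomRecipientWriteScope -AutoSize

# Boundary check on a real object outside the filter (placeholder address):
# any assignment of $groupName listed here means the filter is too broad.
Get-ManagementRoleAssignment -WritableRecipient 'outside.contact@example.local' |
    Where-Object { $_.RoleAssigneeName -eq $groupName } |
    Format-Table Role, RecipientWriteScope, CustomRecipientWriteScope -AutoSize
```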

Hi Satyajit,

The problem with RBAC ManagementScopes is that they only set permissions for change / create / delete of e.g. contacts or mailboxes, but you cannot hide contacts from other OUs with them.

I tried with

New-ManagementScope -Name "RUAXX Core Contact Scope" -RecipientRestrictionFilter {(RecipientType -eq 'Mailcontact') -AND (DistinguishedName -Like '*,CN=First-Contacts,CN=MyBusiness,DC=xxx,DC=local')}

but this also just limits the write scope.

On the server where it's working there is no "Management Scope" in place, so it must have worked differently. The last link (the outlook.com one) doesn't work; it brings an SSL error (bad certificate), which might be a temporary issue on the server.

Regards,

Thomas

September 4th, 2015 9:47am


Hi Thomas,

Sorry for the bad link, it happens to work only in IE. Anyway, I don't think the content would work either.

My subsequent testing and findings give the same result, ultimately pointing to "The implicit read scope of a role can't be overridden and always applies."

You can't change the read scope on a role group.

Default built-in management role implicit scopes:

Management role: View-Only Recipients
Recipient read scope: Organization


EAC or EMS can't be used to achieve what you are looking for; the solution might be using an EWS application with a custom rule to block\scope as per OU or write scope.

You can hide the recipients by removing the 'View-Only Recipients' role, but you can't modify objects that can't be seen by the scope. Hence it defeats the purpose.


Understanding management role scopes - Implicit scopes (last paragraph):

https://technet.microsoft.com/en-us/library/dd335146%28v=exchg.150%29.aspx


exchange-2013-rbac-read-scope:

https://social.technet.microsoft.com/forums/exchange/en-US/a063a190-89a4-4611-aa8d-772ab5a832f7/exchange-2013-rbac-read-scope



September 4th, 2015 10:39am

Hi Satyajit,

It's the same I find anywhere: that it's not possible to change the read scope. I just know I was able to filter this view somehow 3 months ago on an Exchange 2013 server; there the user can only see via EAC the contacts in a specific OU and no other contacts.

I was just too stupid to write the syntax down somewhere and just bookmarked the link, which is no longer working :(

I'll continue to search whether it's maybe also documented somewhere else and will post the solution here too; I think it's helpful for others too :)

September 4th, 2015 10:54am
