Limit EAC contacts view with RecipientFilter

Hi,

I've delegated the contact management for a specific OU to a dedicated user group, and permission-wise it works fine (as per the documentation from http://blogs.technet.com/b/rmilne/archive/2013/11/21/creating-rbac-role-to-delegate-editing-contacts.aspx).

One problem I have is that the users can see all contacts from the server and not only the contacts from the OU they manage - I did that already some months ago on another server (if I remember correctly, with the RecipientFilter parameter), but unfortunately the website with that documentation doesn't exist anymore and I forgot to write that command down :(

The "-RecipientOrganizationalUnitScope" just manages the permission where the role group is applied, so the permission is working only in their OU, but I don't want them to see all contacts, not to confuse them (and to keep their list shorter).

Thanks,

Thomas


  • Edited by Thomas-VIE Friday, September 04, 2015 7:02 AM
September 4th, 2015 7:01am

The server is an Exchange 2013 (no DAG or Cluster).

The users will manage the contacts via EAC. What I remember is that I set somewhere a -RecipientFilter or -RecipientRestrictionFilter for the DistinguishedName -Like '*,CN=First-Contacts,CN=MyBusiness,DC=xxx,DC=local', but as mentioned, the website where it was described in detail doesn't exist anymore :(

What i did so far is:

New-ManagementRole -Name First-Core-AD-Contact-Editors-Recipients -Parent "Mail Recipients"
Get-ManagementRoleEntry -Identity First-Core-AD-Contact-Editors-Recipients\* | Where-Object {$_.Name -ne 'Get-MailContact'} | Remove-ManagementRoleEntry
Add-ManagementRoleEntry -Identity "First-Core-AD-Contact-Editors-Recipients\Set-MailContact"
Add-ManagementRoleEntry -Identity "First-Core-AD-Contact-Editors-Recipients\Enable-MailContact"
Add-ManagementRoleEntry -Identity "First-Core-AD-Contact-Editors-Recipients\Disable-MailContact"
Add-ManagementRoleEntry -Identity "First-Core-AD-Contact-Editors-Recipients\Set-Contact"
Add-ManagementRoleEntry -Identity "First-Core-AD-Contact-Editors-Recipients\Get-Contact"
Add-ManagementRoleEntry -Identity "First-Core-AD-Contact-Editors-Recipients\Get-OrganizationalUnit"

New-ManagementRole -Name First-Core-AD-Contact-Editors -Parent "Mail Recipient Creation"
Get-ManagementRoleEntry -Identity First-Core-AD-Contact-Editors\* | Where-Object {$_.Name -ne 'Get-MailContact'} | Remove-ManagementRoleEntry
Add-ManagementRoleEntry -Identity "First-Core-AD-Contact-Editors\New-MailContact"
Add-ManagementRoleEntry -Identity "First-Core-AD-Contact-Editors\Remove-MailContact"
Add-ManagementRoleEntry -Identity "First-Core-AD-Contact-Editors\Get-Recipient"
Add-ManagementRoleEntry -Identity "First-Core-AD-Contact-Editors\Set-Recipient"
Add-ManagementRoleEntry -Identity "First-Core-AD-Contact-Editors\Set-Contact"

New-RoleGroup First-Core-AD-Contact-Editors-Group -Description "First-Core-Contact Creators" -Roles "First-Core-AD-Contact-Editors-Recipients","First-Core-AD-Contact-Editors" -RecipientOrganizationalUnitScope "xxx.local/MyBusiness/First-Contacts"


  • Edited by Thomas-VIE Friday, September 04, 2015 11:27 AM
September 4th, 2015 10:35am
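
To check what the role group created in the post above actually grants, the following added example (not part of the original post or of any project code) reports the read and write scope of each role assignment held by the group and flags role entries outside an allow list. The allow list is assembled from the cmdlets named in the post and the variable names are assumptions; run it in the Exchange Management Shell with rights to view RBAC configuration.

```powershell
# Added example: audit the delegation built in the post above.
# Names are taken from the post; the allow list is an assumption derived from it.
$group = 'First-Core-AD-Contact-Editors-Group'
$roles = 'First-Core-AD-Contact-Editors-Recipients', 'First-Core-AD-Contact-Editors'

# Cmdlets the post intends to delegate.
$expected = 'Get-MailContact', 'Set-MailContact', 'Enable-MailContact', 'Disable-MailContact',
            'New-MailContact', 'Remove-MailContact', 'Get-Contact', 'Set-Contact',
            'Get-Recipient', 'Set-Recipient', 'Get-OrganizationalUnit'

# 1. Scope of every role assignment held by the group.
#    The read scope and the write scope are reported as separate properties,
#    so this shows which of the two -RecipientOrganizationalUnitScope changed.
Get-ManagementRoleAssignment -RoleAssignee $group |
    Format-List Role, RecipientReadScope, RecipientWriteScope, CustomRecipientWriteScope

# 2. Role entries that are present but not in the allow list (least-privilege check).
foreach ($role in $roles) {
    $extra = Get-ManagementRoleEntry -Identity "$role\*" |
        Where-Object { $expected -notcontains $_.Name }

    if ($extra) {
        Write-Warning "$role contains entries outside the allow list:"
        $extra | Select-Object Role, Name
    }
    else {
        Write-Output "$role: only allow-listed cmdlets present"
    }
}

# 3. Accounts that receive these rights through the role group.
Get-RoleGroupMember -Identity $group | Select-Object Name, RecipientType
```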

Hi Thomas,

I have seen this option in Exchange 2010. It could have been there for the Ex2013 initial version and may have been removed now, to support the default multi-forest view.

Steps for EMC in Ex2010:

Please try the following steps to change the EMS Recipient Scope.
1. In the console tree, click Recipient Configuration.
2. In the action pane, click Modify Recipient Scope.
3. In Recipient Scope dialog box
4. Select "View All Recipient in Forest"
5. Put a check on Global catalog
6. Click on Browse and select any preferred GC.
7. Click OK, Apply Settings.
8. Close and reopen the EMC.

Some comments on an article:

Spamhater007 Says:
April 16th, 2015 at 9:43 am

The worst part about EAC is the inability to FILTER recipients, frustrating scrolling thru 4,000 mailboxes.  In 2010 EMC, I could set a filter showing only mailboxes in a specific database or specific OU.  Then quickly export that to a text file.

How to delegate Exchange recipient Admin Role on specific OU

As said, please do post if you happen to fi

September 7th, 2015 2:39am
