Hi Deepak,
Sorry for the delay!
As far as I know, a Journal Rule can only be created at the global level for all users (at the database level it would be a Journal mailbox, not a Journal Rule); we can't create a Journal Rule at the site level.
So what do you mean by having one Journal Rule for each site, and how did you configure this?
Once this is clarified, we can check whether it can be done based on the requirement.
Here I suppose your configuration can be done; then we can configure the scope like this:
- First create a scope for each site:
New-ManagementScope -Name "Redmond Site Scope" -ServerRestrictionFilter {ServerSite -eq "CN=Redmond,CN=Sites,CN=Configuration,DC=contoso,DC=com"}
This example creates the Redmond Site Scope scope and sets a server restriction filter that matches only the servers located in the "CN=Redmond,CN=Sites,CN=Configuration,DC=contoso,DC=com" (it's a site's distinguished name) Active Directory Domain Services (AD DS) site. Since the customer has 10 sites, the customer will need to create 10 scopes, one for each site separately.
- By default, only the Journaling role has the ability to modify the Journal Rules, so we can check which user/group the role is associated with:
Get-ManagementRoleAssignment -Role Journaling
- We will then know the current group which has the permission to modify all the Journal Rules; remove all the assignments:
Get-ManagementRoleAssignment -Role Journaling | Remove-ManagementRoleAssignment
- Create a new Management Role Assignment to associate the role with your admin, combined with the new scope we use:
New-ManagementRoleAssignment -Name "assignment1" -Role "Journaling" -User admin_account -CustomConfigWriteScope "Redmond Site Scope"
Thus the admin account has the Journaling-related permission to modify only the Journal Rules that reside in the scope we specified: the site scope we created. Please repeat the steps for all your site scopes for the 10 admins, so they can only modify the Journal Rule within their own site.
Regarding the customer's second question, it should be the same method: use the new scope, find the role which can modify the ActiveSync policy / OAB / Send Connector, then create the new Management Role Assignment for their admins.
Please refer to the articles below for the above commands:
New-ManagementScope
https://technet.microsoft.com/en-us/library/dd335137%28v=exchg.150%29.aspx?f=255&MSPPError=-2147217396
New-ManagementRoleAssignment
https://technet.microsoft.com/en-us/library/dd335193(v=exchg.150).aspx
Best regards,
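
The scope and assignment steps from the reply above, scripted for several sites, as an added example that is not part of the original post. The second site name, the admin account names and the CSV file name are constructed placeholders; the removal step from the post is deliberately left out so that the final table shows which Journaling assignments are still organization-wide.

```powershell
# Added example: run in the Exchange Management Shell.
# Site names other than Redmond and all admin account names are placeholders.
$sites = @(
    @{ Name = 'Redmond'; Admin = 'redmond_admin' },
    @{ Name = 'SiteB';   Admin = 'siteb_admin' }    # hypothetical second site
)
$sitesContainer = 'CN=Sites,CN=Configuration,DC=contoso,DC=com'

# Record the existing Journaling assignments before anything changes,
# so they can be recreated if the change has to be rolled back.
Get-ManagementRoleAssignment -Role Journaling |
    Select-Object Name, RoleAssigneeName, ConfigWriteScope, CustomConfigWriteScope |
    Export-Csv -Path .\journaling-assignments-before.csv -NoTypeInformation

foreach ($site in $sites) {
    $scopeName = "$($site.Name) Site Scope"
    $siteDn    = "CN=$($site.Name),$sitesContainer"

    # One server-restriction scope per AD site (skipped if it already exists).
    if (-not (Get-ManagementScope -Identity $scopeName -ErrorAction SilentlyContinue)) {
        New-ManagementScope -Name $scopeName `
            -ServerRestrictionFilter "ServerSite -eq '$siteDn'"
    }

    # Journaling role for that site's admin, limited to the site scope.
    New-ManagementRoleAssignment -Name "Journaling-$($site.Name)" `
        -Role 'Journaling' -User $site.Admin `
        -CustomConfigWriteScope $scopeName
}

# Audit: every Journaling assignment with its write scope. Rows without a
# CustomConfigWriteScope are not restricted to a site scope.
Get-ManagementRoleAssignment -Role Journaling |
    Sort-Object RoleAssigneeName |
    Format-Table Name, RoleAssigneeName, ConfigWriteScope, CustomConfigWriteScope -AutoSize
```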