Problems with RBAC scopes
Hi, I have created a custom role and used "Mail Recipients" as the parent role. I have assigned a write scope for this role to "domain.internal/office1/Users", and everything works fine: people assigned this role can manage users and set "Manage Full Access Permissions". The problem is that the same admin group that has been assigned the custom "Mail Recipients" role can also modify "Manage Full Access Permissions" outside the scope, for example on users under "domain.internal/office2/Users" or "domain.internal/office3/Users". That is not my intention, and that is why I assigned a specific write scope for the custom "Mail Recipients" role. Can anyone help with why my write scope doesn't apply? Does this have something to do with the transition from Exchange 2007? We are using one Exchange 2010 SP1 server (transitioned from Exchange 2007) in a single-domain environment.

Regicide
March 2nd, 2011 6:48pm

Hi Regicide, "people assigned this role", "the same admin group": did you assign the custom role to the user or to a role group? Are the permissions of the people as expected (people can only manage the users in office1)? Please run the following cmdlets and post the results here.

Get-ManagementRoleAssignment -RoleAssignee "people"
Get-ManagementRoleAssignment -Role "custom role name" | fl
Get-ManagementScope "write scope" | fl
March 4th, 2011 12:08pm
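A way to turn the three cmdlets above into a repeatable check, as an added example that is not part of the thread: for one delegated admin, ask RBAC which of that admin's assignments cover each probe mailbox, and flag any mailbox outside the intended OU for which an assignment still shows up. The admin name, the OU and the probe mailboxes are placeholders. Note the limit of a static check like this: it reports what the scope evaluation computes, so a cmdlet that writes without consulting the scope at all would not be caught here.

```powershell
# Added example, not from the thread. Written for the Exchange 2010 Management
# Shell (PowerShell 2.0), so no PS3-only syntax is used.
# Assumed names: the admin, the allowed OU and the probe mailboxes are placeholders.
$Admin     = 'aadam4'
$AllowedOU = 'domain.internal/office1/Users'
$Probes    = @('office1.user', 'office2.user', 'office3.user')   # one in scope, two outside

$report = foreach ($name in $Probes) {
    $mbx = Get-Mailbox -Identity $name -ErrorAction Stop
    $ou  = [string]$mbx.OrganizationalUnit     # canonical form, e.g. domain.internal/office1/Users
    $inScope = ($ou -eq $AllowedOU) -or ($ou -like "$AllowedOU/*")

    # -WritableRecipient returns only assignments whose recipient write scope
    # covers this mailbox; -GetEffectiveUsers expands role-group membership so
    # the admin is listed under EffectiveUserName even when assigned via a group.
    $grants = @(Get-ManagementRoleAssignment -WritableRecipient $name -GetEffectiveUsers |
                Where-Object { $_.EffectiveUserName -eq $Admin })

    # Summarise each granting assignment with the scope it relies on.
    $scopes = foreach ($g in $grants) {
        if ($g.CustomRecipientWriteScope) { "$($g.Name) [$($g.CustomRecipientWriteScope)]" }
        else                              { "$($g.Name) [$($g.RecipientWriteScope)]" }
    }

    New-Object PSObject -Property @{
        Mailbox     = $name
        OU          = $ou
        InAllowedOU = $inScope
        Assignments = ($scopes -join '; ')
        # True when RBAC itself says the admin may write a mailbox outside the allowed OU.
        Unexpected  = ((-not $inScope) -and ($grants.Count -gt 0))
    }
}

$report | Select-Object Mailbox, OU, InAllowedOU, Assignments, Unexpected | Format-Table -AutoSize
# Rows here are scope mistakes in the assignments themselves (e.g. a second
# assignment with a wider scope), which is the first thing to rule out.
$report | Where-Object { $_.Unexpected }
```

If the out-of-scope rows come back empty but the admin can still change Full Access on those mailboxes, the scope definitions are not the problem and the cmdlet's own enforcement is the next thing to test from the delegate's session.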

Hi Frank,

Get-ManagementRoleAssignment -RoleAssignee "people"
Get-ManagementRoleAssignment -RoleAssignee "aadam4" | fl

RunspaceId                   : b7a8ff20-fd78-47ff-a8a1-28877e499484
User                         : congrex.internal/Congrex Group/Users/Admins/aadam4
AssignmentMethod             : Direct
Identity                     : Public_Folders_MailRecipientsAssigment
EffectiveUserName            : aadam4
AssignmentChain              :
RoleAssigneeType             : User
RoleAssignee                 : congrex.internal/Congrex Group/Users/Admins/aadam4
Role                         : Public_Folders_MailRecipients
RoleAssignmentDelegationType : Regular
CustomRecipientWriteScope    : Public_Folders_MailRecipients_Scope
CustomConfigWriteScope       :
RecipientReadScope           : Organization
ConfigReadScope              : OrganizationConfig
RecipientWriteScope          : CustomRecipientScope
ConfigWriteScope             : OrganizationConfig
Enabled                      : True
RoleAssigneeName             : aadam4
IsValid                      : True
ExchangeVersion              : 0.11 (14.0.550.0)
Name                         : Public_Folders_MailRecipientsAssigment
DistinguishedName            : CN=Public_Folders_MailRecipientsAssigment,CN=Role Assignments,CN=RBAC,CN=Congrex Group,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=congrex,DC=internal
Guid                         : 9b078c20-a35c-4875-b376-ec16b4d87174
ObjectCategory               : congrex.internal/Configuration/Schema/ms-Exch-Role-Assignment
ObjectClass                  : {top, msExchRoleAssignment}
WhenChanged                  : 3/1/2011 3:13:08 PM
WhenCreated                  : 3/1/2011 3:13:08 PM
WhenChangedUTC               : 3/1/2011 2:13:08 PM
WhenCreatedUTC               : 3/1/2011 2:13:08 PM
OrganizationId               :
OriginatingServer            : CEN-SV-DC-02.congrex.internal

RunspaceId                   : b7a8ff20-fd78-47ff-a8a1-28877e499484
User                         : congrex.internal/Congrex Group/Users/Admins/aadam4
AssignmentMethod             : RoleGroup
Identity                     : Public_Folders_MailRecipients-ITAMs_Public_Folder_Managment
EffectiveUserName            : All Group Members
AssignmentChain              :
RoleAssigneeType             : RoleGroup
RoleAssignee                 : congrex.internal/Microsoft Exchange Security Groups/ITAMs_Public_Folder_Managment
Role                         : Public_Folders_MailRecipients
RoleAssignmentDelegationType : Regular
CustomRecipientWriteScope    : congrex.internal/Congrex Group/Users_Projects
CustomConfigWriteScope       :
RecipientReadScope           : Organization
ConfigReadScope              : OrganizationConfig
RecipientWriteScope          : OU
ConfigWriteScope             : OrganizationConfig
Enabled                      : True
RoleAssigneeName             : ITAMs_Public_Folder_Managment
IsValid                      : True
ExchangeVersion              : 0.11 (14.0.550.0)
Name                         : Public_Folders_MailRecipients-ITAMs_Public_Folder_Managment
DistinguishedName            : CN=Public_Folders_MailRecipients-ITAMs_Public_Folder_Managment,CN=Role Assignments,CN=RBAC,CN=Congrex Group,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=congrex,DC=internal
Guid                         : 37ab6d85-d712-4a78-a06f-e8249b4755d7
ObjectCategory               : congrex.internal/Configuration/Schema/ms-Exch-Role-Assignment
ObjectClass                  : {top, msExchRoleAssignment}
WhenChanged                  : 3/1/2011 12:22:53 PM
WhenCreated                  : 3/1/2011 12:22:38 PM
WhenChangedUTC               : 3/1/2011 11:22:53 AM
WhenCreatedUTC               : 3/1/2011 11:22:38 AM
OrganizationId               :
OriginatingServer            : CEN-SV-DC-02.congrex.internal

Get-ManagementRoleAssignment -Role "custom role name" | fl
Get-ManagementRoleAssignment -Role "Public_Folders_MailRecipients" | fl

RunspaceId                   : b7a8ff20-fd78-47ff-a8a1-28877e499484
User                         : congrex.internal/Microsoft Exchange Security Groups/ITAMs_Public_Folder_Managment
AssignmentMethod             : Direct
Identity                     : Public_Folders_MailRecipients-ITAMs_Public_Folder_Managment
EffectiveUserName            : All Group Members
AssignmentChain              :
RoleAssigneeType             : RoleGroup
RoleAssignee                 : congrex.internal/Microsoft Exchange Security Groups/ITAMs_Public_Folder_Managment
Role                         : Public_Folders_MailRecipients
RoleAssignmentDelegationType : Regular
CustomRecipientWriteScope    : congrex.internal/Congrex Group/Users_Projects
CustomConfigWriteScope       :
RecipientReadScope           : Organization
ConfigReadScope              : OrganizationConfig
RecipientWriteScope          : OU
ConfigWriteScope             : OrganizationConfig
Enabled                      : True
RoleAssigneeName             : ITAMs_Public_Folder_Managment
IsValid                      : True
ExchangeVersion              : 0.11 (14.0.550.0)
Name                         : Public_Folders_MailRecipients-ITAMs_Public_Folder_Managment
DistinguishedName            : CN=Public_Folders_MailRecipients-ITAMs_Public_Folder_Managment,CN=Role Assignments,CN=RBAC,CN=Congrex Group,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=congrex,DC=internal
Guid                         : 37ab6d85-d712-4a78-a06f-e8249b4755d7
ObjectCategory               : congrex.internal/Configuration/Schema/ms-Exch-Role-Assignment
ObjectClass                  : {top, msExchRoleAssignment}
WhenChanged                  : 3/1/2011 12:22:53 PM
WhenCreated                  : 3/1/2011 12:22:38 PM
WhenChangedUTC               : 3/1/2011 11:22:53 AM
WhenCreatedUTC               : 3/1/2011 11:22:38 AM
OrganizationId               :
OriginatingServer            : CEN-SV-DC-02.congrex.internal

RunspaceId                   : b7a8ff20-fd78-47ff-a8a1-28877e499484
User                         : congrex.internal/Congrex Group/Users/Admins/aadam4
AssignmentMethod             : Direct
Identity                     : Public_Folders_MailRecipientsAssigment
EffectiveUserName            : aadam4
AssignmentChain              :
RoleAssigneeType             : User
RoleAssignee                 : congrex.internal/Congrex Group/Users/Admins/aadam4
Role                         : Public_Folders_MailRecipients
RoleAssignmentDelegationType : Regular
CustomRecipientWriteScope    : Public_Folders_MailRecipients_Scope
CustomConfigWriteScope       :
RecipientReadScope           : Organization
ConfigReadScope              : OrganizationConfig
RecipientWriteScope          : CustomRecipientScope
ConfigWriteScope             : OrganizationConfig
Enabled                      : True
RoleAssigneeName             : aadam4
IsValid                      : True
ExchangeVersion              : 0.11 (14.0.550.0)
Name                         : Public_Folders_MailRecipientsAssigment
DistinguishedName            : CN=Public_Folders_MailRecipientsAssigment,CN=Role Assignments,CN=RBAC,CN=Congrex Group,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=congrex,DC=internal
Guid                         : 9b078c20-a35c-4875-b376-ec16b4d87174
ObjectCategory               : congrex.internal/Configuration/Schema/ms-Exch-Role-Assignment
ObjectClass                  : {top, msExchRoleAssignment}
WhenChanged                  : 3/1/2011 3:13:08 PM
WhenCreated                  : 3/1/2011 3:13:08 PM
WhenChangedUTC               : 3/1/2011 2:13:08 PM
WhenCreatedUTC               : 3/1/2011 2:13:08 PM
OrganizationId               :
OriginatingServer            : CEN-SV-DC-02.congrex.internal

Get-ManagementScope "write scope" | fl
Get-ManagementScope | fl

RunspaceId               : b7a8ff20-fd78-47ff-a8a1-28877e499484
RecipientRoot            : congrex.internal/Congrex Group/Users_Projects
RecipientFilter          : RecipientType -eq 'UserMailbox'
ServerFilter             :
DatabaseFilter           :
TenantOrganizationFilter :
ScopeRestrictionType     : RecipientScope
Exclusive                : False
AdminDisplayName         :
ExchangeVersion          : 1.10 (14.1.90.0)
Name                     : Public_Folders_MailRecipients_Scope
DistinguishedName        : CN=Public_Folders_MailRecipients_Scope,CN=Scopes,CN=RBAC,CN=Congrex Group,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=congrex,DC=internal
Identity                 : Public_Folders_MailRecipients_Scope
Guid                     : 7b0e704d-6dc9-4ded-a41c-cf353f405c85
ObjectCategory           : congrex.internal/Configuration/Schema/ms-Exch-Scope
ObjectClass              : {top, msExchScope}
WhenChanged              : 3/1/2011 3:12:20 PM
WhenCreated              : 3/1/2011 3:12:20 PM
WhenChangedUTC           : 3/1/2011 2:12:20 PM
WhenCreatedUTC           : 3/1/2011 2:12:20 PM
OrganizationId           :
OriginatingServer        : CEN-SV-DC-02.congrex.internal
IsValid                  : True

Regicide
March 4th, 2011 1:37pm

Hi Regicide, according to your output, there seems to be no issue. You assigned the Public_Folders_MailRecipients role to aadam4 directly with a custom scope, and to the ITAMs_Public_Folder_Managment role group with an OU scope. From your posted question, I guess aadam4 can manage users correctly, but the role group cannot, right? Since aadam4 is also a member of the role group, I would suggest you remove the direct assignment to narrow down the issue. By the way, did you create the role group with RecipientOrganizationalUnitScope as the following topic describes? Create a Role Group http://technet.microsoft.com/en-us/library/dd638209.aspx (Lastly, I just wonder why you gave the name Public_Folders to the custom role...)
March 7th, 2011 11:22am

Hi Frank, thanks for all the help so far, and sorry for my stupid naming ;) Let me show you how I created the RBAC assignment; I redid the RBAC with new names.

1. New-ManagementRole -Parent "Mail Recipients" -Name "Project_Mailbox_ManagementRole"
2. New-RoleGroup "Project_Mailbox_Rolegroup" -Roles "Project_Mailbox_ManagementRole" -Members "aadam4" -ManagedBy "aadam" -Description "This group can manage full mailbox permission on all Project Mailboxes" -RecipientOrganizationalUnitScope "congrex.internal/Congrex Group/Users_Projects"
3. New-ManagementScope -Name "Project_Mailbox_ManagementScope" -RecipientRoot "congrex.internal/Congrex Group/Users_Projects" -RecipientRestrictionFilter {RecipientType -eq "UserMailbox"}
4. New-ManagementRoleAssignment -Name "Project_Mailbox_ManagementRoleAssignment" -Role "Project_Mailbox_ManagementRole" -User aadam4 -CustomRecipientWriteScope "Project_Mailbox_ManagementScope"

With the "aadam4" account I can now set "Manage Full Access Permissions" in "congrex.internal/Congrex Group/Users_Projects", but also outside the scope I restricted, like "congrex.internal/Congrex Group/Users". I also tried removing the "aadam4" account from "Project_Mailbox_Rolegroup" as you suggested, but I can still set "Manage Full Access Permissions" in the "congrex.internal/Congrex Group/Users_Projects" OU, where I should be able to set permissions, and I can also set permissions on "congrex.internal/Congrex Group/Users", where I should not be able to.

Regicide
March 7th, 2011 5:57pm
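The four steps above give the test account two independent paths to the role (the role group with an OU scope, and a direct assignment with a custom scope), and RBAC allows a write if any one of a user's assignments covers the target. The script below is an added example, not the poster's commands: it builds the same delegation with one scope object and one assignment through the role group, removes any leftover direct assignment, and then lists exactly what the test account holds. Names mirror the thread but are assumptions.

```powershell
# Added example, not from the thread. Exchange 2010 Management Shell (PowerShell 2.0).
# Names below are assumptions that mirror the thread.
$RoleName  = 'Project_Mailbox_ManagementRole'
$ScopeName = 'Project_Mailbox_ManagementScope'
$GroupName = 'Project_Mailbox_Rolegroup'
$TargetOU  = 'congrex.internal/Congrex Group/Users_Projects'
$Member    = 'aadam6'

# Child role inherits the parent's role entries (Add-MailboxPermission among them).
if (-not (Get-ManagementRole -Identity $RoleName -ErrorAction SilentlyContinue)) {
    New-ManagementRole -Parent 'Mail Recipients' -Name $RoleName | Out-Null
}

# One explicit recipient scope: an OU root plus a recipient filter. A target has
# to satisfy both before a write through this assignment is in scope.
if (-not (Get-ManagementScope -Identity $ScopeName -ErrorAction SilentlyContinue)) {
    New-ManagementScope -Name $ScopeName -RecipientRoot $TargetOU `
        -RecipientRestrictionFilter "RecipientType -eq 'UserMailbox'" | Out-Null
}

# The role group's own assignment carries the custom scope; no per-user assignment.
if (-not (Get-RoleGroup -Identity $GroupName -ErrorAction SilentlyContinue)) {
    New-RoleGroup -Name $GroupName -Roles $RoleName -Members $Member `
        -CustomRecipientWriteScope $ScopeName `
        -Description 'Manage Full Access on project mailboxes only' | Out-Null
}

# Drop any direct assignment of this role to the test user so there is exactly one path.
Get-ManagementRoleAssignment -RoleAssignee $Member -Role $RoleName -ErrorAction SilentlyContinue |
    Where-Object { $_.AssignmentMethod -eq 'Direct' } |
    Remove-ManagementRoleAssignment -Confirm:$false

# Everything the test user now holds, with the write scope each assignment uses.
# Expect a single row: RoleGroup / CustomRecipientScope / $ScopeName.
Get-ManagementRoleAssignment -RoleAssignee $Member |
    Select-Object Name, Role, AssignmentMethod, RecipientWriteScope, CustomRecipientWriteScope |
    Format-Table -AutoSize

# The permission-related role entries the custom role actually carries.
Get-ManagementRoleEntry "$RoleName\*" |
    Where-Object { $_.Name -like '*Permission*' } |
    Select-Object Name, Parameters
```

The last listing is worth keeping: a role entry only grants the cmdlet and parameters shown there, so if a delegate can do something that is not in this list, it is coming from a different assignment, not from this role.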

Hi Regicide, if you want to manage users within an OU scope, the first two cmdlets are enough. Assigning a role directly to a user is an advanced task; you rarely need to do that. So could you please add a new test user (e.g. aadam5) to the "Project_Mailbox_Rolegroup" role group to test?
March 8th, 2011 5:55am

Hi Frank, I created a new user "aadam6" and just added that user to "Project_Mailbox_Rolegroup". But with the same results: I can still set "Manage Full Access Permissions" outside my write scope "congrex.internal/Congrex Group/Users_Projects". I have created two screenshots where you can review the results: http://www.4shared.com/photo/uiBroR3R/Exchange-1.html http://www.4shared.com/photo/IB7bsZZS/Exchange-2.html

Regicide
March 8th, 2011 11:33am

Hi Regicide, could you please run the ExBPA in the Toolbox to do a "Permission Check"? Please also run setup /PrepareAD again: Prepare Active Directory and Domains http://technet.microsoft.com/en-us/library/bb125224.aspx The reason is that the "Congrex\Exchange Trusted Subsystem" security group should be listed in the permission list.
March 9th, 2011 5:28am

Looks like this was fixed in 2010 SP1 Update Rollup 3, which came out today. See http://support.microsoft.com/kb/2410571 Info about all of UR3: http://support.microsoft.com/kb/2492690
March 9th, 2011 6:15am

Hi cn9, thanks, I will do the update as soon as I get the opportunity and get back if it works. But I wonder how this error can even exist when MS implements a new granular permission model with RBAC.

Regicide
March 9th, 2011 11:01am

Hi Frank, I ran a "Permission Check" with ExBPA and found no errors. On all my mailbox user objects I have the following permissions set: Congrex\Exchange Servers, Congrex\Exchange Trusted Subsystem, NT AUTHORITY\SELF, NT AUTHORITY\SYSTEM. The reason you didn't see that in my screenshot is that I manually removed all permissions besides "NT AUTHORITY\SELF" just for testing purposes, but that did not make any difference, and I changed it back; sorry for confusing you. Here is a screenshot of how the permissions look on all mailbox objects in our domain: http://www.4shared.com/photo/1uzaeSs5/Exchange-3.html But I'm very interested in whether cn9's tip about Rollup 3 will fix my issue; I promise to get back to both of you.

Regicide
March 9th, 2011 12:20pm

"Hi cn9, thanks, I will do the update as soon as I get the opportunity and get back if it works. But I wonder how this error can even exist when MS implements a new granular permission model with RBAC. Regicide"

As the KB article states, the action was proceeding without actually checking the scope through RBAC. (Which is kind of unsettling...)
March 9th, 2011 6:01pm

Yeah, that's my point, very unsettling. But I'm happy that MS found the problem!

Regicide
March 9th, 2011 6:40pm

Hi Regicide, any updates?
March 14th, 2011 4:20am

Hi Frank, sorry, after installing the RU3 update and restarting the server I can still manage users outside my scope. I even removed the management role and role group and recreated them from scratch, but I still have the issue where I can set "Manage Full Access Permissions" outside my write scope. I created the management role and role group with the following commands:

1. New-ManagementRole -Parent "Mail Recipients" -Name "Project_Mailbox_ManagementRole"
2. New-RoleGroup "Project_Mailbox_Rolegroup" -Roles "Project_Mailbox_ManagementRole" -Members "aadam6" -ManagedBy "aadam" -Description "This group can manage full mailbox permission on all Project Mailboxes" -RecipientOrganizationalUnitScope "congrex.internal/Congrex Group/Users_Projects"

Regicide
March 14th, 2011 11:10am

The account you are using to test isn't a member of any other role groups, right? Can they do other things to the objects in other OUs, for example deleting mailboxes, mail-enabling accounts etc? Or is it only the 'full mailbox access' stuff that is leaking through?
March 15th, 2011 12:41am

Hi cn9, I can't enable, disable or remove any accounts outside my scope. I can only set "Manage Full Access Permissions". In the end I will also need to manage "Manage Send As Permission" for the same scope, but when I add the "Active Directory Permissions" role to the same role group "Project_Mailbox_Rolegroup", I can also set "Manage Send As Permission" outside my scope.

Regicide
March 15th, 2011 11:18am

The account I'm using to test is only a member of one role group, "Project_Mailbox_Rolegroup".

Regicide
March 15th, 2011 12:11pm
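The question cn9 asked (which actions leak, and is it only the permission cmdlets?) is best answered by a test matrix run from the delegate's own session rather than from a full-rights shell, since RBAC is enforced server-side per session. The script below is an added example, not from the thread: it opens a remote Exchange shell as the delegate, tries Add-MailboxPermission, Add-ADPermission and (as a control that is expected to be scoped correctly, matching what Regicide reports) Set-Mailbox against one in-scope and one out-of-scope mailbox, records which calls succeed, and cleans up afterwards from the full-rights session. The server name, the delegate account, the throwaway trustee and the two target mailboxes are assumptions.

```powershell
# Added example, not from the thread. Run from a full-rights Exchange 2010
# Management Shell (PowerShell 2.0) on a domain-joined machine so the cleanup at
# the end has the rights it needs. All names below are assumptions.
$Server   = 'cen-sv-ex-01.congrex.internal'
$Delegate = Get-Credential -Credential 'congrex\aadam6'
$Trustee  = 'congrex\perm.probe'               # throwaway account that receives the test rights
$Targets  = @{
    InScope    = 'proj.mailbox01'              # under congrex.internal/Congrex Group/Users_Projects
    OutOfScope = 'corp.user01'                 # under congrex.internal/Congrex Group/Users
}

# The delegate's own remote shell. The Exchange endpoint is a restricted
# (NoLanguage) runspace, so the delegate's cmdlets are brought in as local
# proxies via implicit remoting; the prefix keeps them apart from the
# full-rights cmdlets already loaded in this shell (Add-DlgMailboxPermission etc.).
$sess = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri "http://$Server/PowerShell/" -Authentication Kerberos -Credential $Delegate
Import-PSSession $sess -Prefix Dlg -AllowClobber -ErrorAction Stop | Out-Null

# One probe per cmdlet under suspicion. A thrown error means the server refused
# the call (out of scope, or the cmdlet is not in any of the delegate's roles at
# all, which is what happens for Add-ADPermission without the
# "Active Directory Permissions" role).
$probes = @(
    @{ Name = 'Add-MailboxPermission'; Action = { param($m)
        Add-DlgMailboxPermission -Identity $m -User $Trustee -AccessRights FullAccess -ErrorAction Stop } },
    @{ Name = 'Add-ADPermission'; Action = { param($m)
        Add-DlgADPermission -Identity $m -User $Trustee -ExtendedRights 'Send-As' -ErrorAction Stop } },
    @{ Name = 'Set-Mailbox (control)'; Action = { param($m)
        Set-DlgMailbox -Identity $m -CustomAttribute15 'rbac-probe' -ErrorAction Stop } }
)

$results = foreach ($p in $probes) {
    foreach ($kind in @('InScope', 'OutOfScope')) {
        $ok = $true
        try   { & $p.Action $Targets[$kind] | Out-Null }
        catch { $ok = $false; $reason = $_.Exception.Message }
        if ($ok) { $reason = '' }
        New-Object PSObject -Property @{
            Cmdlet = $p.Name; Target = $kind; Mailbox = $Targets[$kind]; Succeeded = $ok; Error = $reason
        }
    }
}
Remove-PSSession $sess

$results | Select-Object Cmdlet, Target, Mailbox, Succeeded, Error | Format-Table -AutoSize -Wrap
# Any row here is a write the delegate was able to make outside the assigned scope.
$results | Where-Object { $_.Target -eq 'OutOfScope' -and $_.Succeeded }

# Cleanup with the full-rights cmdlets of this shell, whether or not the probes succeeded.
foreach ($m in $Targets.Values) {
    Remove-MailboxPermission -Identity $m -User $Trustee -AccessRights FullAccess -Confirm:$false -ErrorAction SilentlyContinue
    Remove-ADPermission -Identity $m -User $Trustee -ExtendedRights 'Send-As' -Confirm:$false -ErrorAction SilentlyContinue
    Set-Mailbox -Identity $m -CustomAttribute15 $null -ErrorAction SilentlyContinue
}
```

Keep the control row: if Set-Mailbox is refused on the out-of-scope mailbox while Add-MailboxPermission succeeds on it, the scope itself is intact and the discrepancy is specific to the permission cmdlets, which is the distinction this thread needs to make before and after applying any update.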

Any new ideas, can't get this working?Regicide
March 22nd, 2011 1:35pm

Hi Frank, Anyone from Microsoft that would be interested to solve this issue? From my perspective permission problems is quite a critical issue?Regicide
March 23rd, 2011 10:48am

Hi guys, just to follow up: with the release of Update Rollup 3 (V3), after installation and restarting the server I still have the problem where I can set permissions outside my role assignment scope.

Adam Bokiniec
April 7th, 2011 3:48pm

Hey Adam, are you still experiencing the write scope problem with managing Full Access? I have the exact same problem and do have Rollup 3 for SP1 installed. I can't figure out a solution for it.

Mike Hart
July 14th, 2011 3:33pm

Hi Mike, sorry for the long delay, but it is my first day back from vacation. Yes, we are still experiencing this problem and are also running Rollup 3.

Adam Bokiniec
July 28th, 2011 3:02am

