RBAC roles
I built 3 mbx servers in 2010 Exchange SP2 RU3. One server, I don't want anyone, except for a few select users, to have access to. So, I did the following below, and I am not so sure that is what I wanted. Wouldn't my "Domain Admins, Enterprise Admins, Exchange Organization Administrators" still have access to MBX-EAST?

New-ManagementScope -Name "Mailbox Server East Office" -ServerList MBX-EAST
New-ManagementRoleAssignment -Name "East_Admins" -SecurityGroup "UG_EAST_ADMINS" -Role "Databases" -CustomConfigWriteScope "Mailbox Server East Office"

Thank you.
July 26th, 2012 2:39pm

Hello, what is it you want the users to have access to? If you don't want other users to access the Exchange server, you can just not give them permission to manage Exchange Server. If you have other requirements, please explain your problem in detail. Thanks,
Evan Liu TechNet Community Support
July 27th, 2012 3:54am

Thank you for your reply. I want to manage an AD security group that allows a few selected admins in this AD security group to manage our MBX-EAST mailbox server only, restricting Domain Admins and any other "protected user \ group". However, Domain Admins would still be able to manage our MBX-West and MBX-Central servers that are in the same organization.
July 27th, 2012 6:37am

You can't; domain admins have the keys to the kingdom, and they can always undo anything. What you can do is set up administrator auditing so you have a record of what changes they are making, if you suspect they are making changes they are not supposed to. Need to restrict domain admins to only be able to perform the following: http://social.technet.microsoft.com/Forums/en-US/exchange2010/thread/55f8f6a1-1785-4c2d-be35-7f9c60500230/
James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com
July 27th, 2012 11:55am

Hmmm, I was under the impression you could create an RBAC server scope, restricting access to a server to only certain users.
July 27th, 2012 12:36pm

Unless the Domain Admins group is in Exchange Organization Administrators, then all domain admins don't have access to everything, only members that are in Exchange Organization Administrators; would that be correct? Am I correct in saying so? So, to secure your IT staff from accessing certain datastores and/or servers: remove the users from Exchange Organization Administrators, build custom roles for each mailbox server and/or database, and apply those users to the appropriate role. If so, I'd have to figure out how to do that. Also, the Organization Management role, is this a higher role than Exchange Organization Administrators? Thank you
July 27th, 2012 4:19pm

Hi Semperfi, you can use exclusive scopes to prevent anyone not assigned the roles (either directly, via USGs, or via role groups) from managing the objects - mailboxes, databases, etc. See this topic for more information - http://technet.microsoft.com/en-us/library/dd638110.aspx For example, if you have several individuals as members of the "Organization Management" role group, but you only want a small set of people to manage the mailbox for the CEO, you could create a new role group, add the people you want to manage the CEO mailbox to that role group, create an exclusive scope with a recipient filter that includes the CEO mailbox, and then create a role assignment between the "Mail Recipients" role and the new role group with the exclusive scope. Immediately upon creation of the exclusive role assignment, anyone not a member of the new role group will be prevented from managing the CEO mailbox. As others have mentioned, an Active Directory administrator could add themselves to the role group via the Active Directory management tools if they have permissions in AD to manage USGs. If you want to ensure that this doesn't occur, you can create exclusive role assignments directly to individual users.
Senior Technical Writer - Exchange. This posting is provided "AS IS" with no warranties, and confers no rights.
July 28th, 2012 2:26am
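The exclusive-scope approach David describes, applied to the MBX-EAST server scenario from the first post, as an added example that is not part of the thread; the scope, role and group names are the ones already in the thread, while the role group "East Mailbox Admins" and the user names are assumed placeholders.

```powershell
# Added example (not from the thread). Run in the Exchange Management Shell
# as an account that can create scopes and role assignments.

# 1. Exclusive scope limited to the one server. The -Exclusive switch is the
#    difference from the plain New-ManagementScope in the original post: a
#    regular scope only limits the group it is assigned to, an exclusive scope
#    also blocks every assignment that does NOT carry it (Organization
#    Management's implicit org-wide scope included).
New-ManagementScope -Name "Mailbox Server East Office" `
    -ServerList MBX-EAST -Exclusive

# 2. Role group for the select admins, created without -Roles so that no
#    org-wide "Databases" assignment is created as a side effect.
#    "alice" and "bob" are assumed user names.
New-RoleGroup -Name "East Mailbox Admins" -Members alice,bob

# 3. Bind the "Databases" role to the group through the exclusive write scope.
#    From this point only assignees of this scope can change databases on
#    MBX-EAST; other servers in the org are unaffected.
New-ManagementRoleAssignment -Name "East_Admins-Databases" `
    -SecurityGroup "East Mailbox Admins" -Role "Databases" `
    -ExclusiveConfigWriteScope "Mailbox Server East Office"

# 3b. Alternative per David's closing point: assign directly to a user, so an
#     AD group-membership edit cannot widen who is covered by the scope.
#     (Commented out; use instead of step 2/3 if group tampering is a concern.)
# New-ManagementRoleAssignment -Name "East_Admins-alice" -User alice `
#     -Role "Databases" -ExclusiveConfigWriteScope "Mailbox Server East Office"

# 4. Verify: list the exclusive scopes and the assignments that use them.
Get-ManagementScope -Exclusive |
    Format-Table Name,ScopeRestrictionType,Exclusive
Get-ManagementRoleAssignment -Exclusive |
    Format-Table Name,Role,RoleAssigneeName,CustomConfigWriteScope

# 5. RBAC only governs the Exchange management path. Domain Admins keep their
#    AD rights (see James's reply), so keep admin audit logging on to record
#    any change made through Exchange cmdlets regardless of who makes it.
Set-AdminAuditLogConfig -AdminAuditLogEnabled $true
```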


Thank you David, this lead me in the right direction.
July 30th, 2012 12:31pm
