RBAC Problem Exchange 2010
-
Saturday, January 29, 2011 9:48 AM
Hi All,
I have created a role group and a write scope for a group of admins to create and manage mailboxes in 2 mailbox databases but it's not working.
This is what I did:
Create write scope:
New-ManagementScope -Name "A1 Databases" -DatabaseList "A1DB", "A2DB"
Create role group:
New-RoleGroup "A1 Administrators" -Roles "Mail Recipient Creation", "Mail Recipients" -CustomRecipientWriteScope "A1 Databases"
and I added the administrators using the ECP to the group.
This is the error I get.
Error:
'domain.corp/users/Test009' isn't within your current write scopes. Can't perform save operation.
Can someone guide on how to configure this correctly?
Thanks,
Simon
MCSA, MCSE, MCITP:SA, MCITP:EA, MCTS:Exchange Server 2010 Config, CCNA
All Replies
-
Saturday, January 29, 2011 8:24 PM (Moderator)
hi Simon
You want to add the "A1 Databases" scope using the CustomConfigWriteScope parameter on New-RoleGroup to control which databases members of that role group can create mailboxes on. See Understanding Management Role Scopes for more information. See the Custom Scopes\Configuration Scopes section.
David.
Senior Technical Writer - Exchange. This posting is provided "AS IS" with no warranties, and confers no rights.
Sunday, January 30, 2011 12:27 AM
Hi David,
I have done what you said but I still get the error message regarding the scope.
Do you have an example for the entire process ?
Regards,
Simon
MCSA, MCSE, MCITP:SA, MCITP:EA, MCTS:Exchange Server 2010 Config, CCNA
-
Sunday, January 30, 2011 6:48 AM (Moderator)
Please provide the output of Get-RoleGroup <role group name> | FL
Senior Technical Writer - Exchange. This posting is provided "AS IS" with no warranties, and confers no rights.
Sunday, January 30, 2011 10:01 AM
Hi David,
Here is the output.
RunspaceId : 64df5b14-8371-45ac-9aab-a9838b29839e
ManagedBy : {dc.corp/Microsoft Exchange Security Groups/Organization Management, dc.corp/Administration/Administrative Accounts/sadmin}
RoleAssignments : {Mail Recipient Creation-T3 Administrators, Mail Recipients-T3 Administrators}
Roles : {Mail Recipient Creation, Mail Recipients}
DisplayName :
ExternalDirectoryObjectId :
Members : {dc.corp/External/Admin/t23selfadmin}
SamAccountName : T3 administrators
Description :
RoleGroupType : Standard
LinkedGroup :
Capabilities : {}
LinkedPartnerGroupId :
LinkedPartnerOrganizationId :
IsValid : True
ExchangeVersion : 0.10 (14.0.100.0)
Name : T3 administrators
DistinguishedName : CN=T3 Administrators,OU=Microsoft Exchange Security Groups,DC=dc,DC=corp
Identity : dc.corp/Microsoft Exchange Security Groups/T3 Administrators
Guid : #####
ObjectCategory : dc.corp/Configuration/Schema/Group
ObjectClass : {top, group}
WhenChanged : 30/01/2011 8:54:25 PM
WhenCreated : 30/01/2011 8:53:06 PM
WhenChangedUTC : 30/01/2011 9:54:25 AM
WhenCreatedUTC : 30/01/2011 9:53:06 AM
OrganizationId :
OriginatingServer : dc2.dc.corp
MCSA, MCSE, MCITP:SA, MCITP:EA, MCTS:Exchange Server 2010 Config, CCNA
Sunday, January 30, 2011 10:29 PM
Hi All,
Issue was fixed by adding the -RecipientOrganizationalUnitScope to the new-rolegroup cmdlet with the OU the administrators will be able to create and manage mailboxes.
P.S
I found the solution in the book "Microsoft Exchange Server 2010 Best Practices" page 728 (what a good buy :) )
MCSA, MCSE, MCITP:SA, MCITP:EA, MCTS:Exchange Server 2010 Config, CCNA
Marked As Answer by Shimon1 Sunday, January 30, 2011 10:47 PM
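The complete sequence Simon asked for, as an added example that is not from this thread or from Microsoft's documentation: the database scope goes on -CustomConfigWriteScope (David's point) and -RecipientOrganizationalUnitScope bounds the recipients the members may save (the parameter that cleared the error, which names a recipient object, not a database). The scope, group, OU, member and user names are assumptions, with the OU taken from the path in Simon's error message.

```powershell
# Added example, not the thread's own commands. Names below are assumptions.

# 1. Configuration scope: limits which mailbox databases members may use.
New-ManagementScope -Name "A1 Databases" -DatabaseList "A1DB", "A2DB"

# 2. Role group. The database scope is a configuration scope, so it belongs
#    on -CustomConfigWriteScope. Which users/mailboxes the members may create
#    or modify is a separate axis, bounded here by the OU scope. Note that
#    -RecipientOrganizationalUnitScope and -CustomRecipientWriteScope cannot
#    be combined on the same role group; pick one recipient scope type.
New-RoleGroup -Name "A1 Administrators" `
    -Roles "Mail Recipient Creation", "Mail Recipients" `
    -CustomConfigWriteScope "A1 Databases" `
    -RecipientOrganizationalUnitScope "domain.corp/Users" `
    -Members "domain.corp/Users/a1admin" `
    -Description "Creates and manages mailboxes in A1DB/A2DB for users under domain.corp/Users"

# 3. Verify the effective write scopes on each assignment the group received.
#    RecipientWriteScope should show the OU and ConfigWriteScope the database
#    scope; a target object outside either scope is what produces
#    "isn't within your current write scopes".
Get-ManagementRoleAssignment -RoleAssignee "A1 Administrators" |
    Format-List Role, RecipientWriteScope, CustomRecipientWriteScope,
                ConfigWriteScope, CustomConfigWriteScope

# 4. Before a member saves a given user, confirm that user actually sits
#    under the scope root (the OU must match the one granted in step 2).
Get-User -Identity "Test009" | Format-List Identity, OrganizationalUnit
```

Run the checks in steps 3 and 4 as the scoped administrator when reproducing the error, since the write scopes reported are those of the account running the shell.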
-
Monday, January 31, 2011 9:09 AM (Moderator)
Hi,
Thank you for sharing. It would be very helpful for the people who have the same problem.
Please remember to click "Mark as Answer" on the post that helps you, and to click "Unmark as Answer" if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
Thanks, Gen Lin-MSFT
Wednesday, June 22, 2011 8:41 PM
We are having the same issue, but we are using the -CustomRecipientWriteScope of the management scope to allow access to the entire domain "domain.com", since -RecipientOrganizationalUnitScope would only allow you to define specific OUs and those can change over time as AD changes due to organizational changes.
Any thoughts how to get around this?
We did the following for our RBAC Permissions:
First we created the management scope:
New-ManagementScope -Name TestRecipients -RecipientRoot "domain.subroot.root.com" -RecipientRestrictionFilter {(RecipientType -eq "UserMailbox") -or (RecipientType -eq "MailUser") -or (RecipientType -eq "User") -or (RecipientType -eq "MailContact") -or (RecipientType -eq "MailUniversalSecurityGroup") -or (RecipientType -eq "MailNonUniversalGroup") -or (RecipientType -eq "MailUniversalDistributionGroup") -or (RecipientType -eq "DynamicDistributionGroup") -or (RecipientType -eq "PublicFolder")}
Then we created the group using this management scope:
New-RoleGroup -Name TestExchangeAdmin-I -Roles "SageMessageTracking", "SagePublicFolders", "SageDistributionGroups", "SageMailRecipients", "SageMailRecipientCreation", "SageActiveDirectoryPermissions", "SageSecurityGroupCreationandMembership" -DomainController gaqrootdc01.root.adinternal.com -CustomRecipientWriteScope TestRecipients -Description "Members of this group can Manage Recipients, Distribution Lists, Public Folders, Track Messages, Migrate Mailboxes, Move Mailboxes"
Any help would be appreciated
-JM
-
Wednesday, July 25, 2012 8:49 AM
I got this problem while running an upgrade:
Set-DistributionGroup -Identity "***" -ForceUpgrade
'***********' isn't within your current write scopes. Can't perform save operation.
+ CategoryInfo : NotSpecified: (0:Int32) [Set-DistributionGroup], ADScopeException
+ FullyQualifiedErrorId : C0409C91,Microsoft.Exchange.Management.RecipientTasks.SetDistributionGroup
I googled and can't find any solution for this... ;/