RBAC Problem Exchange 2010

    Question

  • Hi All,

    I have created a role group and a write scope for a group of admins to create and manage mailboxes in 2 mailbox databases, but it's not working.

    This is what I did:

    Create write scope

    New-ManagementScope -Name "A1 databases" -DatabaseList "A1DB", "A2DB"

    New-RoleGroup "A1 Administrators" -Roles "mail recipient creation", "mail recipients" -CustomRecipientWriteScope "A1 Databases"

    and I added the administrators to the group using the ECP.

    This is the error I get.

    Error:
    'domain.corp/users/Test009' isn't within your current write scopes. Can't perform save operation.

    Can someone guide on how to configure this correctly ?

    Thanks,

    Simon


    MCSA, MCSE, MCITP:SA, MCITP:EA, MCTS:Exchange Server 2010 Config, CCNA
    Saturday, January 29, 2011 9:48 AM

Answers

  • Hi All,

    Issue was fixed by adding the -RecipientOrganizationalUnitScope to the new-rolegroup cmdlet with the OU the administrators will be able to create and manage mailboxes.

    P.S

    I found the solution in the book "Microsoft Exchange Server 2010 Best Practices", page 728 (what a good buy :) )


    MCSA, MCSE, MCITP:SA, MCITP:EA, MCTS:Exchange Server 2010 Config, CCNA
    • Marked as answer by Shimon1 Sunday, January 30, 2011 10:47 PM
    Sunday, January 30, 2011 10:29 PM
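    The full sequence from the question, carried through with the OU scope from the accepted answer and the scope type David pointed out (a -DatabaseList scope is a configuration scope, so it belongs in -CustomConfigWriteScope, not -CustomRecipientWriteScope), as an added example that is not part of any post on this page. The OU "domain.corp/A1 Users", the member account "a1admin" and the database names are assumptions. Run it in the Exchange Management Shell as a member of Organization Management; the checks at the end show what RBAC actually recorded, so a scope of the wrong type is caught before a delegated admin hits the save error.

```powershell
# Added example (not from the thread): delegate mailbox creation and
# management to "A1 Administrators", limited to two databases and one OU.
# Assumed names: A1DB, A2DB, OU "domain.corp/A1 Users", member a1admin.

# 1. Configuration write scope: which mailbox databases the group may target.
#    A -DatabaseList scope is a *configuration* scope, so it is applied with
#    -CustomConfigWriteScope (see step 2), never -CustomRecipientWriteScope.
New-ManagementScope -Name "A1 Databases" -DatabaseList "A1DB", "A2DB"

# 2. Role group with both scopes. The OU bounds which recipient objects the
#    members may write; the database scope bounds where New-Mailbox may place
#    a mailbox. Both roles in the group get their own assignment object.
New-RoleGroup -Name "A1 Administrators" `
    -Roles "Mail Recipient Creation", "Mail Recipients" `
    -RecipientOrganizationalUnitScope "domain.corp/A1 Users" `
    -CustomConfigWriteScope "A1 Databases" `
    -Members "domain.corp/Users/a1admin" `
    -Description "Create and manage mailboxes in OU 'A1 Users' on A1DB/A2DB only"

# 3. Verify what was recorded: RecipientWriteScope should read OU with the OU
#    in CustomRecipientWriteScope, and the database scope should appear in
#    CustomConfigWriteScope, on every assignment of the group.
Get-ManagementRoleAssignment -RoleAssignee "A1 Administrators" |
    Format-List Role, RecipientWriteScope, CustomRecipientWriteScope,
                ConfigWriteScope, CustomConfigWriteScope, Enabled

# 4. Positive and negative checks on the database scope: the first call must
#    return the group's assignments, the second (a database outside the list,
#    assumed name HQDB) must return nothing.
Get-ManagementRoleAssignment -RoleAssignee "A1 Administrators" -WritableDatabase "A1DB"
Get-ManagementRoleAssignment -RoleAssignee "A1 Administrators" -WritableDatabase "HQDB"
```

    Step 4 is the check worth keeping in a delegation runbook: -WritableDatabase and its sibling -WritableRecipient answer "can this group touch that object" from RBAC's own view, without waiting for an admin to report the "isn't within your current write scopes" error.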

All replies

  • hi Simon

    You want to add the "A1 Databases" scope using the CustomConfigWriteScope parameter on New-RoleGroup to control which databases members of that role group can create mailboxes on. See Understanding Management Role Scopes for more information. See the Custom Scopes\Configuration Scopes section.

    David.


    Senior Technical Writer - Exchange. This posting is provided "AS IS" with no warranties, and confers no rights.
    Saturday, January 29, 2011 8:24 PM
    Moderator
  • Hi David,

    I have done what you said but I still get the error message regarding the scope.

    Do you have an example of the entire process?

    Regards,

    Simon


    MCSA, MCSE, MCITP:SA, MCITP:EA, MCTS:Exchange Server 2010 Config, CCNA
    Sunday, January 30, 2011 12:27 AM
  • Please provide the output of Get-RoleGroup <role group name> | FL

    Senior Technical Writer - Exchange. This posting is provided "AS IS" with no warranties, and confers no rights.
    Sunday, January 30, 2011 6:48 AM
    Moderator
  • Hi David,

    Here is the output.

    RunspaceId                  : 64df5b14-8371-45ac-9aab-a9838b29839e
    ManagedBy                   : {dc.corp/Microsoft Exchange Security Groups/Organization Management, dc.corp/Ad
                                  ministration/Administrative Accounts/sadmin}
    RoleAssignments             : {Mail Recipient Creation-T3 Administrators, Mail Recipients-T3 Admi
                                  nistrators}
    Roles                       : {Mail Recipient Creation, Mail Recipients}
    DisplayName                 :
    ExternalDirectoryObjectId   :
    Members                     : {dc.corp/External/Admin/t23selfadmin}
    SamAccountName              : T3 administrators
    Description                 :
    RoleGroupType               : Standard
    LinkedGroup                 :
    Capabilities                : {}
    LinkedPartnerGroupId        :
    LinkedPartnerOrganizationId :
    IsValid                     : True
    ExchangeVersion             : 0.10 (14.0.100.0)
    Name                        : T3 administrators
    DistinguishedName           : CN=T3 Administrators,OU=Microsoft Exchange Security Groups,DC=dc,DC=corp
    Identity                    : dc.corp/Microsoft Exchange Security Groups/T3 Administrators
    Guid                        : #####
    ObjectCategory              : dc.corp/Configuration/Schema/Group
    ObjectClass                 : {top, group}
    WhenChanged                 : 30/01/2011 8:54:25 PM
    WhenCreated                 : 30/01/2011 8:53:06 PM
    WhenChangedUTC              : 30/01/2011 9:54:25 AM
    WhenCreatedUTC              : 30/01/2011 9:53:06 AM
    OrganizationId              :
    OriginatingServer           : dc2.dc.corp


    MCSA, MCSE, MCITP:SA, MCITP:EA, MCTS:Exchange Server 2010 Config, CCNA
    Sunday, January 30, 2011 10:01 AM
  • Hi,

    Thank you for sharing. It would be very helpful for the people who have the same problem.


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread. Thanks Gen Lin-MSFT
    Monday, January 31, 2011 9:09 AM
    Moderator
  • We are having the same issue, but we are using the -CustomRecipientWriteScope of the management Scope to allow access to the entire Domain "domain.com" since -RecipientOrganizationalUnitScope would only allow you to define specific OU's and those can change over time as AD changes due to organizational changes.

    Any thoughts how to get around this?

    We did the following for our RBAC Permissions:

    First we created the management scope:

    New-ManagementScope -Name TestRecipients -RecipientRoot "domain.subroot.root.com" `
        -RecipientRestrictionFilter {(RecipientType -eq "UserMailbox") -or (RecipientType -eq "MailUser") -or (RecipientType -eq "User") -or (RecipientType -eq "MailContact") -or (RecipientType -eq "MailUniversalSecurityGroup") -or (RecipientType -eq "MailNonUniversalGroup") -or (RecipientType -eq "MailUniversalDistributionGroup") -or (RecipientType -eq "DynamicDistributionGroup") -or (RecipientType -eq "PublicFolder")}

    Then we created the group using this management scope:

    New-RoleGroup -Name TestExchangeAdmin-I `
        -Roles "SageMessageTracking", "SagePublicFolders", "SageDistributionGroups", "SageMailRecipients", "SageMailRecipientCreation", "SageActiveDirectoryPermissions", "SageSecurityGroupCreationandMembership" `
        -DomainController gaqrootdc01.root.adinternal.com `
        -CustomRecipientWriteScope TestRecipients `
        -Description "Members of this group can Manage Recipients, Distribution Lists, Public Folders, Track Messages, Migrate Mailboxes, Move Mailboxes"

    Any help would be appreciated

    -JM

    Wednesday, June 22, 2011 8:41 PM
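    JM's post above wants a recipient write scope that covers a whole domain without pinning it to OUs that may move. The following is an added example, not from JM or any other poster: it defines such a scope with -RecipientRoot at the domain plus a type filter, pairs it with a separate database (configuration) scope, and applies both to a role group's existing assignments in place instead of rebuilding the group. The domain "domain.corp", the scope names, the databases DB01/DB02 and the role group name are assumptions.

```powershell
# Added example (not from the thread): domain-rooted recipient scope applied
# to an existing role group. Assumed names: domain.corp, "Domain Recipients",
# "Delegated Databases", DB01/DB02, role group TestExchangeAdmin-I.

# Recipient scope rooted at the domain: every object under it that matches the
# filter is writable, whichever OU it sits in. Keep "User" in the filter: a
# plain AD account (RecipientType User) that is outside the scope cannot be
# mailbox-enabled by the delegated admins.
New-ManagementScope -Name "Domain Recipients" -RecipientRoot "domain.corp" `
    -RecipientRestrictionFilter { (RecipientType -eq "UserMailbox") -or (RecipientType -eq "MailUser") -or (RecipientType -eq "User") -or (RecipientType -eq "MailContact") -or (RecipientType -eq "MailUniversalDistributionGroup") -or (RecipientType -eq "MailUniversalSecurityGroup") -or (RecipientType -eq "DynamicDistributionGroup") }

# A recipient scope says nothing about which database New-Mailbox may use;
# that is a configuration scope and a separate object.
New-ManagementScope -Name "Delegated Databases" -DatabaseList "DB01", "DB02"

# Re-scope the group's existing assignments rather than recreating the group.
# Every role assigned to the group has its own assignment, so pipe all of them.
Get-ManagementRoleAssignment -RoleAssignee "TestExchangeAdmin-I" |
    Set-ManagementRoleAssignment -CustomRecipientWriteScope "Domain Recipients" `
                                 -CustomConfigWriteScope "Delegated Databases"

# Confirm the scope objects (type, root, filters) and the resulting assignments.
"Domain Recipients", "Delegated Databases" |
    ForEach-Object { Get-ManagementScope $_ } |
    Format-List Name, ScopeRestrictionType, RecipientRoot, RecipientFilter, DatabaseFilter

Get-ManagementRoleAssignment -RoleAssignee "TestExchangeAdmin-I" |
    Format-Table Role, RecipientWriteScope, CustomRecipientWriteScope, CustomConfigWriteScope -AutoSize
```

    Because the scope is evaluated against the object's current location and attributes, moving a recipient between OUs inside the domain keeps it in scope, which is the property JM was after; moving it to another domain, or changing its RecipientType to one the filter does not list, takes it out of scope again.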
    I got this problem while running an upgrade:

    Set-DistributionGroup -Identity "***" -ForceUpgrade
    '***********' isn't within your current write scopes. Can't per
    form save operation.
        + CategoryInfo          : NotSpecified: (0:Int32) [Set-DistributionGroup], ADScopeException
        + FullyQualifiedErrorId : C0409C91,Microsoft.Exchange.Management.RecipientTasks.SetDistributionGroup

    I've been googling and can't find any solution for this... ;/

    Wednesday, July 25, 2012 8:49 AM
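    The last post hits the same ADScopeException from Set-DistributionGroup. The save error names the object but not the scope that excludes it, so the following added example (not from any poster on this page; the account name "Helpdesk Admin" and the group "DL-Finance" are assumptions) pulls that information from RBAC itself: which assignments give a given user write access to a given recipient, which write scopes the user holds at all, and whether an exclusive scope is in play. The EffectiveUserName value is the account's Name attribute, hence the -like comparison.

```powershell
# Added example (not from the thread): trace an "isn't within your current
# write scopes" error back to the assignment, or missing assignment, behind it.
# Assumed names: user "Helpdesk Admin", distribution group "DL-Finance".

function Get-EffectiveWriteAssignments {
    # Every role assignment that lets $User write $Recipient, expanded through
    # role group membership. No output means no scope the user holds covers it.
    param(
        [Parameter(Mandatory = $true)] [string] $User,       # matched against EffectiveUserName
        [Parameter(Mandatory = $true)] [string] $Recipient   # identity of the object being saved
    )
    Get-ManagementRoleAssignment -WritableRecipient $Recipient -GetEffectiveUsers |
        Where-Object { $_.EffectiveUserName -like $User } |
        Select-Object Role, RoleAssigneeName, RecipientWriteScope, CustomRecipientWriteScope, Exclusive
}

function Get-UserWriteScopes {
    # All enabled write scopes $User holds, regardless of target. Compare each
    # with the recipient's OU and attributes to see which one leaves it out.
    param([Parameter(Mandatory = $true)] [string] $User)
    Get-ManagementRoleAssignment -GetEffectiveUsers |
        Where-Object { ($_.EffectiveUserName -like $User) -and $_.Enabled } |
        Select-Object Role, RoleAssigneeName, RecipientWriteScope, CustomRecipientWriteScope, ConfigWriteScope
}

function Get-ExclusiveScopes {
    # Exclusive scopes override every other assignment for the objects they
    # match: if one covers the recipient, only members of a role group holding
    # that exclusive scope can save it, whatever other scopes the user has.
    Get-ManagementScope -Exclusive |
        Select-Object Name, RecipientRoot, RecipientFilter
}

Get-EffectiveWriteAssignments -User "Helpdesk Admin" -Recipient "DL-Finance"
Get-UserWriteScopes -User "Helpdesk Admin"
Get-ExclusiveScopes
```

    Read the three results together: an empty first result with a non-empty second one means the user has roles but the target falls outside all of their write scopes (wrong OU, wrong RecipientType for a filter, or a database outside a -DatabaseList scope); a hit in the third result points at an exclusive scope, which no ordinary assignment can get around.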