Restrict mailbox view for ECP/EMC

  • Question

  • Hi,

    I'm trying to restrict my help desk user to only be able to view/edit mailboxes in a certain OU, when accessing the EMC or ECP.

    I have created a new role group, scope, role assignment and added the user.

    When the user logs in via ECP they can view all the mailboxes (they can only amend mailboxes specified in my scope, so that bit's working). I need to restrict the user to only see mailboxes he has permissions to edit.

    The commands I used were as follows:

    New-RoleGroup "Help Desk" -RecipientOrganizationalUnitScope "MyDomain.local/MyOrgUnit" -Roles "Mail Recipients"

    Set-ManagementRoleAssignment "Mail Recipients-Help Desk" -RecipientOrganizationalUnitScope "MyDomain.local/MyOrgUnit"

    New-ManagementScope -Name "Help Desk Scope" -RecipientRoot "MyDomain.local/MyOrgUnit" -RecipientRestrictionFilter {RecipientType -eq "UserMailbox"}

    Set-ManagementRoleAssignment "Mail Recipients-Help Desk" -CustomRecipientWriteScope "Help Desk Scope"

    I then added the user to the role group using the ECP.

    Any suggestions into what I'm doing wrong?

    Many Thanks
    Monday, July 18, 2011 4:00 PM

Answers

  • Hi

    As far as I know, the RecipientOrganizationalUnitScope parameter specifies the organizational unit (OU) scope added to the role assignments created when the role group is created. If you use the RecipientOrganizationalUnitScope parameter, you can't use the CustomRecipientWriteScope parameter. To specify an OU, use the syntax: domain/ou.
    So, please choose one of them.

    Regards!
    Gavin

    TechNet Subscriber Support in forum

    If you have any feedback on our support, please contact tngfb@microsoft.com
    Please remember to click "Mark as Answer" on the post that helps you, and to click "Unmark as Answer" if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    • Marked as answer by Gavin-Zhang Saturday, July 30, 2011 1:34 PM
    Thursday, July 21, 2011 9:43 AM
  • Hi RobDPS,

    If you want to use RBAC to achieve the target of not allowing the helpdesk to view the other mailboxes, as far as I know, it is impossible.

    Regards!
    Gavin

    TechNet Subscriber Support in forum

    If you have any feedback on our support, please contact tngfb@microsoft.com
    Please remember to click "Mark as Answer" on the post that helps you, and to click "Unmark as Answer" if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    • Marked as answer by Gavin-Zhang Saturday, July 30, 2011 1:34 PM
    Monday, July 25, 2011 4:20 AM
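
    The procedure from the question, redone as an added example (not code posted in this thread) so that it avoids the mutually exclusive parameter pair Gavin's first answer describes, and then inspects what the resulting assignment actually grants, which is the point behind his second answer. It assumes the Exchange 2010 Management Shell run by an organization administrator; the domain, OU, scope and role group names are the placeholders from the question, and helpdesk.user is a made-up account name.

```powershell
# Added example, not from the thread. Placeholders: MyDomain.local/MyOrgUnit,
# "Help Desk Scope", "Help Desk" (from the question) and helpdesk.user (made up).
# Run in the Exchange 2010 Management Shell as an organization administrator.

# 1) One management scope that limits write operations to UserMailbox objects
#    under the OU. The filter is a script block; keep the closing quote ASCII,
#    a curly quote makes the filter unparseable.
New-ManagementScope -Name "Help Desk Scope" `
    -RecipientRoot "MyDomain.local/MyOrgUnit" `
    -RecipientRestrictionFilter { RecipientType -eq "UserMailbox" }

# 2) The role group with the custom write scope. Do NOT also pass
#    -RecipientOrganizationalUnitScope: New-RoleGroup rejects the combination
#    ("mutually exclusive"), because both are ways of setting the same write scope.
New-RoleGroup -Name "Help Desk" -Roles "Mail Recipients" `
    -CustomRecipientWriteScope "Help Desk Scope"

# 3) Membership (the question did this step in the ECP).
Add-RoleGroupMember -Identity "Help Desk" -Member "helpdesk.user"

# 4) Verify the scope definition that was stored.
Get-ManagementScope -Identity "Help Desk Scope" |
    Format-List Name, ScopeRestrictionType, RecipientRoot, RecipientFilter

# 5) Verify what the role assignment grants. RecipientWriteScope will report
#    CustomRecipientScope; RecipientReadScope is inherited from the role's
#    implicit read scope and is not narrowed by any custom scope.
Get-ManagementRoleAssignment -RoleAssignee "Help Desk" |
    Format-List Name, Role, RecipientReadScope, RecipientWriteScope, CustomRecipientWriteScope

# 6) The role's implicit scopes, for comparison with step 5.
Get-ManagementRole -Identity "Mail Recipients" |
    Format-List Name, ImplicitRecipientReadScope, ImplicitRecipientWriteScope

# 7) Preview which recipients fall inside the write scope, i.e. the set the
#    help desk user can actually change.
$scope = Get-ManagementScope -Identity "Help Desk Scope"
Get-Recipient -OrganizationalUnit "MyDomain.local/MyOrgUnit" `
    -RecipientPreviewFilter $scope.RecipientFilter |
    Select-Object Name, RecipientType, OrganizationalUnit
```

    The output of step 5 is the check worth keeping. RecipientWriteScope comes back as CustomRecipientScope, but RecipientReadScope stays at the role's implicit read scope (Organization for the built-in Mail Recipients role), and neither a custom scope nor an OU scope on the assignment changes a read scope. That is why the help desk user can still list every mailbox in the ECP and EMC while only being able to edit the ones returned by step 7: an RBAC scope restricts what the assignee can change, not what the console enumerates.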

All replies

  • Could you please try this command

    New-ManagementScope -Name "Help Desk Scope" -RecipientRoot "MyDomain.local/MyOrgUnit" -RecipientRestrictionFilter {RecipientType -eq "UserMailbox"}

    1) $rg = Get-RoleGroup "Recipient Management"

    2) New-RoleGroup "Help Desk" -RecipientOrganizationalUnitScope "MyDomain.local/MyOrgUnit" -Roles $rg.Roles -CustomRecipientWriteScope "Help Desk Scope"

    3) Add-RoleGroupMember "Help Desk" -Member "admin user"


    Thanks Joseph Pradeep
    Monday, July 18, 2011 9:46 PM
  • Thanks for the reply but when I run the New-RoleGroup command I get the following error:

    The arguments 'CustomRecipientWriteScope' and 'RecipientOrganizationalUnitScope' are mutually exclusive. Use one or the other.

    Tuesday, July 19, 2011 10:48 AM
  • 2) New-RoleGroup "Help Desk" -RecipientOrganizationalUnitScope "MyDomain.local/MyOrgUnit" -Roles $rg.roles -CustomConfigWriteScope "Help Desk Scope"


    Thanks Joseph Pradeep
    Tuesday, July 19, 2011 2:01 PM
  • Thanks for the replies, using either command makes no difference - the help desk user can view all mailboxes.

    The permissions side of things is working, they can only amend details for users in the specified OU but I need to be able to hide all the other mailboxes from view.

    Friday, July 22, 2011 9:47 AM