Hello, our Helpdesk users should be able to modify the GAL using ECP. I have set up a custom Role/Group and assigned the Helpdesk users to it. They are able to modify the user properties but when they click on "Save" they get the following error : Recipient “internal.domain.com/UK/Users/Alan Smith” couldn’t be read from domain controller “UK-DC1.internal.domain.com”. This may be due to replication delays. Switching out of Forest mode should allow this operation to complete successfully. Doing the same with a "Organisation Management" User is successful. Servers are Exchange 2010, No SP, Rollup 4. Installing SP1 is no option as we have compatibility issues with other software. Any idea? Regards Matthias

Hi Matthias, Do you want your helpdesk to modify mailboxes(groups, contacts) in the manage My Organization->users& Groups? It's better if you can tell which custom Role you created and how? Please run the cmdlet Get-ManagementRoleAssignment -RoleAssignee "helpdesk user" | ft name,role and post the results here. Did the helpdesk users try to modify users using EMC? Frank Wang TechNet Subscriber Support in forum If you have any feedback on our support, please contact tngfb@microsoft.com Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

Hi Frank, Yes, i want them to manage them using ESP->My Organisation->Mailboxes. I can't really remember which commands i issued, but the problem is that the helpdesk is able to change the properties the users (the fields are not grayed out), but the get this error message. This is putput: [PS] C:\Windows\system32>Get-ManagementRoleAssignment -RoleAssignee "username" | fl name, role Name : GAL-GAL Management Role : GAL Name : MyBaseOptions-Default Role Assignment Policy Role : MyBaseOptions Name : MyContactInformation-Default Role Assignment Policy Role : MyContactInformation Name : MyVoiceMail-Default Role Assignment Policy Role : MyVoiceMail Name : MyTextMessaging-Default Role Assignment Policy Role : MyTextMessaging Name : MyDistributionGroupMembership-Default Role Assignment Policy Role : MyDistributionGroupMembership No, we haven't tried this yet. Regards Matthias

Tried usinf EMC and got this error: Set-User failed The Operation couldn't be performed because object 'internal.domain.com/UK/Users/Alan Smith' couldn’t be found on domain controller “UK-DC1.internal.domain.com”. However, the OU exists and the user too (for weeks). Regards Matthias

Hi Matthias, Please run the 1, Get-ManagementRoleAssignment "GAL-GAL Management" | fl 2, Get-ManagementRole GAL | fl name,roletype,*scope,*role 3, Get-ManagementRoleEntry "GAL\*" and post the results here. By the way, if you want to modify the properties of users(Set-User), you should create a custom role based on "Mail Recipients" Role. Frank Wang TechNet Subscriber Support in forum If you have any feedback on our support, please contact tngfb@microsoft.comPlease remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

Hi Frank 1: [PS] C:\>Get-ManagementRoleAssignment "GAL-GAL Management" | fl RunspaceId : 1c6e4a67-77ba-450c-85f2-738380a461c9 User : domain.com/Microsoft Exchange Security Groups/GAL Management AssignmentMethod : Direct Identity : GAL-GAL Management EffectiveUserName : All Group Members AssignmentChain : RoleAssigneeType : RoleGroup RoleAssignee : domain.com/Microsoft Exchange Security Groups/GAL Management Role : GAL RoleAssignmentDelegationType : Regular CustomRecipientWriteScope : CustomConfigWriteScope : RecipientReadScope : Organization ConfigReadScope : OrganizationConfig RecipientWriteScope : Organization ConfigWriteScope : OrganizationConfig Enabled : True RoleAssigneeName : GAL Management IsValid : True ExchangeVersion : 0.11 (14.0.550.0) Name : GAL-GAL Management DistinguishedName : CN=GAL-TCC GAL Management,CN=Role Assignments,CN=RBAC,CN=DOMAIN,CN=Microsoft Exch ange,CN=Services,CN=Configuration,DC=domain,DC=com Guid : 61142e66-d01a-4fc8-9e64-a05c5eaba930 ObjectCategory : domain.com/Configuration/Schema/ms-Exch-Role-Assignment ObjectClass : {top, msExchRoleAssignment} WhenChanged : 12/10/2010 12:32:22 PM WhenCreated : 12/10/2010 12:32:01 PM WhenChangedUTC : 12/10/2010 11:32:22 AM WhenCreatedUTC : 12/10/2010 11:32:01 AM OrganizationId : OriginatingServer : DE-DC2.internal.domain.com 2: [PS] C:\>Get-ManagementRole GAL | fl name,roletype,*scope,*role Name : GAL RoleType : MailRecipients ImplicitRecipientReadScope : Organization ImplicitRecipientWriteScope : Organization ImplicitConfigReadScope : OrganizationConfig ImplicitConfigWriteScope : OrganizationConfig IsRootRole : False IsEndUserRole : False 3: [PS] C:\>Get-ManagementRoleEntry "GAL\*" Name Role Parameters ---- ---- ---------- Set-User GAL {City, Company, Confirm, CountryOrRegion, Debug, Department... Get-CASMailbox GAL {Anr, Credential, Debug, DomainController, ErrorAction, Err... Get-Contact GAL {Anr, Credential, Debug, DomainController, ErrorAction, Err... Get-DomainController GAL {Credential, Debug, DomainName, ErrorAction, ErrorVariable,... Get-MailContact GAL {Anr, Credential, Debug, DomainController, ErrorAction, Err... Get-MailUser GAL {Anr, Credential, Debug, DomainController, ErrorAction, Err... Get-Mailbox GAL {Anr, Credential, Debug, DomainController, ErrorAction, Err... Get-MailboxDatabase GAL {Debug, DomainController, DumpsterStatistics, ErrorAction, ... Get-MailboxRegionalConfigur... GAL {Debug, DomainController, ErrorAction, ErrorVariable, Ident... Get-ManagementRoleAssignment GAL {AssignmentMethod, ConfigScopeRestriction, ConfigScopeRestr... Get-MessageCategory GAL {Debug, DomainController, ErrorAction, ErrorVariable, Ident... Get-MessageClassification GAL {Debug, DomainController, ErrorAction, ErrorVariable, Ident... Get-OfflineAddressBook GAL {Debug, DomainController, ErrorAction, ErrorVariable, Ident... Get-OrganizationalUnit GAL {Debug, DomainController, ErrorAction, ErrorVariable, Ident... Get-PhysicalAvailabilityReport GAL {DailyStatistics, Database, Debug, DomainController, EndDat... Get-Recipient GAL {Anr, BookmarkDisplayName, ErrorAction, ErrorVariable, Filt... Get-ResourceConfig GAL {Debug, DomainController, ErrorAction, ErrorVariable, Ident... Get-RoleAssignmentPolicy GAL {Debug, DomainController, ErrorAction, ErrorVariable, Ident... Get-SecurityPrincipal GAL {Debug, DomainController, ErrorAction, ErrorVariable, Filte... Get-ServiceAvailabilityReport GAL {DailyStatistics, Debug, DomainController, EndDate, ErrorAc... Get-ServiceStatus GAL {Debug, DomainController, ErrorAction, ErrorVariable, Maint... Get-TextMessagingAccount GAL {Credential, Debug, DomainController, ErrorAction, ErrorVar... Get-Trust GAL {Debug, DomainName, ErrorAction, ErrorVariable, OutBuffer, ... Get-User GAL {Anr, Credential, Debug, DomainController, ErrorAction, Err... Get-UserPrincipalNamesSuffix GAL {Debug, ErrorAction, ErrorVariable, OrganizationalUnit, Out... Set-MailUser GAL {AcceptMessagesOnlyFrom, AcceptMessagesOnlyFromDLMembers, A... I created a custom role based on Mail Recients. Thank you for your help! Regards Matthias

Looks like ManagementRole "GAL" has Set-User added. What are you trying to modify actually in the GAL of the user and check if that is added in Set-User. The Scope and the Management Role looks good. Now only question is what are you trying to modify??

Hi Matthias, I test it in my lab. I create a same custom role with Role Entry as yours. And it works. From the output of Get-ManagementRoleEntry "GAL\*": Set-User GAL {City, Company, Confirm, CountryOrRegion, Debug, Department... Seems like you also deleted some parameters of the RoleEntry "GAL\Set-User". Please run the (Get-ManagementRoleEntry "GAL\Set-User").parameters to see which parameters you deleted. Frank Wang TechNet Subscriber Support in forum If you have any feedback on our support, please contact tngfb@microsoft.com Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

Hi Frank, Your lab is on SP1 ? Sure, i deleted some entries because we do not want our helpdesk to edit all properties. This is the output: City Company Confirm CountryOrRegion Debug Department DomainController ErrorAction ErrorVariable Fax HomePhone IgnoreDefaultScope Manager MobilePhone Notes Office OtherFax OtherHomePhone OtherTelephone OutBuffer OutVariable Pager Phone PhoneticDisplayName PostalCode PostOfficeBox RemotePowerShellEnabled ResetPasswordOnNextLogon SamAccountName SimpleDisplayName StateOrProvince StreetAddress TelephoneAssistant Title UserPrincipalName Verbose WarningAction WarningVariable WebPage WhatIf WindowsEmailAddress @Harisha: We want the Helpdesk to modify things like City, Stree, Phone # and modifing these are causing the error message ... Regards Matthias

No, Exchange 2010 Rollup 4. Same as yours :)Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

Hi Matthias, Please add the parameter Identity to the RoleEntry: Set-ManagementRoleEntry "GAL\Set-User" -Parameters Identity -AddParameter Details: Set-ManagementRoleEntry http://technet.microsoft.com/en-us/library/dd351162(EXCHG.140).aspx Frank Wang TechNet Subscriber Support in forum If you have any feedback on our support, please contact tngfb@microsoft.com Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

Hi Matthias, Any updates on your issue?Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

Hello Frank, this was the answer. After setting the Identity parameter all is ok! Thank you! Regards Matthias