Problems with RBAC scopes
Hi, I have created a custom role and used "Mail Recipients" as the parent role. I have assigned a write scope for this role to "domain.internal/office1/Users", and everything works fine: people assigned this role can manage users and set "Manage Full Access Permissions". The problem is that the same admin group that has been assigned the custom "Mail Recipients" role can also modify "Manage Full Access Permissions" outside the scope, for example on users under "domain.internal/office2/Users" or "domain.internal/office3/Users". That's not my intention, and that's why I assigned a specific write scope for the custom "Mail Recipients" role. Can anyone help with why my write scope doesn't apply? Does this have something to do with the transition from Exchange 2007? We are using one Exchange 2010 SP1 server (transitioned from Exchange 2007) in a single-domain environment.

Regicide
March 2nd, 2011 6:48pm

Hi Frank,

Get-ManagementRoleAssignment -RoleAssignee "people"

Get-ManagementRoleAssignment -RoleAssignee "aadam4" | fl

RunspaceId : b7a8ff20-fd78-47ff-a8a1-28877e499484
User : congrex.internal/Congrex Group/Users/Admins/aadam4
AssignmentMethod : Direct
Identity : Public_Folders_MailRecipientsAssigment
EffectiveUserName : aadam4
AssignmentChain :
RoleAssigneeType : User
RoleAssignee : congrex.internal/Congrex Group/Users/Admins/aadam4
Role : Public_Folders_MailRecipients
RoleAssignmentDelegationType : Regular
CustomRecipientWriteScope : Public_Folders_MailRecipients_Scope
CustomConfigWriteScope :
RecipientReadScope : Organization
ConfigReadScope : OrganizationConfig
RecipientWriteScope : CustomRecipientScope
ConfigWriteScope : OrganizationConfig
Enabled : True
RoleAssigneeName : aadam4
IsValid : True
ExchangeVersion : 0.11 (14.0.550.0)
Name : Public_Folders_MailRecipientsAssigment
DistinguishedName : CN=Public_Folders_MailRecipientsAssigment,CN=Role Assignments,CN=RBAC,CN=Congrex Group,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=congrex,DC=internal
Guid : 9b078c20-a35c-4875-b376-ec16b4d87174
ObjectCategory : congrex.internal/Configuration/Schema/ms-Exch-Role-Assignment
ObjectClass : {top, msExchRoleAssignment}
WhenChanged : 3/1/2011 3:13:08 PM
WhenCreated : 3/1/2011 3:13:08 PM
WhenChangedUTC : 3/1/2011 2:13:08 PM
WhenCreatedUTC : 3/1/2011 2:13:08 PM
OrganizationId :
OriginatingServer : CEN-SV-DC-02.congrex.internal

RunspaceId : b7a8ff20-fd78-47ff-a8a1-28877e499484
User : congrex.internal/Congrex Group/Users/Admins/aadam4
AssignmentMethod : RoleGroup
Identity : Public_Folders_MailRecipients-ITAMs_Public_Folder_Managment
EffectiveUserName : All Group Members
AssignmentChain :
RoleAssigneeType : RoleGroup
RoleAssignee : congrex.internal/Microsoft Exchange Security Groups/ITAMs_Public_Folder_Managment
Role : Public_Folders_MailRecipients
RoleAssignmentDelegationType : Regular
CustomRecipientWriteScope : congrex.internal/Congrex Group/Users_Projects
CustomConfigWriteScope :
RecipientReadScope : Organization
ConfigReadScope : OrganizationConfig
RecipientWriteScope : OU
ConfigWriteScope : OrganizationConfig
Enabled : True
RoleAssigneeName : ITAMs_Public_Folder_Managment
IsValid : True
ExchangeVersion : 0.11 (14.0.550.0)
Name : Public_Folders_MailRecipients-ITAMs_Public_Folder_Managment
DistinguishedName : CN=Public_Folders_MailRecipients-ITAMs_Public_Folder_Managment,CN=Role Assignments,CN=RBAC,CN=Congrex Group,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=congrex,DC=internal
Guid : 37ab6d85-d712-4a78-a06f-e8249b4755d7
ObjectCategory : congrex.internal/Configuration/Schema/ms-Exch-Role-Assignment
ObjectClass : {top, msExchRoleAssignment}
WhenChanged : 3/1/2011 12:22:53 PM
WhenCreated : 3/1/2011 12:22:38 PM
WhenChangedUTC : 3/1/2011 11:22:53 AM
WhenCreatedUTC : 3/1/2011 11:22:38 AM
OrganizationId :
OriginatingServer : CEN-SV-DC-02.congrex.internal

Get-ManagementRoleAssignment -Role "custom role name" | fl

Get-ManagementRoleAssignment -Role "Public_Folders_MailRecipients" | fl

RunspaceId : b7a8ff20-fd78-47ff-a8a1-28877e499484
User : congrex.internal/Microsoft Exchange Security Groups/ITAMs_Public_Folder_Managment
AssignmentMethod : Direct
Identity : Public_Folders_MailRecipients-ITAMs_Public_Folder_Managment
EffectiveUserName : All Group Members
AssignmentChain :
RoleAssigneeType : RoleGroup
RoleAssignee : congrex.internal/Microsoft Exchange Security Groups/ITAMs_Public_Folder_Managment
Role : Public_Folders_MailRecipients
RoleAssignmentDelegationType : Regular
CustomRecipientWriteScope : congrex.internal/Congrex Group/Users_Projects
CustomConfigWriteScope :
RecipientReadScope : Organization
ConfigReadScope : OrganizationConfig
RecipientWriteScope : OU
ConfigWriteScope : OrganizationConfig
Enabled : True
RoleAssigneeName : ITAMs_Public_Folder_Managment
IsValid : True
ExchangeVersion : 0.11 (14.0.550.0)
Name : Public_Folders_MailRecipients-ITAMs_Public_Folder_Managment
DistinguishedName : CN=Public_Folders_MailRecipients-ITAMs_Public_Folder_Managment,CN=Role Assignments,CN=RBAC,CN=Congrex Group,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=congrex,DC=internal
Guid : 37ab6d85-d712-4a78-a06f-e8249b4755d7
ObjectCategory : congrex.internal/Configuration/Schema/ms-Exch-Role-Assignment
ObjectClass : {top, msExchRoleAssignment}
WhenChanged : 3/1/2011 12:22:53 PM
WhenCreated : 3/1/2011 12:22:38 PM
WhenChangedUTC : 3/1/2011 11:22:53 AM
WhenCreatedUTC : 3/1/2011 11:22:38 AM
OrganizationId :
OriginatingServer : CEN-SV-DC-02.congrex.internal

RunspaceId : b7a8ff20-fd78-47ff-a8a1-28877e499484
User : congrex.internal/Congrex Group/Users/Admins/aadam4
AssignmentMethod : Direct
Identity : Public_Folders_MailRecipientsAssigment
EffectiveUserName : aadam4
AssignmentChain :
RoleAssigneeType : User
RoleAssignee : congrex.internal/Congrex Group/Users/Admins/aadam4
Role : Public_Folders_MailRecipients
RoleAssignmentDelegationType : Regular
CustomRecipientWriteScope : Public_Folders_MailRecipients_Scope
CustomConfigWriteScope :
RecipientReadScope : Organization
ConfigReadScope : OrganizationConfig
RecipientWriteScope : CustomRecipientScope
ConfigWriteScope : OrganizationConfig
Enabled : True
RoleAssigneeName : aadam4
IsValid : True
ExchangeVersion : 0.11 (14.0.550.0)
Name : Public_Folders_MailRecipientsAssigment
DistinguishedName : CN=Public_Folders_MailRecipientsAssigment,CN=Role Assignments,CN=RBAC,CN=Congrex Group,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=congrex,DC=internal
Guid : 9b078c20-a35c-4875-b376-ec16b4d87174
ObjectCategory : congrex.internal/Configuration/Schema/ms-Exch-Role-Assignment
ObjectClass : {top, msExchRoleAssignment}
WhenChanged : 3/1/2011 3:13:08 PM
WhenCreated : 3/1/2011 3:13:08 PM
WhenChangedUTC : 3/1/2011 2:13:08 PM
WhenCreatedUTC : 3/1/2011 2:13:08 PM
OrganizationId :
OriginatingServer : CEN-SV-DC-02.congrex.internal

Get-ManagementScope "write scope" | fl

Get-ManagementScope | fl

RunspaceId : b7a8ff20-fd78-47ff-a8a1-28877e499484
RecipientRoot : congrex.internal/Congrex Group/Users_Projects
RecipientFilter : RecipientType -eq 'UserMailbox'
ServerFilter :
DatabaseFilter :
TenantOrganizationFilter :
ScopeRestrictionType : RecipientScope
Exclusive : False
AdminDisplayName :
ExchangeVersion : 1.10 (14.1.90.0)
Name : Public_Folders_MailRecipients_Scope
DistinguishedName : CN=Public_Folders_MailRecipients_Scope,CN=Scopes,CN=RBAC,CN=Congrex Group,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=congrex,DC=internal
Identity : Public_Folders_MailRecipients_Scope
Guid : 7b0e704d-6dc9-4ded-a41c-cf353f405c85
ObjectCategory : congrex.internal/Configuration/Schema/ms-Exch-Scope
ObjectClass : {top, msExchScope}
WhenChanged : 3/1/2011 3:12:20 PM
WhenCreated : 3/1/2011 3:12:20 PM
WhenChangedUTC : 3/1/2011 2:12:20 PM
WhenCreatedUTC : 3/1/2011 2:12:20 PM
OrganizationId :
OriginatingServer : CEN-SV-DC-02.congrex.internal
IsValid : True

Regicide
March 4th, 2011 1:37pm

Hi Frank, thanks for all the help so far, and sorry for my stupid naming ;) But let me show you how I created the RBAC assignment; I redid the RBAC with new names.

1. New-ManagementRole -Parent "Mail Recipients" -Name "Project_Mailbox_ManagementRole"
2. New-RoleGroup "Project_Mailbox_Rolegroup" -Roles "Project_Mailbox_ManagementRole" -Members "aadam4" -ManagedBy "aadam" -Description "This group can manage full mailbox permission on all Project Mailboxes" -RecipientOrganizationalUnitScope "congrex.internal/Congrex Group/Users_Projects"
3. New-ManagementScope -Name "Project_Mailbox_ManagementScope" -RecipientRoot "congrex.internal/Congrex Group/Users_Projects" -RecipientRestrictionFilter {RecipientType -eq "UserMailbox"}
4. New-ManagementRoleAssignment -Name "Project_Mailbox_ManagementRoleAssignment" -Role "Project_Mailbox_ManagementRole" -User aadam4 -CustomRecipientWriteScope "Project_Mailbox_ManagementScope"

With the "aadam4" account I can now set "Manage Full Access Permissions" in "congrex.internal/Congrex Group/Users_Projects", but also outside the scope I restricted, like "congrex.internal/Congrex Group/Users". I also tried to remove the "aadam4" account from "Project_Mailbox_Rolegroup" as you suggested, but I can still set "Manage Full Access Permissions" in the "congrex.internal/Congrex Group/Users_Projects" OU, where I should be able to set permissions, and I can also set permissions on "congrex.internal/Congrex Group/Users", where I should not be able to.

Regicide
March 7th, 2011 5:57pm
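Editor's note, not part of the thread: in Exchange RBAC the assignments reaching an account are additive, so the account can use a cmdlet wherever any one of its assignments permits it, and the widest write scope among them is the one that matters. The script below is an added example (not the poster's code and not from Microsoft) for an organization administrator to list every assignment that reaches the test account, resolve what each recipient write scope actually covers, and flag any assignment that both grants Add-MailboxPermission (the cmdlet behind "Manage Full Access Permissions") and is not bounded by the intended OU. The account, role and OU names are the poster's; everything else is assumed.

```powershell
# Added example: audit which RBAC assignments reach one account and how wide their
# recipient write scopes really are. Run in the Exchange Management Shell as an
# organization administrator. Names taken from the thread; the logic is the editor's.

$Account    = "aadam4"
$IntendedOU = "congrex.internal/Congrex Group/Users_Projects"

# Every role that contains the cmdlet we care about. An account can run it if ANY
# role assigned to it (directly or through a role group) carries this entry.
$rolesWithCmdlet = Get-ManagementRoleEntry "*\Add-MailboxPermission" |
    ForEach-Object { $_.Role.ToString() }

$report = foreach ($a in Get-ManagementRoleAssignment -RoleAssignee $Account) {
    # Translate the write scope type into the OU (and filter) it is bounded by.
    switch ($a.RecipientWriteScope.ToString()) {
        "CustomRecipientScope" {
            $s      = Get-ManagementScope $a.CustomRecipientWriteScope
            $root   = "$($s.RecipientRoot)"
            $filter = "$($s.RecipientFilter)"
        }
        "OU" {
            # Set by -RecipientOrganizationalUnitScope on the role group.
            $root   = "$($a.CustomRecipientWriteScope)"
            $filter = ""
        }
        default {
            # Organization, Self, MyGAL, ...: not bounded by an OU at all.
            $root   = "<$($a.RecipientWriteScope)>"
            $filter = ""
        }
    }

    $grants = $rolesWithCmdlet -contains $a.Role.ToString()

    New-Object PSObject -Property @{
        Assignment     = $a.Name
        Via            = $a.AssignmentMethod      # Direct or RoleGroup
        Role           = $a.Role.ToString()
        GrantsCmdlet   = $grants
        WriteScopeType = $a.RecipientWriteScope
        WriteRoot      = $root
        WriteFilter    = $filter
        # Problem: grants the cmdlet but its root is not the intended OU or a child of it.
        TooWide        = $grants -and -not $root.StartsWith($IntendedOU)
    }
}

$report | Format-Table Assignment, Via, Role, GrantsCmdlet, WriteScopeType, WriteRoot, TooWide -AutoSize

# Anything listed here explains out-of-scope access by itself; if the list is empty,
# the widening is not coming from a visible assignment on this account.
$report | Where-Object { $_.TooWide }
```

Run it once for the user and once for each role group the user belongs to; if every assignment shows a root under the intended OU and nothing is flagged, the RBAC configuration is not the source of the out-of-scope access and the remaining suspects are things RBAC does not govern, such as rights held directly on the AD objects.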

Hi Frank, I created a new user "aadam6" and just added that user to "Project_Mailbox_Rolegroup". But with the same results: I can still set "Manage Full Access Permissions" outside my write scope "congrex.internal/Congrex Group/Users_Projects". I have created two screenshots where you can review the results:

http://www.4shared.com/photo/uiBroR3R/Exchange-1.html
http://www.4shared.com/photo/IB7bsZZS/Exchange-2.html

Regicide
March 8th, 2011 11:33am

Hi cn9, thanks, I will do the update as soon as I get the opportunity and get back to you if it works. But I wonder how this error can even exist when MS implements a new, granular permission model with RBAC.

Regicide
March 9th, 2011 11:01am

Hi Frank, I ran a "Permission Check" with ExBPA and found no errors. On all my mailbox user objects I have the following permissions set:

Congrex\Exchange Servers
Congrex\Exchange Trusted Subsystem
NT AUTHORITY\SELF
NT AUTHORITY\SYSTEM

The reason you didn't see that in my screenshot is that I manually removed all permissions besides "NT AUTHORITY\SELF" just for testing purposes, but that did not make any difference and I changed it back; sorry for confusing you. Here is a screenshot of how permissions look on all mailbox objects in our domain: http://www.4shared.com/photo/1uzaeSs5/Exchange-3.html But I'm very interested in whether cn9's tip about Rollup 3 will fix my issue; I promise to get back to both of you.

Regicide
March 9th, 2011 12:20pm

Yeah, that's my point, very unsettling. But I'm happy that MS found the problem!

Regicide
March 9th, 2011 6:40pm

Hi Frank, sorry, after installing the RU3 update and restarting the server I can still manage users outside my scope. I even removed the management role and role group and recreated them from scratch, but I still have the issue where I can set "Manage Full Access Permissions" outside my write scope. I created the management role and role group with the following commands:

1. New-ManagementRole -Parent "Mail Recipients" -Name "Project_Mailbox_ManagementRole"
2. New-RoleGroup "Project_Mailbox_Rolegroup" -Roles "Project_Mailbox_ManagementRole" -Members "aadam6" -ManagedBy "aadam" -Description "This group can manage full mailbox permission on all Project Mailboxes" -RecipientOrganizationalUnitScope "congrex.internal/Congrex Group/Users_Projects"

Regicide
March 14th, 2011 11:10am

Hi cn9, I can't enable, disable or remove any accounts outside my scope. I can only set "Manage Full Access Permissions". In the end I will also need to manage "Manage Send As Permission" for the same scope, but when I add the "Active Directory Permissions" role to the same role group "Project_Mailbox_Rolegroup", I can then also set "Manage Send As Permission" outside my scope.

Regicide
March 15th, 2011 11:18am
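Editor's note, not part of the thread: the post above adds the whole built-in "Active Directory Permissions" role to the role group in order to get "Manage Send As Permission". That role carries more cmdlets than the Send As task needs. The following is an added example (not the poster's code and not from Microsoft) of the least-privilege alternative: derive a custom role from that parent, strip it down to the ADPermission cmdlets, restrict Add-ADPermission to the parameters Send As requires, and assign the role to the existing role group with the same custom recipient write scope. The role and assignment names "Project_Mailbox_SendAsRole" and "Project_Mailbox_SendAsAssignment" are hypothetical; the role group and scope names are the poster's.

```powershell
# Added example: a narrowed Send As role assigned with the poster's custom write scope.
# Run in the Exchange Management Shell as an organization administrator.

$RoleName   = "Project_Mailbox_SendAsRole"          # hypothetical
$AssignName = "Project_Mailbox_SendAsAssignment"    # hypothetical
$RoleGroup  = "Project_Mailbox_Rolegroup"           # from the thread
$WriteScope = "Project_Mailbox_ManagementScope"     # from the thread

# 1. Child role: starts as a full copy of the parent's role entries.
New-ManagementRole -Parent "Active Directory Permissions" -Name $RoleName

# 2. Keep only the cmdlets needed to view, grant and revoke Send As; drop the rest.
$keep = @("Get-ADPermission", "Add-ADPermission", "Remove-ADPermission")
Get-ManagementRoleEntry "$RoleName\*" |
    Where-Object { $keep -notcontains $_.Name } |
    Remove-ManagementRoleEntry -Confirm:$false

# 3. Trim Add-ADPermission to the parameters Send As needs (Identity, User,
#    ExtendedRights), so the role cannot be used to grant arbitrary AD rights.
Set-ManagementRoleEntry "$RoleName\Add-ADPermission" -Parameters Identity, User, ExtendedRights
Set-ManagementRoleEntry "$RoleName\Remove-ADPermission" -Parameters Identity, User, ExtendedRights, Confirm

# 4. Assign to the role group with the SAME custom recipient write scope the
#    Full Access role uses, instead of the parent role's default scope.
New-ManagementRoleAssignment -Name $AssignName -Role $RoleName `
    -SecurityGroup $RoleGroup -CustomRecipientWriteScope $WriteScope

# 5. Verify: the assignment must report CustomRecipientScope, not Organization.
Get-ManagementRoleAssignment -Role $RoleName |
    Format-List Name, RoleAssignee, RecipientWriteScope, CustomRecipientWriteScope

# 6. Verify what is left in the role after trimming.
Get-ManagementRoleEntry "$RoleName\*" | Format-Table Name, Parameters -AutoSize
```

The design point is that scope and role entries are independent controls: the custom write scope limits which recipients the cmdlets may target, while the trimmed entry list and parameter set limit what those cmdlets can do. Removing the parent role from the role group afterwards, so only the narrowed assignment remains, is what keeps the reduction effective, since assignments are additive.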

The account I'm using to test is only a member of one role group, "Project_Mailbox_Rolegroup".

Regicide
March 15th, 2011 12:11pm

Any new ideas? I can't get this working.

Regicide
March 22nd, 2011 1:35pm

Hi Frank, is anyone from Microsoft interested in solving this issue? From my perspective, permission problems are quite a critical issue.

Regicide
March 23rd, 2011 10:48am

Hi guys, just to follow up with the release of Update Rollup 3 (V3): after installation and restarting the server I still have problems where I can set permissions outside my role assignment scope.

Adam Bokiniec
April 7th, 2011 8:49am
