Problems with RBAC scopes
Hi, I have created a custom role and used “Mail Recipients” as the parent role. I have assigned a write scope for this role to "domain.internal/office1/Users". Everything works fine: people assigned this role can manage users and set “Manage Full Access Permissions”.
The problem is that the same admin group that has been assigned the custom “Mail Recipients” role can also modify “Manage Full Access Permissions” outside the scope, for example for users under "domain.internal/office2/Users" or "domain.internal/office3/Users".
That’s not my intention and that’s why I assigned a specific write scope for the custom “Mail Recipients” role.
Can anyone help me understand why my write scope doesn’t apply? Does this have something to do with the transition from Exchange 2007?
We are using one Exchange 2010 SP1 server (transitioned from Exchange 2007) in a single domain environment.
Regicide
March 2nd, 2011 6:48pm
Hi Regicide,
"people assigned this role" ,"the same admin group "
Did you assign the custom role to the user or to a role group?
Are the permissions of the people as expected (people can only manage the users in office1)?
Please run the following cmdlets and post the results here.
Get-ManagementRoleAssignment -RoleAssignee "people"
Get-ManagementRoleAssignment -Role "custom role name" | fl
Get-ManagementScope "write scope" | fl
Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
March 4th, 2011 4:20am
Hi Frank,
Get-ManagementRoleAssignment -RoleAssignee "people"
Get-ManagementRoleAssignment -RoleAssignee "aadam4" | fl
RunspaceId : b7a8ff20-fd78-47ff-a8a1-28877e499484
User : congrex.internal/Congrex Group/Users/Admins/aadam4
AssignmentMethod : Direct
Identity : Public_Folders_MailRecipientsAssigment
EffectiveUserName : aadam4
AssignmentChain :
RoleAssigneeType : User
RoleAssignee : congrex.internal/Congrex Group/Users/Admins/aadam4
Role : Public_Folders_MailRecipients
RoleAssignmentDelegationType : Regular
CustomRecipientWriteScope : Public_Folders_MailRecipients_Scope
CustomConfigWriteScope :
RecipientReadScope : Organization
ConfigReadScope : OrganizationConfig
RecipientWriteScope : CustomRecipientScope
ConfigWriteScope : OrganizationConfig
Enabled : True
RoleAssigneeName : aadam4
IsValid : True
ExchangeVersion : 0.11 (14.0.550.0)
Name : Public_Folders_MailRecipientsAssigment
DistinguishedName : CN=Public_Folders_MailRecipientsAssigment,CN=Role Assignments,CN=RBAC,CN=Congrex Group,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=congrex,DC=internal
Guid : 9b078c20-a35c-4875-b376-ec16b4d87174
ObjectCategory : congrex.internal/Configuration/Schema/ms-Exch-Role-Assignment
ObjectClass : {top, msExchRoleAssignment}
WhenChanged : 3/1/2011 3:13:08 PM
WhenCreated : 3/1/2011 3:13:08 PM
WhenChangedUTC : 3/1/2011 2:13:08 PM
WhenCreatedUTC : 3/1/2011 2:13:08 PM
OrganizationId :
OriginatingServer : CEN-SV-DC-02.congrex.internal
RunspaceId : b7a8ff20-fd78-47ff-a8a1-28877e499484
User : congrex.internal/Congrex Group/Users/Admins/aadam4
AssignmentMethod : RoleGroup
Identity : Public_Folders_MailRecipients-ITAMs_Public_Folder_Managment
EffectiveUserName : All Group Members
AssignmentChain :
RoleAssigneeType : RoleGroup
RoleAssignee : congrex.internal/Microsoft Exchange Security Groups/ITAMs_Public_Folder_Managment
Role : Public_Folders_MailRecipients
RoleAssignmentDelegationType : Regular
CustomRecipientWriteScope : congrex.internal/Congrex Group/Users_Projects
CustomConfigWriteScope :
RecipientReadScope : Organization
ConfigReadScope : OrganizationConfig
RecipientWriteScope : OU
ConfigWriteScope : OrganizationConfig
Enabled : True
RoleAssigneeName : ITAMs_Public_Folder_Managment
IsValid : True
ExchangeVersion : 0.11 (14.0.550.0)
Name : Public_Folders_MailRecipients-ITAMs_Public_Folder_Managment
DistinguishedName : CN=Public_Folders_MailRecipients-ITAMs_Public_Folder_Managment,CN=Role Assignments,CN=RBAC,CN=Congrex Group,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=congrex,DC=internal
Guid : 37ab6d85-d712-4a78-a06f-e8249b4755d7
ObjectCategory : congrex.internal/Configuration/Schema/ms-Exch-Role-Assignment
ObjectClass : {top, msExchRoleAssignment}
WhenChanged : 3/1/2011 12:22:53 PM
WhenCreated : 3/1/2011 12:22:38 PM
WhenChangedUTC : 3/1/2011 11:22:53 AM
WhenCreatedUTC : 3/1/2011 11:22:38 AM
OrganizationId :
OriginatingServer : CEN-SV-DC-02.congrex.internal
Get-ManagementRoleAssignment -Role "custom role name" | fl
Get-ManagementRoleAssignment -Role "Public_Folders_MailRecipients" | fl
RunspaceId : b7a8ff20-fd78-47ff-a8a1-28877e499484
User : congrex.internal/Microsoft Exchange Security Groups/ITAMs_Public_Folder_Managment
AssignmentMethod : Direct
Identity : Public_Folders_MailRecipients-ITAMs_Public_Folder_Managment
EffectiveUserName : All Group Members
AssignmentChain :
RoleAssigneeType : RoleGroup
RoleAssignee : congrex.internal/Microsoft Exchange Security Groups/ITAMs_Public_Folder_Managment
Role : Public_Folders_MailRecipients
RoleAssignmentDelegationType : Regular
CustomRecipientWriteScope : congrex.internal/Congrex Group/Users_Projects
CustomConfigWriteScope :
RecipientReadScope : Organization
ConfigReadScope : OrganizationConfig
RecipientWriteScope : OU
ConfigWriteScope : OrganizationConfig
Enabled : True
RoleAssigneeName : ITAMs_Public_Folder_Managment
IsValid : True
ExchangeVersion : 0.11 (14.0.550.0)
Name : Public_Folders_MailRecipients-ITAMs_Public_Folder_Managment
DistinguishedName : CN=Public_Folders_MailRecipients-ITAMs_Public_Folder_Managment,CN=Role Assignments,CN=RBAC,CN=Congrex Group,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=congrex,DC=internal
Guid : 37ab6d85-d712-4a78-a06f-e8249b4755d7
ObjectCategory : congrex.internal/Configuration/Schema/ms-Exch-Role-Assignment
ObjectClass : {top, msExchRoleAssignment}
WhenChanged : 3/1/2011 12:22:53 PM
WhenCreated : 3/1/2011 12:22:38 PM
WhenChangedUTC : 3/1/2011 11:22:53 AM
WhenCreatedUTC : 3/1/2011 11:22:38 AM
OrganizationId :
OriginatingServer : CEN-SV-DC-02.congrex.internal
RunspaceId : b7a8ff20-fd78-47ff-a8a1-28877e499484
User : congrex.internal/Congrex Group/Users/Admins/aadam4
AssignmentMethod : Direct
Identity : Public_Folders_MailRecipientsAssigment
EffectiveUserName : aadam4
AssignmentChain :
RoleAssigneeType : User
RoleAssignee : congrex.internal/Congrex Group/Users/Admins/aadam4
Role : Public_Folders_MailRecipients
RoleAssignmentDelegationType : Regular
CustomRecipientWriteScope : Public_Folders_MailRecipients_Scope
CustomConfigWriteScope :
RecipientReadScope : Organization
ConfigReadScope : OrganizationConfig
RecipientWriteScope : CustomRecipientScope
ConfigWriteScope : OrganizationConfig
Enabled : True
RoleAssigneeName : aadam4
IsValid : True
ExchangeVersion : 0.11 (14.0.550.0)
Name : Public_Folders_MailRecipientsAssigment
DistinguishedName : CN=Public_Folders_MailRecipientsAssigment,CN=Role Assignments,CN=RBAC,CN=Congrex Group,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=congrex,DC=internal
Guid : 9b078c20-a35c-4875-b376-ec16b4d87174
ObjectCategory : congrex.internal/Configuration/Schema/ms-Exch-Role-Assignment
ObjectClass : {top, msExchRoleAssignment}
WhenChanged : 3/1/2011 3:13:08 PM
WhenCreated : 3/1/2011 3:13:08 PM
WhenChangedUTC : 3/1/2011 2:13:08 PM
WhenCreatedUTC : 3/1/2011 2:13:08 PM
OrganizationId :
OriginatingServer : CEN-SV-DC-02.congrex.internal
Get-ManagementScope "write scope" | fl
Get-ManagementScope | fl
RunspaceId : b7a8ff20-fd78-47ff-a8a1-28877e499484
RecipientRoot : congrex.internal/Congrex Group/Users_Projects
RecipientFilter : RecipientType -eq 'UserMailbox'
ServerFilter :
DatabaseFilter :
TenantOrganizationFilter :
ScopeRestrictionType : RecipientScope
Exclusive : False
AdminDisplayName :
ExchangeVersion : 1.10 (14.1.90.0)
Name : Public_Folders_MailRecipients_Scope
DistinguishedName : CN=Public_Folders_MailRecipients_Scope,CN=Scopes,CN=RBAC,CN=Congrex Group,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=congrex,DC=internal
Identity : Public_Folders_MailRecipients_Scope
Guid : 7b0e704d-6dc9-4ded-a41c-cf353f405c85
ObjectCategory : congrex.internal/Configuration/Schema/ms-Exch-Scope
ObjectClass : {top, msExchScope}
WhenChanged : 3/1/2011 3:12:20 PM
WhenCreated : 3/1/2011 3:12:20 PM
WhenChangedUTC : 3/1/2011 2:12:20 PM
WhenCreatedUTC : 3/1/2011 2:12:20 PM
OrganizationId :
OriginatingServer : CEN-SV-DC-02.congrex.internal
IsValid : True
Regicide
March 4th, 2011 5:48am
Hi Regicide,
According to your output, it seems there is no issue.
You assigned the Public_Folders_MailRecipients role to aadam4 directly with a custom scope, and to the ITAMs_Public_Folder_Managment role group with an OU scope.
From your posted question, I guess aadam4 can manage users correctly, but the role group cannot, right?
Since aadam4 is also a member of the role group, I would suggest you remove the direct assignment to narrow down the issue.
By the way, did you create the role group with RecipientOrganizationalUnitScope as the following topic describes:
Create a Role Group
http://technet.microsoft.com/en-us/library/dd638209.aspx
(At last, I just wonder why you gave the name Public_Folders to the custom role...)
March 7th, 2011 3:23am
Hi Frank, thanks for all the help so far and sorry for my stupid naming ;)
But let me show you here how I created the RBAC assignment; I redid the RBAC with new names.
1. New-ManagementRole -Parent "Mail Recipients" -Name "Project_Mailbox_ManagementRole"
2. New-RoleGroup "Project_Mailbox_Rolegroup" -Roles "Project_Mailbox_ManagementRole" -Members "aadam4" -ManagedBy "aadam" -Description "This group can manage full mailbox permission on all Project Mailboxes" -RecipientOrganizationalUnitScope "congrex.internal/Congrex Group/Users_Projects"
3. New-ManagementScope -Name "Project_Mailbox_ManagementScope" -RecipientRoot "congrex.internal/Congrex Group/Users_Projects" -RecipientRestrictionFilter {RecipientType -eq "UserMailbox"}
4. New-ManagementRoleAssignment -Name "Project_Mailbox_ManagementRoleAssignment" -Role "Project_Mailbox_ManagementRole" -User aadam4 -CustomRecipientWriteScope "Project_Mailbox_ManagementScope"
With the "aadam4" account I can now set “Manage Full Access Permissions” in "congrex.internal/Congrex Group/Users_Projects", but also outside the scope I restricted it to, like "congrex.internal/Congrex Group/Users".
I also tried removing the "aadam4" account from "Project_Mailbox_Rolegroup" as you suggested, but I can still set “Manage Full Access Permissions” in the "congrex.internal/Congrex Group/Users_Projects" OU, where I should be able to set permissions, and I can also set permissions on "congrex.internal/Congrex Group/Users", where I should not be able to.
Regicide
March 7th, 2011 9:58am
Hi Regicide,
If you want to manage users within an OU scope, the first 2 cmdlets are enough. Assigning a role directly to a user is an advanced task; you rarely need to do that.
So could you please add a new test user (e.g. aadam5) to the "Project_Mailbox_Rolegroup" role group to test?
March 7th, 2011 9:56pm
Hi Frank,
I created a new user "aadam6" and just added that user to "Project_Mailbox_Rolegroup". But with the same results: I can still set "Manage Full Access Permissions" outside my write scope "congrex.internal/Congrex Group/Users_Projects".
I have created two screenshots where you can review the results:
http://www.4shared.com/photo/uiBroR3R/Exchange-1.html
http://www.4shared.com/photo/IB7bsZZS/Exchange-2.html
Regicide
March 8th, 2011 3:34am
Hi Frank,
I created a new user "aadam6" and just added that user to "Project_Mailbox_Rolegroup". But with the same results: I can still set "Manage Full Access Permissions" outside my write scope "congrex.internal/Congrex Group/Users_Projects".
I have created two screenshots where you can review the results: http://www.filemail.com/dl.aspx?id=JNQAPDBSIILILET
Regicide
March 8th, 2011 3:34am
Hi Regicide,
Could you please run the ExBPA in the Toolbox to do a "Permission Check"?
Please also run setup /PrepareAD again:
Prepare Active Directory and Domains
http://technet.microsoft.com/en-us/library/bb125224.aspx
The reason is that the "Congrex\Exchange Trusted Subsystem" security group should be listed in the permission list.
March 8th, 2011 9:29pm
Looks like this was fixed in 2010 SP1 Update Rollup 3, which came out today. See
http://support.microsoft.com/kb/2410571
Info about all of UR3: http://support.microsoft.com/kb/2492690
March 8th, 2011 10:16pm
Hi cn9,
Thanks, I will do the update as soon as I get the opportunity and get back to you if it works. But I wonder how this error can even exist when MS implements a new granular permission model with RBAC.
Regicide
March 9th, 2011 3:02am
Hi Frank,
I ran a “Permission Check” with ExBPA and found no errors. On all my mailbox user objects I have the following permissions set:
Congrex\Exchange Servers
Congrex\Exchange Trusted Subsystem
NT AUTHORITY\SELF
NT AUTHORITY\SYSTEM
The reason you didn’t see that in my screenshot is that I manually removed all permissions besides “NT AUTHORITY\SELF” just for testing purposes, but that did not make any difference and I changed it back. Sorry for confusing you.
Here is a screenshot of how the permissions look on all mailbox objects in our domain:
http://www.4shared.com/photo/1uzaeSs5/Exchange-3.html
But I’m very interested in whether cn9's tip about rollup 3 will fix my issue; I promise to get back to both of you.
Regicide
March 9th, 2011 4:21am
As the kb article states, the action was proceeding without actually checking the scope through RBAC. (Which is kind of unsettling...)
March 9th, 2011 10:02am
Yeah, that's my point, very unsettling. But I’m happy that MS found the problem!
Regicide
March 9th, 2011 10:42am
Hi Regicide,
Any updates?
March 13th, 2011 9:21pm
Hi Frank,
Sorry, after installing the RU3 update and restarting the server I can still manage users outside my scope. I even removed the management role and role group and recreated them from scratch, but I still have the issue where I can set "Manage Full Access Permissions" outside my write scope.
I created the management role and role group with the following commands:
1. New-ManagementRole -Parent "Mail Recipients" -Name "Project_Mailbox_ManagementRole"
2. New-RoleGroup "Project_Mailbox_Rolegroup" -Roles "Project_Mailbox_ManagementRole" -Members "aadam6" -ManagedBy "aadam" -Description "This group can manage full mailbox permission on all Project Mailboxes" -RecipientOrganizationalUnitScope "congrex.internal/Congrex Group/Users_Projects"
Regicide
March 14th, 2011 4:12am
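For the two role/role-group set-ups posted above (the four-step and the two-step version), the following is an added check, not code from the thread or from Microsoft: it resolves an admin account's effective role assignments the same way the posted Get-ManagementRoleAssignment output does, and reports whether a given mailbox's OU lies inside each assignment's recipient write scope. It assumes an Exchange 2010 Management Shell session; the admin and OU names are the thread's own, and the mailbox identity is a placeholder.

```powershell
# Added example (not from the thread): compare a mailbox's OU against every
# recipient write scope that applies to an admin, directly or via a role group.
function Test-RecipientWriteScope {
    param(
        [Parameter(Mandatory = $true)] [string] $Admin,    # e.g. "aadam6"
        [Parameter(Mandatory = $true)] [string] $Mailbox   # target mailbox identity
    )
    $mbx   = Get-Mailbox -Identity $Mailbox
    $mbxOu = "$($mbx.OrganizationalUnit)"   # canonical path, e.g. "congrex.internal/Congrex Group/Users"

    # -RoleAssignee returns both direct and role-group assignments
    # (AssignmentMethod Direct / RoleGroup), as seen in the output posted above.
    foreach ($a in Get-ManagementRoleAssignment -RoleAssignee $Admin) {
        $root = $null; $note = ''
        switch ("$($a.RecipientWriteScope)") {
            'Organization' { $note = 'write scope covers the whole organization' }
            'OU'           { $root = "$($a.CustomRecipientWriteScope)" }  # OU path set by -RecipientOrganizationalUnitScope
            'CustomRecipientScope' {
                $scope = Get-ManagementScope -Identity "$($a.CustomRecipientWriteScope)"
                $root  = "$($scope.RecipientRoot)"
                # The scope's RecipientFilter (e.g. RecipientType -eq 'UserMailbox') is not evaluated here
                if ($scope.RecipientFilter) { $note = "filter not evaluated: $($scope.RecipientFilter)" }
            }
            default        { $note = "write scope '$($a.RecipientWriteScope)' grants no OU-based write" }
        }
        # A mailbox is in scope when its OU is the root itself or a child of it
        $inScope = if ("$($a.RecipientWriteScope)" -eq 'Organization') { $true }
                   elseif ($root) { ($mbxOu -eq $root) -or $mbxOu.StartsWith("$root/") }
                   else { $false }
        New-Object PSObject -Property @{
            Role             = "$($a.Role)"
            AssignmentMethod = "$($a.AssignmentMethod)"
            RoleAssignee     = "$($a.RoleAssigneeName)"
            WriteScope       = "$($a.RecipientWriteScope)"
            WriteRoot        = $root
            MailboxOU        = $mbxOu
            InScope          = $inScope
            Note             = $note
        }
    }
}

# 'MAILBOX_OUTSIDE_USERS_PROJECTS' is a placeholder: use a mailbox under Congrex Group/Users.
# Every row should report InScope False for it; if the admin can nevertheless change
# Full Access on that mailbox, the cmdlet is not enforcing the scope this query resolves.
Test-RecipientWriteScope -Admin 'aadam6' -Mailbox 'MAILBOX_OUTSIDE_USERS_PROJECTS' |
    Format-Table Role, AssignmentMethod, WriteScope, WriteRoot, InScope, Note -AutoSize
```

A row with WriteScope Organization, or any assignment from a second role group, is the first thing to look for when a write leaks outside the intended OU.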
The account you are using to test isn't a member of any other role groups, right? Can they do other things to the objects in other OUs, for example deleting mailboxes, mail-enabling accounts etc.? Or is it only the 'full mailbox access' stuff that is leaking through?
March 14th, 2011 5:42pm
Hi cn9,
I can’t enable, disable or remove any accounts outside my scope. I can only set "Manage Full Access Permissions".
In the end I will also need to manage "Manage Send As Permission" in the same scope, but when I add "Active Directory Permissions" to the same role group "Project_Mailbox_Rolegroup", I can then also set "Manage Send As Permission" outside my scope.
Regicide
March 15th, 2011 4:20am
The account I’m using to test is only a member of one role group, "Project_Mailbox_Rolegroup".
Regicide
March 15th, 2011 5:12am
Any new ideas? I can't get this working.
Regicide
March 22nd, 2011 6:36am
Hi Frank,
Is anyone from Microsoft interested in solving this issue?
From my perspective, permission problems are quite a critical issue.
Regicide
March 23rd, 2011 3:49am