RBAC Exclusive
I could use some help. I created the RBAC scope and role assignments shown below. The purpose was to restrict access so that only certain users can create/add/move (manage) mailboxes on "NET Database".
When I created it, I tested it and it worked... or at least I thought it did. However, I was on vacation for a week; I came back and it doesn't work now. It gives me the following error.
Error:
Database 'NET Database' is not within the current user's management scope. 'Net Database' isn't within your current write scopes. Can't perform save operation..
SCOPE:
New-ManagementScope -Name "NET Mailbox Databases" -DatabaseList "NET Database" -Exclusive
New-ManagementScope -Name "NET Mailbox Recipients" -RecipientRoot "NET.Local/Products" -RecipientRestrictionFilter {RecipientType -eq "UserMailbox"} -Exclusive
ROLE Assignment:
New-ManagementRoleAssignment -Name "NET Databases Admins" -SecurityGroup "NET_MBX_Server_Admins" -Role "Databases" -ExclusiveConfigWriteScope "NET Mailbox Databases"
New-ManagementRoleAssignment -Name "NET Recipient Creation Admins" -Role "Mail Recipient Creation" -SecurityGroup "NET_MBX_Server_Admins" -ExclusiveRecipientWriteScope "NET Mailbox Recipients"
New-ManagementRoleAssignment -Name "NET Recipient Admins" -Role "Mail Recipients" -SecurityGroup "NET_MBX_Server_Admins" -ExclusiveRecipientWriteScope "NET Mailbox Recipients"
New-ManagementRoleAssignment -Name "NET Move Mailboxes Admins" -Role "Move Mailboxes" -SecurityGroup "NET_MBX_Server_Admins" -ExclusiveRecipientWriteScope "NET Mailbox Recipients"
Thank you
August 15th, 2012 8:18pm
"it doesn't work now. It gives me the following error."
Hi Semperfi4000,
Do you mean all tasks (create/add/move) do not work? Please also check whether you can modify NET Database's properties, e.g. database quota limits, database maintenance, and so on.
Please create a new test admin account and add it to NET_MBX_Server_Admins. Can that account do the tasks?
Frank Wang
TechNet Community Support
August 17th, 2012 2:48am
Looks like I got it working again. I needed the 2nd scope, "NET Mailbox Recipients". I am wondering if there is a way you can create a role group with multiple roles and add that to your ManagementRoleAssignment.
The way I have it now, each New-ManagementRoleAssignment creates a new security group; it just seems a bit messy.
New-ManagementScope -Name "NET Mailbox Databases" -DatabaseRestrictionFilter {Name -like "NET Database"} -Exclusive
New-ManagementScope -Name "NET Mailbox Recipients" -RecipientRoot "NET.LOCAL/Products" -RecipientRestrictionFilter {RecipientType -eq "UserMailbox"} -Exclusive
New-ManagementRoleAssignment -Name "NET Mail Recipient Creation" -Role "Mail Recipient Creation" -SecurityGroup "NET_MBX_Server_Admins" -ExclusiveConfigWriteScope "NET Mailbox Databases"
New-ManagementRoleAssignment -Name "NET Mail Recipients" -Role "Mail Recipients" -SecurityGroup "NET_MBX_Server_Admins" -ExclusiveConfigWriteScope "NET Mailbox Databases"
New-ManagementRoleAssignment -Name "NET Move Mailboxes" -Role "Move Mailboxes" -SecurityGroup "NET_MBX_Server_Admins" -ExclusiveRecipientWriteScope "NET Mailbox Recipients"
New-RoleGroup -Name "NET Mail Recipient Creation" -Roles "Mail Recipient Creation"
New-RoleGroup -Name "NET Mail Recipients" -Roles "Mail Recipients"
New-RoleGroup -Name "NET Move Mailboxes" -Roles "Move Mailboxes"
August 17th, 2012 11:06am
Hi Semperfi4000,
The 3 New-ManagementRoleAssignment cmdlets are different from the ones in your question.
Please modify the scopes as the following TechNet article says:
"Controlling which recipients a role assignee can manage is done using a recipient scope specified in the CustomRecipientWriteScope parameter on the New-ManagementRoleAssignment or Set-ManagementRoleAssignment cmdlet. Controlling which databases a mailbox can be created on or moved to is controlled using a database scope specified in the CustomConfigurationWriteScope parameter on the same cmdlets."
Understanding Management Role Scopes
http://technet.microsoft.com/en-us/library/dd335146.aspx
Frank Wang
TechNet Community Support
August 19th, 2012 11:08pm
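The following Exchange Management Shell script is an added example, not code posted by Semperfi4000 or by Frank Wang. It puts together the two points raised in the thread: the TechNet rule that a recipient scope belongs on the recipient write scope and a database scope on the config write scope (the actual cmdlet parameters are -CustomConfigWriteScope / -ExclusiveConfigWriteScope, the article's "CustomConfigurationWriteScope" is the descriptive name), and the question about using one role group with several roles instead of one security group per assignment. It reuses the names from the thread ("NET Database", "NET.LOCAL/Products", "NET_MBX_Server_Admins"); the role group name "NET Mailbox Admins" and the description text are assumptions made for this example. It must be run by a member of Organization Management.

```powershell
# Added example for the thread above (not the poster's or the answerer's code).
# Assumed names: role group "NET Mailbox Admins"; everything else is from the thread.

# --- 1. Scopes: one database scope, one recipient scope, both exclusive ----------
# Security caveat: -Exclusive means every assignee WITHOUT an exclusive assignment
# covering these objects (Organization Management included) is denied writes to
# them. That is exactly the "not within your current write scopes" error shown in
# the first post, so decide deliberately who needs to keep access.
New-ManagementScope -Name "NET Mailbox Databases" `
    -DatabaseRestrictionFilter { Name -eq "NET Database" } -Exclusive

New-ManagementScope -Name "NET Mailbox Recipients" `
    -RecipientRoot "NET.LOCAL/Products" `
    -RecipientRestrictionFilter { RecipientType -eq "UserMailbox" } -Exclusive

# --- 2. One role group instead of one security group per assignment -------------
# A role group is itself a universal security group, so it can be the
# -SecurityGroup of several role assignments. The existing AD group is added as a
# member, so membership keeps being managed in one place.
New-RoleGroup -Name "NET Mailbox Admins" -Members "NET_MBX_Server_Admins" `
    -Description "Creates, manages and moves UserMailboxes under NET.LOCAL/Products on NET Database"

# --- 3. Assignments: recipient scope on the RECIPIENT write scope, database scope
#        on the CONFIG write scope. Putting the database scope on a recipient
#        role's config write scope only (as in the second post) leaves that role's
#        recipient write scope at its default, i.e. the whole organization.
# Mail Recipient Creation: which mailboxes may be created AND on which database.
New-ManagementRoleAssignment -Name "NET Mail Recipient Creation" `
    -Role "Mail Recipient Creation" -SecurityGroup "NET Mailbox Admins" `
    -ExclusiveRecipientWriteScope "NET Mailbox Recipients" `
    -ExclusiveConfigWriteScope "NET Mailbox Databases"

# Mail Recipients: which existing mailboxes may be modified.
New-ManagementRoleAssignment -Name "NET Mail Recipients" `
    -Role "Mail Recipients" -SecurityGroup "NET Mailbox Admins" `
    -ExclusiveRecipientWriteScope "NET Mailbox Recipients"

# Move Mailboxes: which mailboxes may be moved AND to which target database.
New-ManagementRoleAssignment -Name "NET Move Mailboxes" `
    -Role "Move Mailboxes" -SecurityGroup "NET Mailbox Admins" `
    -ExclusiveRecipientWriteScope "NET Mailbox Recipients" `
    -ExclusiveConfigWriteScope "NET Mailbox Databases"

# --- 4. Verify before handing it over ----------------------------------------------
# Effective write scopes of every assignment held by the role group.
Get-ManagementRoleAssignment -RoleAssignee "NET Mailbox Admins" |
    Format-Table Name, Role, RecipientWriteScope, CustomRecipientWriteScope,
                 ConfigWriteScope, CustomConfigWriteScope -AutoSize

# Who can actually write to the database now (group membership is expanded).
# An admin who is missing from this list will get the error from the first post.
Get-ManagementRoleAssignment -WritableDatabase "NET Database" -GetEffectiveUsers |
    Select-Object EffectiveUserName, Role, AssignmentMethod -Unique

# Every exclusive scope in the organization, to see what else is locked down.
Get-ManagementScope -Exclusive $true |
    Format-Table Name, ScopeRestrictionType, RecipientRoot, RecipientFilter, DatabaseFilter -AutoSize
```

Re-run step 4 after a week, not just right after creating the assignments: a later exclusive scope created by someone else for the same database, or a change to the AD group, shows up there first.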