Restrict mailbox view for ECP/EMC
Hi, I'm trying to restrict my help desk user to only be able to view/edit mailboxes in a certain OU when accessing the EMC or ECP. I have created a new role group, scope, and role assignment and added the user. When the user logs in via ECP they can view all the mailboxes (they can only amend mailboxes specified in my scope, so that bit's working). I need to restrict the user to only see mailboxes he has permissions to edit. The commands I used were as follows:

    New-RoleGroup "Help Desk" -RecipientOrganizationalUnitScope "MyDomain.local/MyOrgUnit" -Roles "Mail Recipients"
    Set-ManagementRoleAssignment "Mail Recipients-Help Desk" -RecipientOrganizationalUnitScope "MyDomain.local/MyOrgUnit"
    New-ManagementScope -Name "Help Desk Scope" -RecipientRoot "MyDomain.local/MyOrgUnit" -RecipientRestrictionFilter {RecipientType -eq "UserMailbox"}
    Set-ManagementRoleAssignment "Mail Recipients-Help Desk" -CustomRecipientWriteScope "Help Desk Scope"

I then added the user to the role group using the ECP. Any suggestions as to what I'm doing wrong? Many thanks
July 18th, 2011 12:10pm

Could you please try these commands:

    New-ManagementScope -Name "Help Desk Scope" -RecipientRoot "MyDomain.local/MyOrgUnit" -RecipientRestrictionFilter {RecipientType -eq "UserMailbox"}

1) $rg = Get-RoleGroup "Recipient Management"
2) New-RoleGroup "Help Desk" -RecipientOrganizationalUnitScope "MyDomain.local/MyOrgUnit" -Roles $rg.Roles -CustomRecipientWriteScope "Help Desk Scope"
3) Add-RoleGroupMember "Help Desk" -Member "admin user"

Thanks
Joseph Pradeep
July 18th, 2011 5:56pm

Thanks for the reply, but when I run the New-RoleGroup command I get the following error: The arguments 'CustomRecipientWriteScope' and 'RecipientOrganizationalUnitScope' are mutually exclusive. Use one or the other.
July 19th, 2011 6:58am

2) New-RoleGroup "Help Desk" -RecipientOrganizationalUnitScope "MyDomain.local/MyOrgUnit" -Roles $rg.Roles -CustomConfigWriteScope "Help Desk Scope"

Thanks
Joseph Pradeep
July 19th, 2011 10:04am

Hi,

As far as I know, the RecipientOrganizationalUnitScope parameter specifies the organizational unit (OU) scope added to the role assignments created when the role group is created. If you use the RecipientOrganizationalUnitScope parameter, you can't use the CustomRecipientWriteScope parameter. To specify an OU, use the syntax: domain/ou. So, please choose one of them.

Regards!
Gavin
TechNet Subscriber Support in forum
July 21st, 2011 5:47am
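The sequence the replies above converge on, written out as one script with a verification step at the end. This is an added example, not a command set posted in the thread; it assumes an Exchange 2010 Management Shell session, the OU and scope/role-group names the original poster used, and a hypothetical help desk account name "helpdesk.user". The Get-* calls at the end show what RBAC actually assigned, which is the check the thread never runs.

```powershell
# Added example (not from the thread). Assumes an Exchange 2010 Management Shell
# session and that the OU "MyDomain.local/MyOrgUnit" from the thread exists.
# "helpdesk.user" is a placeholder account name.

$ou        = "MyDomain.local/MyOrgUnit"
$scopeName = "Help Desk Scope"
$groupName = "Help Desk"

# 1. Custom write scope: recipients under the OU that are user mailboxes.
#    Use straight ASCII quotes inside the filter; the curly quote in the
#    thread's pasted command leaves the filter string unterminated.
New-ManagementScope -Name $scopeName `
    -RecipientRoot $ou `
    -RecipientRestrictionFilter { RecipientType -eq "UserMailbox" }

# 2. Role group carrying the custom write scope. RecipientOrganizationalUnitScope
#    and CustomRecipientWriteScope are mutually exclusive on New-RoleGroup
#    (the error the poster hit), so only the custom scope is passed here.
New-RoleGroup -Name $groupName `
    -Roles "Mail Recipients" `
    -CustomRecipientWriteScope $scopeName

# 3. Membership. Replace the placeholder with the real help desk account.
Add-RoleGroupMember -Identity $groupName -Member "helpdesk.user"

# 4. Verify what RBAC granted. The write scope is the custom scope, but the
#    read scope of the assignment stays "Organization": a custom recipient
#    write scope limits what the assignee can change, not what Get-Mailbox
#    or the ECP mailbox list can enumerate, which matches what the poster sees.
Get-ManagementRoleAssignment -RoleAssignee $groupName |
    Format-Table Name, Role, RecipientReadScope, RecipientWriteScope, CustomRecipientWriteScope -AutoSize

# 5. Confirm the scope itself resolves to the intended root and filter.
Get-ManagementScope -Identity $scopeName |
    Format-List Name, RecipientRoot, RecipientFilter
```

Run step 4 as a sanity check after any role-assignment change: the RecipientWriteScope column should read CustomScope (or the scope name) for the help desk assignment, while RecipientReadScope stays Organization. That pairing is the concrete evidence for why the help desk user can still list every mailbox even though edits outside the OU are refused.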

Thanks for the replies. Using either command makes no difference - the help desk user can view all mailboxes. The permissions side of things is working, they can only amend details for users in the specified OU, but I need to be able to hide all the other mailboxes from view.
July 22nd, 2011 5:51am

Hi RobDPS,

If you want to use RBAC to achieve the goal of not allowing the help desk to view the other mailboxes, as far as I know, it is impossible.

Regards!
Gavin
TechNet Subscriber Support in forum
July 25th, 2011 12:23am

This topic is archived. No further replies will be accepted.
