Separate Organization Exchange 2010 SP1 Administration
I have an Exchange 2010 SP1 forest with 4 AD sites. Each site is located in a different part of the world with the main headquarters here in America. Each site has a DC/GC and a single box with the CAS/Hub/Mbx roles and services the local users in that site. I want to separate Exchange administrative duties for each site so that the Exchange administrators located in that site can only fully administer that site and no others. How could I do that? Doug Swanek
April 21st, 2011 5:27pm

RBAC will allow you to control what the users can and cannot manage. You will need to configure custom scopes for both users and servers. This is the top of the tree for the RBAC section: http://technet.microsoft.com/en-us/library/dd298183.aspx Simon. Simon Butler, Exchange MVP
April 21st, 2011 6:31pm

Hi Doug, Simon is right, you can use RBAC to achieve the goal. Some related documents for you:

Managing Administrator and Specialist Users: http://technet.microsoft.com/en-us/library/dd335101.aspx
Create a Role Group: http://technet.microsoft.com/en-us/library/dd638209.aspx
Add a Role to a Role Group: http://technet.microsoft.com/en-us/library/dd638202.aspx

Thanks, Evan Liu, TechNet Subscriber Support in forum
April 22nd, 2011 3:20am

Thanks for verifying this is possible. I assumed that RBAC was the answer, but I was not sure. So the key then would be to use a built-in Role Group, such as the Organization Admins, then add the required users for each site and assign custom scopes for each site? Or would I create a custom Management Role for each site, add the respective Exchange admins for each site and assign each custom Management Role a custom scope? This confuses me just a bit because of the Organization Admins role having the ability to control the entire forest's Exchange environment. Every example I've seen doesn't apply an Org. Admin role to specific sites; it's always referring to this role as an all-encompassing, entire-forest privilege. If you have all required Exchange admins in the Org. Admins built-in group, can you then assign custom scopes, or would you need to separate each site with custom Management Roles within the Org. Admin group and then apply custom scopes? Forgive me for not quite understanding this process. Would the below example work?

Built-in Organization Admins Group
  Custom Management Role 1: Site A - add required users, create custom scope to restrict all administration except for Site A
  Custom Management Role 2: Site B - " "
  Custom Management Role 3: Site C - " "
  Custom Management Role 4: Site D - " "

Doug Swanek
April 22nd, 2011 6:45am

Thanks Evan, I've read the above articles several times; however, my brain is melting. My confusion with RBAC lies in the use of the Org. Admins group vs. creating a custom Management Role. Does a Management Role need to be placed in a group? If so, wouldn't the entire group inherit all permissions regardless of the individual scopes? If a custom Management Role doesn't need to be assigned to a management group, then assigning individual management scopes to each individual Management Role seems to make sense. Could you please clarify? Doug Swanek
April 22nd, 2011 6:57am

Another question. If Exchange administration is localized to individual sites only, would this go against Microsoft's best practices for organization administration? Does this present an unnecessary amount of administrative overhead when attempting to identify cross-site issues? Doug Swanek
April 22nd, 2011 7:13am

Hi dswanek, I would first create the Management Scopes for each site; this will let the admins manage all servers in the specified Active Directory site.

New-ManagementScope -Name "Server_Management-Site1_Scope" -ServerRestrictionFilter {ServerSite -eq "CN=Site1,CN=Sites,CN=Configuration,DC=contoso,DC=com"}
New-ManagementScope -Name "Server_Management-Site2_Scope" -ServerRestrictionFilter {ServerSite -eq "CN=Site2,CN=Sites,CN=Configuration,DC=contoso,DC=com"}
New-ManagementScope -Name "Server_Management-Site3_Scope" -ServerRestrictionFilter {ServerSite -eq "CN=Site3,CN=Sites,CN=Configuration,DC=contoso,DC=com"}
New-ManagementScope -Name "Server_Management-Site4_Scope" -ServerRestrictionFilter {ServerSite -eq "CN=Site4,CN=Sites,CN=Configuration,DC=contoso,DC=com"}

http://technet.microsoft.com/en-us/library/dd335137.aspx

Second, create a new Role Group for each site and add Management Roles; for this example I added all Management Roles from the default "Server Management" Role Group.

New-RoleGroup "Server_Management-Site1_RoleGroup" -Roles "Database Copies","Databases","Exchange Connectors","Exchange Server Certificates","Exchange Servers","Exchange Virtual Directories","Monitoring","POP3 And IMAP4 Protocols","Receive Connectors","Transport Queues" -Members "admin1" -ManagedBy "your_admin_account" -CustomConfigWriteScope "Server_Management-Site1_Scope"
New-RoleGroup "Server_Management-Site2_RoleGroup" -Roles "Database Copies","Databases","Exchange Connectors","Exchange Server Certificates","Exchange Servers","Exchange Virtual Directories","Monitoring","POP3 And IMAP4 Protocols","Receive Connectors","Transport Queues" -Members "admin2" -ManagedBy "your_admin_account" -CustomConfigWriteScope "Server_Management-Site2_Scope"
New-RoleGroup "Server_Management-Site3_RoleGroup" -Roles "Database Copies","Databases","Exchange Connectors","Exchange Server Certificates","Exchange Servers","Exchange Virtual Directories","Monitoring","POP3 And IMAP4 Protocols","Receive Connectors","Transport Queues" -Members "admin3" -ManagedBy "your_admin_account" -CustomConfigWriteScope "Server_Management-Site3_Scope"
New-RoleGroup "Server_Management-Site4_RoleGroup" -Roles "Database Copies","Databases","Exchange Connectors","Exchange Server Certificates","Exchange Servers","Exchange Virtual Directories","Monitoring","POP3 And IMAP4 Protocols","Receive Connectors","Transport Queues" -Members "admin4" -ManagedBy "your_admin_account" -CustomConfigWriteScope "Server_Management-Site4_Scope"

http://technet.microsoft.com/en-us/library/dd638181.aspx

You also need to create a Role Group for Recipients, but it's easily done from the ECP in OWA. Don't forget to change the write scope to an OU where you want the admins to manage the users in the Recipients Role Group. Do not add the admins to the "Organization Management" Role Group; this will give them full permissions to all Exchange servers in the Organization. Adam Bokiniec
April 22nd, 2011 7:57am
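The procedure in Adam's post, carried through for all four sites with the recipient side scripted as well and a verification pass at the end. This is an added example, not code from the thread or from Microsoft; it runs in the Exchange 2010 Management Shell and assumes the contoso.com forest and Site1..Site4 names from the post, one OU per site under contoso.com/<SiteName> (an assumption), and the placeholder admin accounts admin1..admin4 and your_admin_account used in the post.

```powershell
# Added example (not from the thread). Assumptions: forest contoso.com, AD sites Site1..Site4,
# each site's users live in OU contoso.com/<SiteName>, and the site admin account names are
# the placeholders admin1..admin4. Run from the Exchange Management Shell as an org admin.

$ConfigSuffix   = "DC=contoso,DC=com"       # from the thread
$ManagedBy      = "your_admin_account"      # placeholder, as in the thread
$ServerRoles    = "Database Copies","Databases","Exchange Connectors","Exchange Server Certificates",
                  "Exchange Servers","Exchange Virtual Directories","Monitoring",
                  "POP3 And IMAP4 Protocols","Receive Connectors","Transport Queues"
$RecipientRoles = "Mail Recipients","Mail Recipient Creation","Distribution Groups"

# One entry per AD site: site name, the OU holding that site's users (assumed), the site admin (placeholder).
$Sites = @(
    @{ Name = "Site1"; Ou = "contoso.com/Site1"; Admin = "admin1" },
    @{ Name = "Site2"; Ou = "contoso.com/Site2"; Admin = "admin2" },
    @{ Name = "Site3"; Ou = "contoso.com/Site3"; Admin = "admin3" },
    @{ Name = "Site4"; Ou = "contoso.com/Site4"; Admin = "admin4" }
)

foreach ($s in $Sites) {
    $siteDn        = "CN=$($s.Name),CN=Sites,CN=Configuration,$ConfigSuffix"
    $serverScope   = "Server_Management-$($s.Name)_Scope"
    $recipScope    = "Recipient_Management-$($s.Name)_Scope"
    $serverGroup   = "Server_Management-$($s.Name)_RoleGroup"
    $recipGroup    = "Recipient_Management-$($s.Name)_RoleGroup"

    # 1. Configuration scope: only Exchange servers whose ServerSite is this AD site.
    New-ManagementScope -Name $serverScope -ServerRestrictionFilter "ServerSite -eq '$siteDn'"

    # 2. Recipient scope: only recipients under the site's OU. The filter matches every
    #    recipient there; tighten it (e.g. RecipientType) if only some object types should be in scope.
    New-ManagementScope -Name $recipScope -RecipientRoot $s.Ou -RecipientRestrictionFilter "Name -like '*'"

    # 3. Server role group, write access limited to this site's servers.
    New-RoleGroup -Name $serverGroup -Roles $ServerRoles -Members $s.Admin `
        -ManagedBy $ManagedBy -CustomConfigWriteScope $serverScope

    # 4. Recipient role group, write access limited to this site's OU.
    New-RoleGroup -Name $recipGroup -Roles $RecipientRoles -Members $s.Admin `
        -ManagedBy $ManagedBy -CustomRecipientWriteScope $recipScope
}

# Verification: every assignment granted through a site group must carry its custom write scope,
# and no site admin may also sit in Organization Management (which is org-wide and unscoped).
$orgAdmins = Get-RoleGroupMember "Organization Management" | ForEach-Object { $_.Name }

foreach ($s in $Sites) {
    Get-ManagementRoleAssignment -RoleAssignee "Server_Management-$($s.Name)_RoleGroup" |
        Where-Object { -not $_.CustomConfigWriteScope } |
        ForEach-Object { Write-Warning "$($_.Name): config write scope is not site-restricted" }

    Get-ManagementRoleAssignment -RoleAssignee "Recipient_Management-$($s.Name)_RoleGroup" |
        Where-Object { -not $_.CustomRecipientWriteScope } |
        ForEach-Object { Write-Warning "$($_.Name): recipient write scope is not site-restricted" }

    if ($orgAdmins -contains $s.Admin) {
        Write-Warning "$($s.Admin) is a member of Organization Management; site isolation does not hold"
    }
}
```

Two points worth keeping in mind when adapting this. Regular scopes like these limit what the site groups can write to; they do not stop someone who holds a broader assignment (Organization Management, or the default Recipient Management group with its organization-wide recipient scope) from managing the same servers and recipients, which is why the final check matters. And the read scope of the assignments stays at its default, so a site admin can still see the other sites' servers and users in the shell and ECP, just not change them.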

Thank you Adam. I appreciate your expertise in this area. This is a HUGE HELP, thanks again. Doug Swanek
April 22nd, 2011 9:24am
