DEFclub
asked on
Applying Role Group permissions to OU
Within the Exchange 2010 RBAC User Editor, I have created a new role group and applied it to an OU (see attached). However, it doesn't seem to be limiting the role access to just the OU users' mailboxes. It's applying permissions to the entire org. I want to assign the role group admins "Mail Recipients" access to all users' mailboxes within an OU only. What am I doing wrong?
Role-Group.jpg
ASKER
Here is some output:
RunspaceId : 87eccb63-f759-4cea-b7c0-ac408db64646
User : wfinet.com/Microsoft Exchange Security Groups/HBE EXCH ADMINS
AssignmentMethod : Direct
Identity : Mail Recipients-HBE EXCH ADMINS
EffectiveUserName : All Group Members
AssignmentChain :
RoleAssigneeType : RoleGroup
RoleAssignee : wfinet.com/Microsoft Exchange Security Groups/HBE EXCH ADMINS
Role : Mail Recipients
RoleAssignmentDelegationType : Regular
CustomRecipientWriteScope : kratos.us/HBE/Users
CustomConfigWriteScope :
RecipientReadScope : Organization
ConfigReadScope : OrganizationConfig
RecipientWriteScope : OU
ConfigWriteScope : OrganizationConfig
Enabled : True
RoleAssigneeName : HBE EXCH ADMINS
I'm assuming the problem is that it's set to only CustomRecipientWriteScope and none of the other write scopes are set to Kratos.us\HBE\Users. How do I set the other write scopes to the OU location?
ASKER
I’ve run a mixture of commands as follows:
DO THIS FIRST: New-RoleGroup -Name "HBE Exchange Admins" -Roles "Mail Recipients" -RecipientOrganizationalUnitScope "Kratos.us/HBE/Users"
THEN SET ROLE ASSIGNMENT: Set-ManagementRoleAssignment "Mail Recipients-HBE Exchange Admins" -RecipientOrganizationalUnitScope "Kratos.us/HBE/Users"
Set-ManagementScope "HBE Exchange Admins" -RecipientRoot "Kratos.us/HBE/Users"
This all looks like it should work. It shows the Role Group has write access to the OU, but still the users have full access to the org. Any thoughts?
ASKER
recent config:
[PS] C:\Windows\system32>Get-ManagementRoleAssignment -RoleAssignee "HBE exchange admins" | fl
RunspaceId : 50720e97-e4d1-4eff-b156-f697c805bdc1
User : wfinet.com/Microsoft Exchange Security Groups/HBE Exchange Admins
AssignmentMethod : Direct
Identity : Mail Recipients-HBE Exchange Admins
EffectiveUserName : All Group Members
AssignmentChain :
RoleAssigneeType : RoleGroup
RoleAssignee : wfinet.com/Microsoft Exchange Security Groups/HBE Exchange Admins
Role : Mail Recipients
RoleAssignmentDelegationType : Regular
CustomRecipientWriteScope : kratos.us/HBE/Users
CustomConfigWriteScope :
RecipientReadScope : Organization
ConfigReadScope : OrganizationConfig
RecipientWriteScope : OU
ConfigWriteScope : OrganizationConfig
Enabled : True
RoleAssigneeName : HBE Exchange Admins
IsValid : True
ExchangeVersion : 0.11 (14.0.550.0)
Name : Mail Recipients-HBE Exchange Admins
DistinguishedName : CN=Mail Recipients-HBE Exchange Admins,CN=Role Assignments,CN=RBAC,CN=WFI,CN=Mi
Guid : 1beac55d-2868-47f7-b0bb-51e2143defea
ObjectCategory : wfinet.com/Configuration/Schema/ms-Exch-Role-Assignment
ObjectClass : {top, msExchRoleAssignment}
ASKER CERTIFIED SOLUTION
ASKER
Yes, I figured it out... thanks.
What does the "Write scope:" say?
Does it show the OU or "Default"?
Make sure you type the OU name correctly.
You can also create the group from the Management Shell:
New-RoleGroup -Name <role group name> -Roles <roles to assign> -RecipientOrganizationalUnitScope <OU>
You can check the properties of your role group by:
Get-RoleGroup "HBE EXCH ADMINS"
and
Get-ManagementRoleAssignment -RoleAssignee "HBE EXCH ADMINS"
You can also set the roles using the New-ManagementRoleAssignment cmdlet.
You can check the whole set of Permissions cmdlets here:
http://technet.microsoft.com/en-us/library/dd297953.aspx
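The role assignment output the asker posted is already what a correctly scoped assignment looks like (RecipientWriteScope : OU, CustomRecipientWriteScope : kratos.us/HBE/Users), so the point worth checking before touching that assignment again is a different one: Exchange RBAC permissions are additive. A member of the scoped role group who is also a member of Recipient Management, Organization Management, or any other role group with an Organization-wide write scope keeps that org-wide write access; the OU scope on one assignment restricts only that assignment. The read scope, likewise, stays Organization and cannot be narrowed by an OU scope. The script below is an added example, not code from the thread or from the cmdlet documentation linked above. It uses the OU, role group and role names from the thread; the scope name "HBE Users", the member "jdoe" and the mailbox "outside.user" (assumed to live outside the HBE OU) are assumptions for illustration. It builds the scoped group, verifies the assignment, and then runs the audit that shows where any remaining org-wide write access comes from.

```powershell
# Added example (not from the original thread). Run in the Exchange 2010
# Management Shell as a member of Organization Management.
# From the thread: OU kratos.us/HBE/Users, role group "HBE Exchange Admins",
# role "Mail Recipients". Assumed for illustration: scope name "HBE Users",
# member "jdoe", and a mailbox "outside.user" that is not under the HBE OU.

$ouPath         = "kratos.us/HBE/Users"
$scopeName      = "HBE Users"          # assumed scope name
$groupName      = "HBE Exchange Admins"
$member         = "jdoe"               # assumed group member
$outsideMailbox = "outside.user"       # assumed mailbox outside the OU

# 1. A named management scope rooted at the OU. RecipientRoot must be paired
#    with a RecipientRestrictionFilter; this filter matches every recipient
#    under the root, so the OU alone defines the boundary.
if (-not (Get-ManagementScope $scopeName -ErrorAction SilentlyContinue)) {
    New-ManagementScope -Name $scopeName -RecipientRoot $ouPath `
        -RecipientRestrictionFilter { Name -like "*" }
}

# 2. The role group, with Mail Recipients assigned under that write scope.
#    This limits what members can MODIFY through this assignment; the read
#    scope stays Organization, so they can still list every recipient.
if (-not (Get-RoleGroup $groupName -ErrorAction SilentlyContinue)) {
    New-RoleGroup -Name $groupName -Roles "Mail Recipients" `
        -CustomRecipientWriteScope $scopeName -Members $member
}

# 3. Confirm every assignment on the group carries the OU scope. Any row
#    showing RecipientWriteScope = Organization here is a misconfiguration.
Get-ManagementRoleAssignment -RoleAssignee $groupName |
    Format-Table Role, RecipientWriteScope, CustomRecipientWriteScope -AutoSize

# 4. The additive-permissions check. List every assignment that reaches the
#    member, including those inherited through OTHER role groups
#    (AssignmentMethod shows how it reaches them). An Organization-scoped
#    row from, say, Recipient Management explains "still has access to the
#    whole org" even though the HBE assignment is scoped correctly.
Get-ManagementRoleAssignment -RoleAssignee $member |
    Format-Table Role, AssignmentMethod, RoleAssignee, RecipientWriteScope -AutoSize

# 5. Ask the question directly: which assignments let this member write to
#    a mailbox outside the HBE OU? -GetEffectiveUsers expands group
#    membership; EffectiveUserName carries the user's Name attribute, so
#    resolve the alias to that first.
$memberName = (Get-User $member).Name
$leaks = Get-ManagementRoleAssignment -WritableRecipient $outsideMailbox `
    -GetEffectiveUsers | Where-Object { $_.EffectiveUserName -eq $memberName }

if ($leaks) {
    "WARNING: $memberName can still modify $outsideMailbox through:"
    $leaks | Format-Table RoleAssignee, Role, RecipientWriteScope -AutoSize
    # Remediation is to remove the member from the broader role group(s)
    # listed above (Remove-RoleGroupMember), not to change the HBE scope.
} else {
    "OK: $memberName has no write access to $outsideMailbox"
}
```

Step 5 is the test to keep around: it answers "who can write to this object" from the object's side, so it catches access granted through any role group, direct assignment or security group, not just the one being configured. If the group members genuinely need to be the only admins allowed to touch the HBE mailboxes, that is a separate feature (an exclusive scope created with New-ManagementScope -Exclusive), which blocks other regularly scoped assignments from writing to those recipients; a plain OU scope on its own never takes access away from anyone else.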