
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1462
  • Last Modified:

Applying Role Group permissions to OU

Within Exchange 2010 “RBAC” User editor, I have created a new role group and applied it to a OU (see attached). However, it doesn’t seem to be limiting the role access to just the OU users mailboxes. Its applying permissions to the entire Org. I want to assign the Role Group admins to have “mail recipient” access to all users’ mailboxes within an OU only. What am I doing wrong?
Attachment: Role-Group.jpg
Asked by: DEFclub
1 Solution
 
George Sas (IT Engineer) commented:
After you create the group, add members, etc. and save it, select the new group and look at the right-hand tab.
What does "Write scope:" say?
Does it show the OU or "Default"?
Make sure you type the OU name correctly.

You can also create the group from the Management Shell:
New-RoleGroup -Name <role group name> -Roles <roles to assign> -RecipientOrganizationalUnitScope <OU name>

You can check the properties of your role group with:
Get-RoleGroup "HBE EXCH ADMINS"
and

Get-ManagementRoleAssignment -RoleAssignee "HBE EXCH ADMINS" | fl

You can also set the roles using New-ManagementRoleAssignment.
You can see the full list of permissions cmdlets here:
http://technet.microsoft.com/en-us/library/dd297953.aspx
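The procedure above (create the role group with an OU write scope, then read the assignment back) as one runnable Exchange 2010 Management Shell script. This is an added example, not code from the original answer or the thread. The OU path, role group name, member display name and the mailbox names "alice" and "bob" are placeholders. It adds two checks a practitioner would want: whether the group can actually write a given mailbox, and whether the member picks up a broader write scope from some other role assignment. Note that RecipientReadScope stays at Organization; custom scopes in Exchange 2010 restrict writes only, so members can still see every recipient in the org, which is not the same as being able to modify them.

```powershell
# Added example (not from the original thread). Assumes an Exchange 2010
# Management Shell session with rights to create role groups.
# Placeholders: OU path, role group name, member display name, mailboxes.
$OU         = 'kratos.us/HBE/Users'
$GroupName  = 'HBE Exchange Admins'
$MemberName = 'John Doe'          # display name as shown by -GetEffectiveUsers
$InsideOU   = 'alice'             # hypothetical mailbox inside the OU
$OutsideOU  = 'bob'               # hypothetical mailbox outside the OU

# 1. Create the role group with an OU-restricted write scope.
#    -RecipientOrganizationalUnitScope sets RecipientWriteScope = OU and
#    CustomRecipientWriteScope = $OU on the resulting assignment; no separate
#    New-ManagementScope / Set-ManagementScope is needed for a plain OU scope.
New-RoleGroup -Name $GroupName -Roles 'Mail Recipients' `
    -RecipientOrganizationalUnitScope $OU -Members $MemberName

# 2. Read the assignment back. Expect RecipientWriteScope = OU and
#    CustomRecipientWriteScope = $OU. RecipientReadScope will still say
#    Organization: that only governs what members can list, not what they can change.
Get-ManagementRoleAssignment -RoleAssignee $GroupName |
    Format-List Role, RecipientReadScope, RecipientWriteScope, CustomRecipientWriteScope

# 3. Test from the mailbox side: which assignments are allowed to write each mailbox?
#    $GroupName should appear for $InsideOU and be absent for $OutsideOU.
foreach ($mbx in $InsideOU, $OutsideOU) {
    "`nAssignments that can write mailbox '$mbx':"
    Get-ManagementRoleAssignment -WritableRecipient $mbx -GetEffectiveUsers |
        Where-Object { $_.EffectiveUserName -eq $MemberName } |
        Format-Table RoleAssigneeName, Role, RecipientWriteScope, CustomRecipientWriteScope -AutoSize
}

# 4. If the member still has org-wide write access, look for a second assignment
#    that is not OU-scoped: membership in another role group (Recipient Management,
#    Organization Management, ...) or a direct user assignment. Scoping one role
#    group does nothing to rights granted through another.
"`nNon-OU-scoped assignments that apply to '$MemberName':"
Get-ManagementRoleAssignment -GetEffectiveUsers |
    Where-Object { $_.EffectiveUserName -eq $MemberName -and $_.RecipientWriteScope -ne 'OU' } |
    Format-Table RoleAssigneeName, RoleAssigneeType, Role, RecipientWriteScope -AutoSize
```

Step 4 is the check to run when the scope on the assignment looks right but the members still seem to have full access: the effective permission set is the union of every assignment that reaches the user, so an unscoped "Mail Recipients" (or broader) assignment from any other role group wins.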
DEFclub (author) commented:
Here is some output:
RunspaceId                   : 87eccb63-f759-4cea-b7c0-ac408db64646
User                         : wfinet.com/Microsoft Exchange Security Groups/HBE EXCH ADMINS
AssignmentMethod             : Direct
Identity                     : Mail Recipients-HBE EXCH ADMINS
EffectiveUserName            : All Group Members
AssignmentChain              :
RoleAssigneeType             : RoleGroup
RoleAssignee                 : wfinet.com/Microsoft Exchange Security Groups/HBE EXCH ADMINS
Role                         : Mail Recipients
RoleAssignmentDelegationType : Regular
CustomRecipientWriteScope    : kratos.us/HBE/Users
CustomConfigWriteScope       :
RecipientReadScope           : Organization
ConfigReadScope              : OrganizationConfig
RecipientWriteScope          : OU
ConfigWriteScope             : OrganizationConfig
Enabled                      : True
RoleAssigneeName             : HBE EXCH ADMINS

I'm assuming the problem is that only CustomRecipientWriteScope is set and none of the other write scopes are set to Kratos.us\HBE\users. How do I set the other write scopes to the OU location?
DEFclub (author) commented:
I’ve run a mixture of commands as follows:
Do this first:
New-RoleGroup -Name "HBE Exchange Admins" -Roles "Mail Recipients" -RecipientOrganizationalUnitScope "Kratos.us/HBE/Users"

Then set the role assignment:
Set-ManagementRoleAssignment "Mail Recipients-HBE Exchange Admins" -RecipientOrganizationalUnitScope "Kratos.us/HBE/Users"

Set-ManagementScope "HBE Exchange Admins" -RecipientRoot "Kratos.us/HBE/Users"

This all looks like it should work. It shows the Role Group has write access to the OU, but still the users have full access to the org. Any thoughts?
DEFclub (author) commented:
Recent config:


[PS] C:\Windows\system32>Get-ManagementRoleAssignment -RoleAssignee "HBE exchange admins" | fl


RunspaceId                   : 50720e97-e4d1-4eff-b156-f697c805bdc1
User                         : wfinet.com/Microsoft Exchange Security Groups/HBE Exchange Admins
AssignmentMethod             : Direct
Identity                     : Mail Recipients-HBE Exchange Admins
EffectiveUserName            : All Group Members
AssignmentChain              :
RoleAssigneeType             : RoleGroup
RoleAssignee                 : wfinet.com/Microsoft Exchange Security Groups/HBE Exchange Admins
Role                         : Mail Recipients
RoleAssignmentDelegationType : Regular
CustomRecipientWriteScope    : kratos.us/HBE/Users
CustomConfigWriteScope       :
RecipientReadScope           : Organization
ConfigReadScope              : OrganizationConfig
RecipientWriteScope          : OU
ConfigWriteScope             : OrganizationConfig
Enabled                      : True
RoleAssigneeName             : HBE Exchange Admins
IsValid                      : True
ExchangeVersion              : 0.11 (14.0.550.0)
Name                         : Mail Recipients-HBE Exchange Admins
DistinguishedName            : CN=Mail Recipients-HBE Exchange Admins,CN=Role Assignments,CN=RBAC,CN=WFI,CN=Mi
Guid                         : 1beac55d-2868-47f7-b0bb-51e2143defea
ObjectCategory               : wfinet.com/Configuration/Schema/ms-Exch-Role-Assignment
ObjectClass                  : {top, msExchRoleAssignment}
George Sas (IT Engineer) commented:
As far as I can see they only have access to the OU you specified:

CustomRecipientWriteScope    : kratos.us/HBE/Users
DEFclub (author) commented:
Yes, I figured it out... thanks.