Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

RBAC in Exchange 2010

Posted on 2014-10-13
4
Medium Priority
?
127 Views
Last Modified: 2014-10-22
Can anyone assist with the below EMS error I recieve trying to add a role assignment with an OU scope:

WARNING: The domain.com/Group Objects/Stellar management scope won't be applied to the management role assignment for the Stellar DistributionGroups Management management role because the implicit scope on this role, MyDistributionGroups, is smaller than the specified scope.

I'm using a custom role named StellarDistributionGroups Management with the following entries (parent is distribution groups):
Add-DistributionGroupMember
Get-DistributionGroup
Get-DistributionGroupMember
Get-Group
Get-Recipient
New-DistributionGroup
Remove-DistributionGroupMember
Set-DynamicDistributionGroup
Set-Group
Update-DistributionGroupMember
Set-DistributionGroup

I'm running the following cmdlets:
[PS] C:\>New-ManagementRoleAssignment -Name "Stellar DL Managers" -SecurityGroup "stellar Distribution Group Managers" -Role "Stellar DistributionGroups Management" -RecipientOrganizationalUnitScope "domain.com/Group Objects/SA"
0
Comment
Question by:timgreen7077
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
4 Comments
 
LVL 13

Expert Comment

by:imkottees
ID: 40380935
Hi,

there is a conflict in scope which you are specifying. try setting the same scope as StellarDistributionGroups mgmt role.
0
 
LVL 37

Accepted Solution

by:
Jian An Lim earned 2000 total points
ID: 40381126
to be precise, MyDistributionGroups has implicitrecipientreadscope of mygal

Get-ManagementRole mydistrib* | ft identity,impl*

i wonder why myDstributionGroups some into play.

how do you create your management role?

the right way is to use
new-managementrole -parent "Distribution groups" -name "StellarDL"

then run to find out what command you have
get-managementrole "StellarDl" | get-managementroleentry

if you want to remove command you basically do
get-managementrole "StellarDl" | get-managementroleentry <command you want to remove> | remove-managementroleentry -confirm:$false


then you run the below command
New-ManagementRoleAssignment -Name "Stellar DL Managers" -SecurityGroup "stellar Distribution Group Managers" -Role "StellarDl" -RecipientOrganizationalUnitScope "domain.com/Group Objects/SA"
p/s: you need to create the security group "Stellar distribution group managers" manually before run the command


OR

New-RoleGroup -Name <role group name> "Stellar DL Managers" -Roles <roles to assign> "StellarDl" -RecipientOrganizationalUnitScope "domain.com/Group Objects/SA"

p/s: remove the <comment> .. the above way will create the group in


please be very specific where you stuck so i can assist you further.
0
 

Author Comment

by:timgreen7077
ID: 40392091
I have been really busy last week. I will reattempt this today or tomorrow and update. Thanks.
0
 

Author Closing Comment

by:timgreen7077
ID: 40398283
Thanks that fixed my issue.
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A list of top three free exchange EDB viewers that helps the user to extract a mailbox from an unmounted .edb file and get a clear preview of all emails & other items with just a single click on mailboxes.
This article will help to fix the below error for MS Exchange server 2010 I. Out Of office not working II. Certificate error "name on the security certificate is invalid or does not match the name of the site" III. Make Internal URLs and External…
In this video we show how to create an Accepted Domain in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Mail Flow >> Ac…
how to add IIS SMTP to handle application/Scanner relays into office 365.

705 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question