Solved

RBAC in Exchange 2010

Posted on 2014-10-13
Last Modified: 2014-10-22
Can anyone assist with the below EMS error I receive trying to add a role assignment with an OU scope:

WARNING: The domain.com/Group Objects/Stellar management scope won't be applied to the management role assignment for the Stellar DistributionGroups Management management role because the implicit scope on this role, MyDistributionGroups, is smaller than the specified scope.

I'm using a custom role named StellarDistributionGroups Management with the following entries (parent is distribution groups):
Add-DistributionGroupMember
Get-DistributionGroup
Get-DistributionGroupMember
Get-Group
Get-Recipient
New-DistributionGroup
Remove-DistributionGroupMember
Set-DynamicDistributionGroup
Set-Group
Update-DistributionGroupMember
Set-DistributionGroup

I'm running the following cmdlets:
[PS] C:\>New-ManagementRoleAssignment -Name "Stellar DL Managers" -SecurityGroup "stellar Distribution Group Managers" -Role "Stellar DistributionGroups Management" -RecipientOrganizationalUnitScope "domain.com/Group Objects/SA"
Question by:timgreen7077
Expert Comment

by:imkottees
ID: 40380935
Hi,

There is a conflict in the scope which you are specifying. Try setting the same scope as the StellarDistributionGroups mgmt role.
Accepted Solution

by:
Jian An Lim earned 500 total points
ID: 40381126
To be precise, MyDistributionGroups has an ImplicitRecipientReadScope of MyGAL.

Get-ManagementRole mydistrib* | ft identity,impl*

I wonder why MyDistributionGroups comes into play.

How do you create your management role?

The right way is to use
new-managementrole -parent "Distribution groups" -name "StellarDL"

Then run this to find out what commands you have:
get-managementrole "StellarDl" | get-managementroleentry

If you want to remove a command, you basically do
get-managementrole "StellarDl" | get-managementroleentry <command you want to remove> | remove-managementroleentry -confirm:$false


Then you run the below command
New-ManagementRoleAssignment -Name "Stellar DL Managers" -SecurityGroup "stellar Distribution Group Managers" -Role "StellarDl" -RecipientOrganizationalUnitScope "domain.com/Group Objects/SA"
P.S.: you need to create the security group "Stellar distribution group managers" manually before running the command.


OR

New-RoleGroup -Name <role group name> "Stellar DL Managers" -Roles <roles to assign> "StellarDl" -RecipientOrganizationalUnitScope "domain.com/Group Objects/SA"

P.S.: remove the <comment>. The above way will create the group in


Please be very specific about where you are stuck so I can assist you further.
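
A pre-flight check for the scope problem discussed above, as an added example that is not part of the original answer. It assumes the Exchange Management Shell, the role, group and OU names used in the thread, and that an OU scope is only honoured when the role's implicit write scope is Organization (an assumption drawn from the warning in the question).

```powershell
# Added example: confirm the custom role's implicit scope before assigning it
# with an OU scope, then confirm the scope was actually stored.
# Names below are taken from the thread; adjust them to your environment.
$roleName = 'StellarDL'
$group    = 'stellar Distribution Group Managers'
$ou       = 'domain.com/Group Objects/SA'

$role = Get-ManagementRole -Identity $roleName -ErrorAction Stop

# Show which built-in role the custom role descends from and its implicit scopes.
$role | Format-List Name, Parent, IsEndUserRole,
                    ImplicitRecipientReadScope, ImplicitRecipientWriteScope

if ($role.ImplicitRecipientWriteScope -ne 'Organization') {
    # Assumption: a role whose implicit write scope is narrower than the OU
    # (for example MyDistributionGroups) has the OU scope dropped, which is
    # the warning shown in the question.
    Write-Warning ("Role '{0}' has implicit write scope '{1}'; the OU scope would not be applied. " +
                   "Recreate the role from the 'Distribution Groups' parent.") -f `
                   $role.Name, $role.ImplicitRecipientWriteScope
}
else {
    # Preview first; remove -WhatIf once the output looks right.
    New-ManagementRoleAssignment -Name 'Stellar DL Managers' `
        -SecurityGroup $group -Role $roleName `
        -RecipientOrganizationalUnitScope $ou -WhatIf
}

# After the real assignment: the write scope should be the OU, not the
# role's implicit scope. Any assignment on this role that still shows the
# implicit scope grants more (or less) than intended.
Get-ManagementRoleAssignment -Role $roleName |
    Format-List Name, RoleAssigneeName, RecipientReadScope,
                RecipientWriteScope, CustomRecipientWriteScope
```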
Author Comment

by:timgreen7077
ID: 40392091
I have been really busy last week. I will reattempt this today or tomorrow and update. Thanks.
Author Closing Comment

by:timgreen7077
ID: 40398283
Thanks, that fixed my issue.