Solved

RBAC in Exchange 2010

Posted on 2014-10-13
Last Modified: 2014-10-22
Can anyone assist with the below EMS error I receive when trying to add a role assignment with an OU scope:

WARNING: The domain.com/Group Objects/Stellar management scope won't be applied to the management role assignment for the Stellar DistributionGroups Management management role because the implicit scope on this role, MyDistributionGroups, is smaller than the specified scope.

I'm using a custom role named StellarDistributionGroups Management with the following entries (parent is distribution groups):
Add-DistributionGroupMember
Get-DistributionGroup
Get-DistributionGroupMember
Get-Group
Get-Recipient
New-DistributionGroup
Remove-DistributionGroupMember
Set-DynamicDistributionGroup
Set-Group
Update-DistributionGroupMember
Set-DistributionGroup

I'm running the following cmdlets:
[PS] C:\>New-ManagementRoleAssignment -Name "Stellar DL Managers" -SecurityGroup "stellar Distribution Group Managers" -Role "Stellar DistributionGroups Management" -RecipientOrganizationalUnitScope "domain.com/Group Objects/SA"
Question by:timgreen7077

Expert Comment

by:imkottees
ID: 40380935
Hi,

There is a conflict in the scope which you are specifying. Try setting the same scope as the StellarDistributionGroups mgmt role.

Accepted Solution

by:
Jian An Lim earned 500 total points
ID: 40381126
To be precise, MyDistributionGroups has an ImplicitRecipientReadScope of MyGAL.

Get-ManagementRole mydistrib* | ft identity,impl*

I wonder why MyDistributionGroups comes into play.

How do you create your management role?

The right way is to use
new-managementrole -parent "Distribution groups" -name "StellarDL"

Then run this to find out what commands you have
get-managementrole "StellarDl" | get-managementroleentry

If you want to remove a command, you basically do
get-managementrole "StellarDl" | get-managementroleentry <command you want to remove> | remove-managementroleentry -confirm:$false


Then you run the below command
New-ManagementRoleAssignment -Name "Stellar DL Managers" -SecurityGroup "stellar Distribution Group Managers" -Role "StellarDl" -RecipientOrganizationalUnitScope "domain.com/Group Objects/SA"
P.S.: you need to create the security group "Stellar distribution group managers" manually before running the command


OR

New-RoleGroup -Name <role group name> "Stellar DL Managers" -Roles <roles to assign> "StellarDl" -RecipientOrganizationalUnitScope "domain.com/Group Objects/SA"

p/s: remove the <comment> .. the above way will create the group in


Please be very specific about where you are stuck so I can assist you further.
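
As an added example (not part of the original answer and not the poster's code): a pre-flight check for the condition in the warning above. It reads the role's Parent and ImplicitRecipientWriteScope before an OU-scoped assignment is created, then shows the scope actually stored on the assignment. The function name Test-RoleAcceptsOuScope, the list of user-scoped implicit scopes and the sample object are assumptions; the role and assignment names come from the thread.

```powershell
# Added example, not from the thread. Targets the Exchange Management Shell;
# without it, a constructed sample object stands in for the role.
function Test-RoleAcceptsOuScope {
    param(
        [Parameter(Mandatory = $true)] $Role,
        [string] $ExpectedParent = 'Distribution Groups'
    )
    # Assumption: these end-user implicit write scopes are narrower than an OU.
    $userScoped = 'Self', 'MyDistributionGroups'
    $findings = @()
    $scope = "$($Role.ImplicitRecipientWriteScope)"
    if ($userScoped -contains $scope) {
        $findings += "Implicit write scope '$scope' is smaller than an OU; an OU scope won't be applied."
    }
    if ("$($Role.Parent)" -ne $ExpectedParent) {
        $findings += "Parent is '$($Role.Parent)', expected '$ExpectedParent'."
    }
    return $findings
}

$roleName       = 'StellarDl'             # role name from the accepted answer
$assignmentName = 'Stellar DL Managers'   # assignment name from the thread

if (Get-Command Get-ManagementRole -ErrorAction SilentlyContinue) {
    $role = Get-ManagementRole $roleName
} else {
    # Constructed sample: a role derived from MyDistributionGroups by mistake.
    $role = New-Object PSObject -Property @{
        Name = $roleName; Parent = 'MyDistributionGroups'
        ImplicitRecipientWriteScope = 'MyDistributionGroups'
    }
}

$findings = @(Test-RoleAcceptsOuScope -Role $role)
foreach ($f in $findings) { Write-Warning "${roleName}: $f" }

# After New-ManagementRoleAssignment, confirm the scope that was actually stored.
$haveEms = Get-Command Get-ManagementRoleAssignment -ErrorAction SilentlyContinue
if ($findings.Count -eq 0 -and $haveEms) {
    $a = Get-ManagementRoleAssignment $assignmentName
    $a | Format-List Name, Role, RoleAssigneeName, RecipientWriteScope, CustomRecipientWriteScope
    if ("$($a.RecipientWriteScope)" -ne 'OU') {
        Write-Warning "Assignment '$assignmentName' is not OU-scoped; review it before adding members."
    }
}
```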

Author Comment

by:timgreen7077
ID: 40392091
I have been really busy last week. I will reattempt this today or tomorrow and update. Thanks.

Author Closing Comment

by:timgreen7077
ID: 40398283
Thanks, that fixed my issue.