Solved

RBAC in Exchange 2010

Posted on 2014-10-13
Last Modified: 2014-10-22
Can anyone assist with the below EMS error I receive trying to add a role assignment with an OU scope:

WARNING: The domain.com/Group Objects/Stellar management scope won't be applied to the management role assignment for the Stellar DistributionGroups Management management role because the implicit scope on this role, MyDistributionGroups, is smaller than the specified scope.

I'm using a custom role named StellarDistributionGroups Management with the following entries (parent is distribution groups):
Add-DistributionGroupMember
Get-DistributionGroup
Get-DistributionGroupMember
Get-Group
Get-Recipient
New-DistributionGroup
Remove-DistributionGroupMember
Set-DynamicDistributionGroup
Set-Group
Update-DistributionGroupMember
Set-DistributionGroup

I'm running the following cmdlets:
[PS] C:\>New-ManagementRoleAssignment -Name "Stellar DL Managers" -SecurityGroup "stellar Distribution Group Managers" -Role "Stellar DistributionGroups Management" -RecipientOrganizationalUnitScope "domain.com/Group Objects/SA"
Question by:timgreen7077
4 Comments
 
LVL 13

Expert Comment

by:imkottees
ID: 40380935
Hi,

There is a conflict in the scope which you are specifying. Try setting the same scope as the StellarDistributionGroups mgmt role.
0
 
LVL 37

Accepted Solution

by:
Jian An Lim earned 500 total points
ID: 40381126
To be precise, MyDistributionGroups has an ImplicitRecipientReadScope of MyGAL

Get-ManagementRole mydistrib* | ft identity,impl*

I wonder why MyDistributionGroups comes into play.

How do you create your management role?

The right way is to use
new-managementrole -parent "Distribution groups" -name "StellarDL"

Then run this to find out what commands you have
get-managementrole "StellarDl" | get-managementroleentry

If you want to remove a command, you basically do
get-managementrole "StellarDl" | get-managementroleentry <command you want to remove> | remove-managementroleentry -confirm:$false


Then you run the below command
New-ManagementRoleAssignment -Name "Stellar DL Managers" -SecurityGroup "stellar Distribution Group Managers" -Role "StellarDl" -RecipientOrganizationalUnitScope "domain.com/Group Objects/SA"
P.S.: you need to create the security group "Stellar distribution group managers" manually before running the command


OR

New-RoleGroup -Name <role group name> "Stellar DL Managers" -Roles <roles to assign> "StellarDl" -RecipientOrganizationalUnitScope "domain.com/Group Objects/SA"

p/s: remove the <comment> .. the above way will create the group in


Please be very specific about where you are stuck so I can assist you further.
0
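
A way to check the two things this thread turns on, the implicit scopes carried by the role and the scope actually recorded on the assignment, as an added example that is not part of the original posts. The function names are hypothetical, and treating any implicit recipient write scope other than Organization as one that will not accept an OU scope is an assumption drawn from the warning text in the question.

```powershell
# Added example; run in the Exchange Management Shell.
# Role, group and OU names are the ones used in this thread.

# Pre-flight: show the implicit scopes a role inherits from its parent.
# Assumption: an OU scope is only applied when the implicit recipient
# write scope is Organization (the warning above reports the case
# where it is MyDistributionGroups instead).
function Test-RoleOuScope {
    param([Parameter(Mandatory = $true)][string]$RoleName)

    Get-ManagementRole -Identity $RoleName -ErrorAction Stop |
        Select-Object Name, Parent,
            ImplicitRecipientReadScope, ImplicitRecipientWriteScope,
            @{ Name = 'OuScopeExpectedToApply'
               Expression = { [string]$_.ImplicitRecipientWriteScope -eq 'Organization' } }
}

# Post-check: list every assignment held by the security group and
# whether its write scope is really the OU that was requested.
function Get-AssigneeScopeReport {
    param(
        [Parameter(Mandatory = $true)][string]$Assignee,
        [Parameter(Mandatory = $true)][string]$ExpectedOu
    )

    Get-ManagementRoleAssignment -RoleAssignee $Assignee -ErrorAction Stop |
        Select-Object Name, Role, RecipientWriteScope, CustomRecipientWriteScope,
            @{ Name = 'ScopedToExpectedOu'
               Expression = {
                   ([string]$_.RecipientWriteScope -eq 'OU') -and
                   ([string]$_.CustomRecipientWriteScope -eq $ExpectedOu)
               } }
}

# The role from the question (child of an end-user role) and the role
# from the accepted answer (child of "Distribution Groups").
Test-RoleOuScope -RoleName 'Stellar DistributionGroups Management' | Format-List
Test-RoleOuScope -RoleName 'StellarDl' | Format-List

# After New-ManagementRoleAssignment, confirm nothing is wider than intended.
Get-AssigneeScopeReport -Assignee 'stellar Distribution Group Managers' `
    -ExpectedOu 'domain.com/Group Objects/SA' | Format-Table -AutoSize
```

Any row where ScopedToExpectedOu is False is an assignment whose effective write scope differs from the OU that was requested and should be reviewed before the group is handed to delegated administrators.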
 

Author Comment

by:timgreen7077
ID: 40392091
I have been really busy last week. I will reattempt this today or tomorrow and update. Thanks.
0
 

Author Closing Comment

by:timgreen7077
ID: 40398283
Thanks that fixed my issue.
0

Question has a verified solution.
