Exchange 2010: Can you scope permissions to more than one OU?


About a month ago I got the following mail:

Hi Ilse, I know you had an RBAC session at TechEd. We tried to scope to multiple OUs as described in this article, without any success: http://technet.microsoft.com/en-us/library/dd638181(EXCHG.149).aspx. RecipientOrganizationalUnitScope uses the syntax domain/OU 1/OU 2/OU N (where N is the designation of each of the specified OUs). Unfortunately we can't find a real example. Have you ever tried this parameter with multiple OUs? Thanks in advance, Fabian

I wasn't sure why it wouldn't work as stated in the TechNet article, so it was definitely an interesting question to check out.

Step 1. Setting the scene…

In my demo environment I have a few Organizational Units, as can be seen in this screenshot:

[Screenshot: IVC-0777, the OU layout of the demo domain]

The goal is to create a new group, "Studio & Zaventem Admins", and give that group the right to manage the mail recipients in two sibling Organizational Units, Zaventem and Studio:

[Screenshots: IVC-0781, IVC-0782]

Step 2. Follow the steps defined in the mentioned TechNet article

First try: create a new role group called Studio Admins, which gets the Mail Recipients role and will be able to manage recipients located in the OU Studio, using this EMS line (plain ASCII hyphens and straight quotes; the curly variants that some editors substitute are not valid PowerShell syntax):

New-RoleGroup -Name "Studio Admins" -Roles "Mail Recipients" -RecipientOrganizationalUnitScope studio

And this one worked like a charm:

[Screenshot: IVC-0779]

So now it's time to follow what's specified in the TechNet article:

[Screenshot of the TechNet article's RecipientOrganizationalUnitScope description]

And enter the following line in the EMS, passing the two OUs as a comma-separated list:

New-RoleGroup -Name "Studio Admins" -Roles "Mail Recipients" -RecipientOrganizationalUnitScope studio,zaventem

But unfortunately, no go:

[Screenshot: IVC-0780]

Using the Exchange Control Panel, no go either:

[Screenshots: IVC-0795, IVC-0796]

Question =

Does this mean it is impossible to scope a management role to more than one Organizational Unit?

Answer =

No :)

Question =

How?

Answer =

Using nested OUs, or using the power of recipient filters (thank you Bharat Suneja for pointing this out).

The "domain/OU 1/OU 2/OU N" syntax in the TechNet article describes the path to one nested OU (the domain, then each OU level down to the target), not a list of separate OUs: RecipientOrganizationalUnitScope accepts a single OU, which is why a comma-separated list is rejected.

Since Studio and Zaventem are siblings rather than nested, no single OU path covers both, so I have to turn to recipient filters.

Step 3. Create a Custom Management Scope

Time to create a custom management scope that includes the two Organizational Units, using the RecipientRestrictionFilter parameter of New-ManagementScope.

The problem is that OrganizationalUnit is not in the list of filterable properties; all of the filterable properties are listed here:

http://technet.microsoft.com/en-us/library/bb738155(EXCHG.80).aspx

But it is possible to use DistinguishedName, which contains the Organizational Unit path:

[Screenshot: the DistinguishedName entry in the filterable properties list]

So the following RecipientRestrictionFilter covers the two Organizational Units in my environment. Note that matching on the DN suffix with -like also matches objects in any OU nested under Studio or Zaventem, since their DNs end with the same suffix; if that is not wanted, the scope needs a narrower pattern. As with the earlier commands, use plain ASCII hyphens and straight quotes:

New-ManagementScope -Name "Studio & Zaventem Admins" -RecipientRestrictionFilter { (DistinguishedName -like "*,OU=Studio,DC=Lync,DC=local") -or (DistinguishedName -like "*,OU=Zaventem,DC=Lync,DC=local") }

[Screenshot: IVC-0784]

And then create the new role group, using the previous New-RoleGroup cmdlet, but with the CustomRecipientWriteScope parameter in place of RecipientOrganizationalUnitScope:

New-RoleGroup -Name "Studio & Zaventem Admins" -Roles "Mail Recipients" -CustomRecipientWriteScope "Studio & Zaventem Admins"

[Screenshots: IVC-0785, IVC-0786]

Step 4. Time to Test

Adding user Studio1 to the newly created role group (a universal security group):

[Screenshot: IVC-0787]

Studio1 is able to make changes to a mail recipient in OU Zaventem:

[Screenshot: IVC-0790]

and in OU Studio:

[Screenshot: IVC-0792]

But not to a user in any other OU:

[Screenshots: IVC-0791, IVC-0793]
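The following script is an added worked example, not the original post's commands: it carries Steps 3 and 4 through end to end in the Exchange Management Shell, building the filter from a list of OUs so that it can grow beyond two, previewing which recipients the filter selects before the scope exists, and then checking the result with Get-ManagementRoleAssignment instead of clicking through the ECP. The domain DC=Lync,DC=local, the OUs Studio and Zaventem, the names of the scope and role group, and the user Studio1 are taken from the post; the recipient names Zaventem1 and Other1 are assumed placeholders for a user inside and outside the scope.

```powershell
# Added example (not from the original post). Run in the Exchange Management Shell
# as an Organization Management member. All names below come from the post except
# $insideUser and $outsideUser, which are assumed placeholders.
$domainDn   = "DC=Lync,DC=local"
$ous        = @("Studio", "Zaventem")          # sibling OUs to scope to
$scopeName  = "Studio & Zaventem Admins"
$groupName  = "Studio & Zaventem Admins"
$adminUser  = "Studio1"
$insideUser = "Zaventem1"   # assumed: a recipient located in OU Zaventem
$outsideUser = "Other1"     # assumed: a recipient located in some other OU

# One -like clause per OU, OR-ed together. The DN-suffix match also covers any OU
# nested under Studio or Zaventem, because those DNs end with the same suffix.
$clauses = $ous | ForEach-Object { "(DistinguishedName -like '*,OU=$_,$domainDn')" }
$filter  = $clauses -join " -or "

# Step 3a: preview the filter against live recipients before anything is created,
# so a typo in the DN suffix shows up as an empty list rather than a useless scope.
Write-Host "Recipients the filter would select:"
Get-Recipient -RecipientPreviewFilter $filter -ResultSize Unlimited |
    Format-Table Name, OrganizationalUnit -AutoSize

# Step 3b: create the custom management scope (write scope only; it does not
# restrict what members can read).
New-ManagementScope -Name $scopeName -RecipientRestrictionFilter $filter

# Step 3c: create the role group bound to that scope, with Studio1 as first member.
New-RoleGroup -Name $groupName -Roles "Mail Recipients" `
    -CustomRecipientWriteScope $scopeName -Members $adminUser

# Step 4: verify. First confirm the scope and the assignment look as intended.
Get-ManagementScope $scopeName |
    Format-List Name, ScopeRestrictionType, RecipientFilter
Get-ManagementRoleAssignment -RoleAssignee $groupName |
    Format-Table Role, CustomRecipientWriteScope -AutoSize

function Test-RecipientWriteAccess {
    # Returns $true when $User holds at least one role assignment whose write
    # scope includes $Recipient; this is the RBAC calculation the ECP performs.
    param([string]$Recipient, [string]$User)
    $hits = Get-ManagementRoleAssignment -WritableRecipient $Recipient -GetEffectiveUsers |
        Where-Object { $_.EffectiveUserName -eq $User }
    return [bool]$hits
}

# Expected: $true for the recipient inside the scoped OUs, $false outside them.
"$adminUser can write $insideUser : "  + (Test-RecipientWriteAccess $insideUser  $adminUser)
"$adminUser can write $outsideUser : " + (Test-RecipientWriteAccess $outsideUser $adminUser)
```

Two things worth keeping in mind when reusing this: a custom recipient write scope limits only what the role group's members can change, so Studio1 still sees every recipient in the organization through Get-Recipient and the ECP; and because the scope is evaluated against the DN, moving a mailbox into or out of Studio or Zaventem changes who may manage it the next time the filter is evaluated, with no change to the role group itself.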

Mission accomplished. RBAC really is: you decide who can do what on which objects in your Exchange environment!

Ilse


Comments

  1. Jnaranjo says:

    Is this available in all versions of Exchange 2010? I have SP1 installed and the filter creation failed. Does this require SP2?

  2. Cody says:

    This doesn't work in SP3 either.  I'm fairly certain they did away with this.  

  3. Stefan says:

    Please update all code samples with a working character set. I spent an hour working with your code sample "new-ManagementScope …", which doesn't work. Result: the dashes are not compatible with PS.

    Solution: copy the code into Notepad and retype it.

    @Cody, @Jnaranjo: hopefully this helps others.
