Scoping RBAC Role Group To Multiple Organizational UNITS

Configuring RBAC roles and role groups require a good understanding of how the Role Based Access Control works. Anyone who has created custom RBAC role groups know that it is easy to scope the permissions to a particular OU. But, what if you want one of the role group to have permissions across a number of OUs? Let’s find out.

In order to scope a role group to a single OU, run the following command.

New-RoleGroup -Name “Role Group Name” -Roles “Mail Enabled Public Folders”, “Move Mailboxes”, “Public Folders”, “Security Group Creation and Membership” -RecipientOrganizationalUnitScope “chakka.local/Sales”

The above command gives the role group the permissions (via roles mentioned) and is only scoped to the Sales OU. Simple, huh? I won’t be going into creating custom roles and role assignments in this article.

Now, what if I want the same role group to be scoped across a number of OUs, say Sales, IT, Marketing for example? We can’t specify all the required OUs with a comma in the above command. For this to work, we need to create a custom management scope and then use the scope in the CustomRecipientWriteScope paramater of the New-RoleGroup cmdlet.

In order to create a management scope for a few OUs, run the following command.

New-ManagementScope -Name “Scope Name” -RecipientRestrictionFilter { (DistinguishedName -Like “*,ou=sales,dc=chakka,dc=local”) -or (Distinguishedname -Like “*,ou=it,dc=chakka,dc=local”) -or (DistinguishedName -Like “*,ou=marketing,dc=chakka,dc=local”) }

Create custom management scope

Once the custom scope is created, we can create the role group using the command below.

New-RoleGroup -Name “Role Group Name” -Roles “Mail Enabled Public Folders”, “Move Mailboxes”, “Public Folders”, “Security Group Creation and Membership” -CustomRecipientWriteScope “Scope Name”

New role group with custom scope

Job done Winking smile

Rajith

Rajith Enchiparambil

Cloud Architect & Blogger with interests in Microsoft 365, AWS & Azure. I am active on Experts Exchange & TechNet forums and I am a technical author for SearchExchange. Follow me on Twitter, LinkedIn or Facebook for the latest updates. For consultancy opportunities, drop me a line.

12 thoughts on “Scoping RBAC Role Group To Multiple Organizational UNITS”

  1. I’ve tested this with SP1 and SP2 but using DistinguishedName with like doesn’t appear to actually work. It only appears to work with exact matches as described in the recipient filter document from Microsoft:
    http://technet.microsoft.com/library/bb738155(EXCHG.80).aspx

    Property: DistinguishedName
    Description: This property contains the DN of the recipients for which you are filtering.
    Value: DN
    Cmdlets that accept this Property:
    Get-CASMailbox
    Get-Contact
    Get-DistributionGroup
    Get-DynamicDistributionGroup
    Get-Group
    Get-Mailbox
    Get-MailContact
    Get-MailPublicFolder
    Get-MailUser
    Get-Recipient
    Get-UMMailbox
    Get-User

    http://technet.microsoft.com/en-us/library/bb124268.aspx
    When creating your own custom filters, be aware of the following:-like (string comparison)

    You can test this out by using the Get-Recipient cmdlet and using the -Filter parameter.

    Reply
    • Hi Andrew,

      I ran the mentioned commands successfully. Can you paste the command and error you are getting?

      Reply
  2. Hi Rajith,
    Thank you for the reply. The command that I am using is :

    Get-Recipient -Filter “DistinguishedName -like ‘*,OU=IT,DC=TestDomanin,DC=net'”

    There is no error, it simply doesn’t return any recipients (there are several hundreds of mailboxes in this OU)

    If I change the filter to an exact DN (without the wildcard character) it of course returns the single user.

    I’ve also tested this out by assigning a recipient scope (with the above filter) and assigned it to a test account. I then try using the test account to update a mailbox in the OU with Set-Mailbox Andrew-Test -CustomAttribute1 “Test” -ea stop

    I get the following error:
    The operation on mailbox “TestDomanin.net/IT/Andrew-Test” failed because it’s out of the current user’s write scope. ‘TestDomain.net/IT/Andrew-Test’ isn’t within your current write scopes. Can’t perform save operation.
    + CategoryInfo : InvalidOperation: (ctq.chevrontexa…ins00/!arxk-ctq:ADObjectId) [Set-Mailbox], InvalidO perationException
    + FullyQualifiedErrorId : 89524105,Microsoft.Exchange.Management.RecipientTasks.SetMailbox

    I hope I’m doing something stupid and that is why it isn’t working for me. This type of solution should be available in Exchange 2010 or the possibility of multiple RecipientRoots.

    Reply
  3. I have also tried using wild cards with distinguished names and accordingly it fails every time. I’ve done some research and when creating Distinguished Name filters, wildcards are not supported as evidenced in the following links:
    http://msdn.microsoft.com/en-us/library/windows/desktop/ms684431%28v=vs.85%29.aspx
    and there is a statement at the following site:http://www.ldapexplorer.com/en/manual/109010000-ldap-filter-syntax.htm

    “Regarding match algorithms of LDAP filters, LDAP directory systems comply with the specifications of the original X.500 standards. According to these matching rules you can’t use wildcards in LDAP filters for attributes containing LDAP distinguished names (attributes with DN-string syntax / ADSI attribute data type ADSTYPE_DN_STRING = 1). The same applies for ADS: Filters in which DN attributes are searched with wildcards do not work.

    This can be quite irritating. You can’t e.g. search for all users that are members in groups that contain a certain string in their group names. The reason for this is that the user attribute memberOf has the data type DN-string.

    Even more important could be the search for objects in a specific OU. Especially, when only the declaration of a pure filter string is allowed and when there is no possibility to specify the search base of an LDAP search. This might well be so e.g. for the definition of recipient policies in Microsoft Exchange environments. Thus, the following filter won’t work!

    (distinguishedName=*,ou=Sydney,dc=cerrotorre,dc=org)

    In this case we have to use a script-based solution which provides a workaround for this LDAP filter limitation.”

    So wildcards are not supported when using distinguished names.

    Reply
  4. This is what it kicks back in Exchange 2010 SP3 when trying to make a scope with multiple OUs:

    “Invalid filter syntax. For a description of the filter parameter syntax see the command help.”

    “parameter RecipientRestrictionFilter must have valid format and refer to valid Recipient properties.
    Parameter name: RecipientRestrictionFilter
    + CategoryInfo : InvalidArgument: (:) [New-ManagementScope], ArgumentException
    + FullyQualifiedErrorId : 712F2B43,Microsoft.Exchange.Management.Tasks.NewManagementScope”

    Reply
  5. At the beginning, I got the same error as well when I cut & paste the command.

    The weird thing was it worked when I hand typed everything. I guess there might be some characters it didn’t like.

    I’m on Exchanage 2010 SP1.

    Reply
  6. Just change the quotes around the paths to single quotes

    New-ManagementScope -Name “Scope Name” -RecipientRestrictionFilter { (DistinguishedName -Like ‘*,ou=sales,dc=chakka,dc=local’) -or (Distinguishedname -Like ‘*,ou=it,dc=chakka,dc=local’) -or (DistinguishedName -Like ‘*,ou=marketing,dc=chakka,dc=local’) }

    Reply
  7. Rajith,

    Hi. I am having issue trying to setup a management scope the looks at a security group. Do you if this can be done? this is the command that i am running.

    New-ManagementScope -Name “test” -RecipientRestrictionFilter {MemberOfGroup -eq “CN=test1,CN=test2,DC=internal,DC=test,DC=com}

    I have read that this can be done and the command runs, but it doesn’t seem to work?
    What i am trying to do is get a account exchange impersonation rights to users in a secuirty group.
    Thanks

    Reply

Leave a Comment