Scoping RBAC Role Group To Multiple Organizational Units

Configuring RBAC roles and role groups requires a good understanding of how Role Based Access Control works. Anyone who has created custom RBAC role groups knows that it is easy to scope the permissions to a particular OU. But what if you want one of the role groups to have permissions across a number of OUs? Let's find out.

In order to scope a role group to a single OU, run the following command.

New-RoleGroup -Name "Role Group Name" -Roles "Mail Enabled Public Folders", "Move Mailboxes", "Public Folders", "Security Group Creation and Membership" -RecipientOrganizationalUnitScope "chakka.local/Sales"

The above command gives the role group the permissions (via the roles mentioned) and is scoped only to the Sales OU. Simple, huh? I won't be going into creating custom roles and role assignments in this article.

Now, what if I want the same role group to be scoped across a number of OUs, say Sales, IT and Marketing? We can't list several OUs separated by commas in the above command. For this to work, we need to create a custom management scope and then use that scope in the CustomRecipientWriteScope parameter of the New-RoleGroup cmdlet.

In order to create a management scope for a few OUs, run the following command.

New-ManagementScope -Name "Scope Name" -RecipientRestrictionFilter { (DistinguishedName -Like '*,ou=sales,dc=chakka,dc=local') -or (DistinguishedName -Like '*,ou=it,dc=chakka,dc=local') -or (DistinguishedName -Like '*,ou=marketing,dc=chakka,dc=local') }

Create custom management scope

Once the custom scope is created, we can create the role group using the command below.

New-RoleGroup -Name "Role Group Name" -Roles "Mail Enabled Public Folders", "Move Mailboxes", "Public Folders", "Security Group Creation and Membership" -CustomRecipientWriteScope "Scope Name"

New role group with custom scope
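As an added worked example (not the article's own commands, and not something the author ran), the script below strings the two steps together and adds the checks a practitioner would want around them. It first passes the same filter text to Get-Recipient, because several commenters report that -like on DistinguishedName returns no recipients and that pasted curly quotes trigger "Invalid filter syntax"; an empty result here means the scope would grant nothing. It then creates the scope and the role group only if they do not already exist, and finishes by listing the role assignments behind the group so the effective write scope can be reviewed. The domain chakka.local and the OU names come from the article; the scope name and role group name are placeholders.

```powershell
# Added example, not from the article: build a multi-OU custom recipient
# write scope, verify it, attach it to a role group, then review the result.
# Run from the Exchange Management Shell with an account that holds the
# Role Management role. Scope and group names are placeholders (assumption).

$ScopeName     = 'Regional Recipient Admins Scope'   # placeholder
$RoleGroupName = 'Regional Recipient Admins'         # placeholder
$Roles         = 'Mail Enabled Public Folders', 'Move Mailboxes',
                 'Public Folders', 'Security Group Creation and Membership'

# One -like clause per OU. Single quotes inside the filter, as in the article's
# comments, avoid the "Invalid filter syntax" error that curly quotes cause.
$OuSuffixes = '*,ou=sales,dc=chakka,dc=local',
              '*,ou=it,dc=chakka,dc=local',
              '*,ou=marketing,dc=chakka,dc=local'
$FilterText = ($OuSuffixes | ForEach-Object { "(DistinguishedName -like '$_')" }) -join ' -or '
# Resulting string:
# (DistinguishedName -like '*,ou=sales,dc=chakka,dc=local') -or (DistinguishedName -like '*,ou=it,...') -or (...)

# 1. Dry run: hand the identical filter to Get-Recipient. The recipients it
#    returns are exactly those the scope would cover. Zero matches means the
#    DN wildcard is not working in this environment; stop before creating
#    a scope that grants nothing (or, worse, is later widened by hand).
$covered = @(Get-Recipient -Filter $FilterText -ResultSize Unlimited)
Write-Host ("Filter matches {0} recipient(s)" -f $covered.Count)
if ($covered.Count -eq 0) {
    throw 'Filter matched no recipients; fix the filter before creating the scope.'
}

# 2. Create the management scope (reuse it if it already exists).
$scope = Get-ManagementScope -Identity $ScopeName -ErrorAction SilentlyContinue
if (-not $scope) {
    $scope = New-ManagementScope -Name $ScopeName -RecipientRestrictionFilter $FilterText
}

# 3. Create the role group whose recipient write scope is the custom scope.
$group = Get-RoleGroup -Identity $RoleGroupName -ErrorAction SilentlyContinue
if (-not $group) {
    $group = New-RoleGroup -Name $RoleGroupName -Roles $Roles -CustomRecipientWriteScope $ScopeName
}

# 4. Review: each assignment behind the group should show
#    RecipientWriteScope = CustomRecipientScope and the custom scope's name.
#    Repeat this after any later change to the group to catch a silently
#    widened scope.
Get-ManagementRoleAssignment -RoleAssignee $RoleGroupName |
    Select-Object Role, RecipientWriteScope, CustomRecipientWriteScope |
    Format-Table -AutoSize
```

Step 1 is the important addition: the restriction filter is evaluated the same way by Get-Recipient and by the scope, so testing it with Get-Recipient before committing is the cheapest way to confirm who the role group will actually be able to modify.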

Job done. ;)

12 thoughts on "Scoping RBAC Role Group To Multiple Organizational Units"

  1. Rajith,

    Hi. I am having an issue trying to set up a management scope that looks at a security group. Do you know if this can be done? This is the command that I am running.

    New-ManagementScope -Name "test" -RecipientRestrictionFilter {MemberOfGroup -eq 'CN=test1,CN=test2,DC=internal,DC=test,DC=com'}

    I have read that this can be done and the command runs, but it doesn't seem to work?
    What I am trying to do is give an account Exchange impersonation rights to users in a security group.

  2. Just change the quotes around the paths to single quotes:

    New-ManagementScope -Name "Scope Name" -RecipientRestrictionFilter { (DistinguishedName -Like '*,ou=sales,dc=chakka,dc=local') -or (DistinguishedName -Like '*,ou=it,dc=chakka,dc=local') -or (DistinguishedName -Like '*,ou=marketing,dc=chakka,dc=local') }

  3. At the beginning, I got the same error as well when I cut and pasted the command.

    The weird thing was it worked when I hand typed everything. I guess there might be some characters it didn’t like.

    I'm on Exchange 2010 SP1.

      • I have tried to apply the filter as suggested but it was failing; then I retyped it and was able to create the scope, but it does not work and gives the error "invalid scope". What could be the reason?

  4. This is what it kicks back in Exchange 2010 SP3 when trying to make a scope with multiple OUs:

    "Invalid filter syntax. For a description of the filter parameter syntax see the command help."

    "parameter RecipientRestrictionFilter must have valid format and refer to valid Recipient properties.
    Parameter name: RecipientRestrictionFilter
    + CategoryInfo : InvalidArgument: (:) [New-ManagementScope], ArgumentException
    + FullyQualifiedErrorId : 712F2B43,Microsoft.Exchange.Management.Tasks.NewManagementScope"

  5. I have also tried using wildcards with distinguished names and it fails every time. I've done some research, and when creating Distinguished Name filters, wildcards are not supported, as evidenced in the following links:
    and there is a statement at the following site:

    “Regarding match algorithms of LDAP filters, LDAP directory systems comply with the specifications of the original X.500 standards. According to these matching rules you can’t use wildcards in LDAP filters for attributes containing LDAP distinguished names (attributes with DN-string syntax / ADSI attribute data type ADSTYPE_DN_STRING = 1). The same applies for ADS: Filters in which DN attributes are searched with wildcards do not work.

    This can be quite irritating. You can’t e.g. search for all users that are members in groups that contain a certain string in their group names. The reason for this is that the user attribute memberOf has the data type DN-string.

    Even more important could be the search for objects in a specific OU. Especially, when only the declaration of a pure filter string is allowed and when there is no possibility to specify the search base of an LDAP search. This might well be so e.g. for the definition of recipient policies in Microsoft Exchange environments. Thus, the following filter won’t work!


    In this case we have to use a script-based solution which provides a workaround for this LDAP filter limitation.”

    So wildcards are not supported when using distinguished names.

  6. Hi Rajith,
    Thank you for the reply. The command that I am using is :

    Get-Recipient -Filter "DistinguishedName -like '*,OU=IT,DC=TestDomanin,DC=net'"

    There is no error; it simply doesn't return any recipients (there are several hundred mailboxes in this OU).

    If I change the filter to an exact DN (without the wildcard character) it of course returns the single user.

    I've also tested this out by creating a recipient scope (with the above filter) and assigning it to a test account. I then try using the test account to update a mailbox in the OU with Set-Mailbox Andrew-Test -CustomAttribute1 "Test" -ea stop

    I get the following error:
    The operation on mailbox "" failed because it's out of the current user's write scope. '' isn't within your current write scopes. Can't perform save operation.
    + CategoryInfo : InvalidOperation: (ctq.chevrontexa…ins00/!arxk-ctq:ADObjectId) [Set-Mailbox], InvalidOperationException
    + FullyQualifiedErrorId : 89524105,Microsoft.Exchange.Management.RecipientTasks.SetMailbox

    I hope I’m doing something stupid and that is why it isn’t working for me. This type of solution should be available in Exchange 2010 or the possibility of multiple RecipientRoots.

  7. I've tested this with SP1 and SP2, but using DistinguishedName with -like doesn't appear to actually work. It only appears to work with exact matches, as described in the recipient filter document from Microsoft:

    Property: DistinguishedName
    Description: This property contains the DN of the recipients for which you are filtering.
    Value: DN
    Cmdlets that accept this Property:
    When creating your own custom filters, be aware of the following: -like (string comparison)

    You can test this out by using the Get-Recipient cmdlet and using the -Filter parameter.

    • Hi Andrew,

      I ran the mentioned commands successfully. Can you paste the command and error you are getting?

