I recently ran into an issue when applying database scopes in Exchange 2010/2013/2016 without using the Exchange Management Shell. It happens every time you try to apply a database scope to a role assignment through the Exchange admin UI. We are currently investigating this behavior in Exchange 2013 and 2016; Exchange 2010 is in Extended Support, so admins on that version will have to use the workaround, which is to apply database scopes with the Exchange Management Shell.
When you use the Exchange Management Shell (EMS) to create, modify, or manage RBAC objects, there are only a few cmdlets you need to know (plus New-RoleGroup, which creates the role group the assignment is granted to):
New-ManagementScope – https://technet.microsoft.com/en-us/library/dd335137(v=exchg.160).aspx
New-ManagementRoleAssignment – https://technet.microsoft.com/en-us/library/dd335193(v=exchg.160).aspx
In our scenario these are the commands we used to create the role group, the database scope, and the scoped role assignment:
New-RoleGroup databaseRoleGroup -Members User1
New-ManagementScope databaseScope -DatabaseList database2
New-ManagementRoleAssignment -Role "Mail Recipient Creation" -SecurityGroup databaseRoleGroup -CustomConfigWriteScope databaseScope
The scope is what stops User1 from acting on any database other than database2. A scope created with -DatabaseList is a configuration scope, so it is attached to the assignment through -CustomConfigWriteScope (not -CustomRecipientWriteScope), and the cmdlets granted by the Mail Recipient Creation role (New-Mailbox, for example) can then only target databases in that list.
If you're running into this issue, I recommend removing the role groups and scopes you already created and starting fresh in EMS; we saw some odd things displayed when we tried to reuse the pre-existing groups.
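As an added example that is not part of the original post, here is the whole procedure as one EMS script: it removes any existing assignment, scope and role group with these names, recreates them with the commands above, and then checks through Get-ManagementRoleAssignment that the new assignment can write to database2 and to nothing else. The object names are the ones used in this post; the cleanup and verification steps, and the stand-in name database1 for a database outside the scope, are assumptions added here.

```powershell
# Added example, not from the original post: start fresh in EMS, recreate the
# role group / database scope / assignment, and verify the scope takes effect.
# Run inside the Exchange Management Shell as an admin holding Role Management.
# Names below are the ones used in the post; cleanup and checks are added here.

$groupName = 'databaseRoleGroup'
$scopeName = 'databaseScope'
$member    = 'User1'
$database  = 'database2'
$role      = 'Mail Recipient Creation'

# --- 1. Tear down anything created earlier (e.g. through the admin UI).
#        Remove the assignment first: a scope that is still referenced by an
#        assignment cannot be removed.
Get-ManagementRoleAssignment -RoleAssignee $groupName -ErrorAction SilentlyContinue |
    Remove-ManagementRoleAssignment -Confirm:$false

Get-ManagementScope -Identity $scopeName -ErrorAction SilentlyContinue |
    Remove-ManagementScope -Confirm:$false

Get-RoleGroup -Identity $groupName -ErrorAction SilentlyContinue |
    Remove-RoleGroup -Confirm:$false

# --- 2. Recreate the objects in EMS (the three commands from the post).
New-RoleGroup -Name $groupName -Members $member

# A scope built from -DatabaseList is a configuration scope, so it is attached
# to the assignment with -CustomConfigWriteScope, not -CustomRecipientWriteScope.
New-ManagementScope -Name $scopeName -DatabaseList $database

New-ManagementRoleAssignment -Role $role -SecurityGroup $groupName `
    -CustomConfigWriteScope $scopeName

# --- 3. Inspect what was created.
#        Expect ScopeRestrictionType: DatabaseScope on the scope, and
#        ConfigWriteScope: CustomConfigScope / CustomConfigWriteScope: databaseScope
#        on the assignment.
Get-ManagementScope -Identity $scopeName |
    Format-List Name, ScopeRestrictionType

Get-ManagementRoleAssignment -RoleAssignee $groupName |
    Format-List Name, Role, ConfigWriteScope, CustomConfigWriteScope

# --- 4. Ask RBAC itself which databases the group may write to.
#        -WritableDatabase returns only the assignments that allow writing to the
#        given database: the first query lists the new assignment, the second
#        returns nothing.
'Assignments for {0} that can write to {1}:' -f $groupName, $database
Get-ManagementRoleAssignment -RoleAssignee $groupName -WritableDatabase $database |
    Format-Table Name, Role -AutoSize

# Assumed name; replace with an existing database that is NOT in the scope.
$otherDb = 'database1'
'Assignments for {0} that can write to {1} (should be empty):' -f $groupName, $otherDb
Get-ManagementRoleAssignment -RoleAssignee $groupName -WritableDatabase $otherDb |
    Format-Table Name, Role -AutoSize
```

User1 only sees the new assignment in a fresh shell or web session, because RBAC evaluates role assignments when the session is established, so have the user reconnect before testing something like New-Mailbox -Database against an in-scope and an out-of-scope database.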