This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
Hello,
Please excuse me for partially the same question as was posted here, but I'd like to illustrate the whole configuration process and find out what (if) was done wrong.
The theory - Create a custom management scope for In-Place eDiscovery searches
The practice:
Checking:
Testing:
Please note that since the eDiscovery/in-hold tab does appear on Bail's ECP the Test_Discovery_Manager role group assignment has worked correctly.
What's wrong with the scope permissions?
Thank you in advance,
Michael
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(246.4, 22%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKY%3C/text%3E%3C/svg%3E)
@Mikhail Firsov
Hi,Michael.
I noticed that you mentioned you are using Exchange 2019 in the former post.
And I tested in my lab (both in Exchange 2019 CU2 and Exchange 2016 CU13) and got the same result.
The problem may be resulted from the distribution group not being resolved correctly into the mailbox addresses of members in this group.
As the error message statued "You don't have sufficient permissions to search the mailbox..."(while actually it's a distribution group) and accroding to this article from Exchange Team Blog.
I suppose that it may be a bug.
As a workaround,you can try manually selecting all specific mailboxes in the distribution group instead of selecting the distribution group directly.
In my test,the search can complete without the permission error.
If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Hi KaelYao-MSFT,
Before creating new searches I always check whether the -Filter is working: (I just did not post it):
... I assumed that if the -Filter in Get-Recipient is working then - theoretically - the -RecipientRestrictionFilter in the NewScope cmdlet should also work. Since the search does succeed for a mailbox (not a group!) that is part of the custom scope the assumption was correct. And you right: changing the group to a user mailbox from that group leads to the search creating successfully:
Furthermore, I did see somewhere on technet the article discribing the issue (a bug?) with resolving distribution groups - as far as I see it's exactly the same problem. I just don't remeber that the article contained something like "this issue will be fixed in ...".
I also think this is the bug and administrators must know that this would not work:
Thank you very much for your help!
Regards,
Michael Firsov
@Mikhail Firsov
Hi,Michael.
Thanks for your sharing and understanding.
I also checked that the filter is working fine (it can output all mailboxes in the distribution group correctly)
and suppose that the problem occurs when using EAC to start a search.
Somehow the distribution group was just not resolved (into mailboxes in it) and itself was considered a mailbox.
Thus it doesn't match the distinguished name in the filter(supposed to be mailboxes in the group),and then generates a permission error.
While if not using the custom management scope setting,it is working fine without such problem.
If it is confimred to be a bug,I suppose we have to wait for CU updates to get it repaired.
Sorry for the inconvenience.
P.S. I find it rather serious bug because it's easy to select several users instead of the group name in the test environment but in real networks distribution groups may contain hundreds or thousands members!
Thank you, KaelYao-MSFT!