Exchange 2010: Can you scope permissions to more than one OU?
About a month ago I got the following mail:
Hi Ilse,
I know you had a RBAC session at TechEd. We tried to scope to multiple OUs as described in this article without any success: http://technet.microsoft.com/en-us/library/dd638181(EXCHG.149).aspx
RecipientOrganizationalUnitScope uses the syntax: domain /OU 1/OU 2/OU N (where N is the designation of each of the specified OUs). Unfortunately we can't find a real example. Have you ever tried this parameter with multiple OUs?
Thanks in advance,
Fabian
Not sure why it wouldn't work as stated in the TechNet article, but it was definitely an interesting question to check out.
Step 1. Setting the scene…
In my demo environment I have a few Organizational Units, as can be seen in the screenshot here:
The goal would be to create a new group “Studio & Zaventem Admins”, and hand that group the right to manage the mail recipients in the Organizational Units Zaventem, and Studio:
Step 2. Follow the steps defined in the mentioned TechNet article
First try: create a new role group, called Studio Admins, that gets the Mail Recipients role and is able to manage the recipients located in the OU Studio, using this EMS line:
New-RoleGroup -Name "Studio Admins" -Roles "Mail Recipients" -RecipientOrganizationalUnitScope studio
And this one worked like a charm:
So now time to follow what's specified in the TechNet article:
And enter the following line using the wonderful EMS (passing two OUs to RecipientOrganizationalUnitScope):
New-RoleGroup -Name "Studio Admins" -Roles "Mail Recipients" -RecipientOrganizationalUnitScope studio,zaventem
But unfortunately, no go…
Using the Exchange Control Panel, no go either…
Question =
Does this mean it is impossible to scope a management role to more than one Organizational Unit?
Answer =
No
Question =
How?
Answer =
Using nested OUs (the domain/OU 1/OU 2/OU N syntax in the TechNet article is a single path down through nested OUs, not a list of separate OUs)… or using the power of RecipientFilters… (thank you Bharat Suneja for pointing this out)
Since I'm not using nested OUs, I have to turn to RecipientFilters…
Step 3. Create a Custom Management Scope
Time to create a custom management scope that covers the two Organizational Units, by using the RecipientRestrictionFilter parameter.
The problem is that OrganizationalUnit is not in the list of filterable properties; all the filterable properties are listed here:
http://technet.microsoft.com/en-us/library/bb738155(EXCHG.80).aspx
But it is possible to filter on the DistinguishedName, which includes the Organizational Unit:
So the following RecipientRestrictionFilter will cover the two Organizational Units in my environment:
New-ManagementScope -Name "Studio & Zaventem Admins" -RecipientRestrictionFilter { (DistinguishedName -like "*,OU=Studio,DC=Lync,DC=local") -or (DistinguishedName -like "*,OU=Zaventem,DC=Lync,DC=local") }
And then create the new role group, using the previous New-RoleGroup cmdlet but with the CustomRecipientWriteScope parameter instead of RecipientOrganizationalUnitScope:
New-RoleGroup -Name "Studio & Zaventem Admins" -Roles "Mail Recipients" -CustomRecipientWriteScope "Studio & Zaventem Admins"
Step 4. Time to Test
Adding user Studio1 to the newly created Universal Security Group:
Studio1 is able to make changes to a mail recipient in OU Zaventem:
and OU Studio:
But not to a user in any other OU:
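The whole procedure from Step 3 and Step 4 as a script, with the checks I would run before and after granting the scope. This is an added example, not code from the original post: it reuses the Lync.local domain, the Studio and Zaventem OUs, the role group name and the Studio1 user from the post, while the child OU "Antwerp" and the user "OtherUser1" are hypothetical names used only to show the edge cases. Run it in the Exchange Management Shell.

```powershell
# Added example (not from the original post). Assumptions: domain Lync.local
# with OUs Studio and Zaventem (from the post); OU Antwerp nested under Studio
# and user OtherUser1 in an unrelated OU are hypothetical.

$ScopeName = 'Studio & Zaventem Admins'

# Same filter as the post, as an OPATH string (New-ManagementScope accepts
# either a string or a script block). Plain ASCII dashes and quotes matter:
# the curly characters a browser renders are not recognised by PowerShell.
$Filter = '(DistinguishedName -like "*,OU=Studio,DC=Lync,DC=local") -or ' +
          '(DistinguishedName -like "*,OU=Zaventem,DC=Lync,DC=local")'

# 1. Dry run before creating anything. Get-Recipient takes the same filter
#    syntax, so this lists exactly the objects the scope would expose.
Get-Recipient -Filter $Filter -ResultSize Unlimited |
    Select-Object Name, OrganizationalUnit, DistinguishedName |
    Format-Table -AutoSize

# Caveat: the leading wildcard also matches child OUs, e.g.
# CN=x,OU=Antwerp,OU=Studio,DC=Lync,DC=local. If the delegation must stop at
# the two OUs themselves, exclude DNs that have another OU in front of them.
$StrictFilter = '((DistinguishedName -like "*,OU=Studio,DC=Lync,DC=local") -and ' +
                ' (DistinguishedName -notlike "*,OU=*,OU=Studio,DC=Lync,DC=local")) -or ' +
                '((DistinguishedName -like "*,OU=Zaventem,DC=Lync,DC=local") -and ' +
                ' (DistinguishedName -notlike "*,OU=*,OU=Zaventem,DC=Lync,DC=local"))'
$Direct = Get-Recipient -Filter $StrictFilter -ResultSize Unlimited
$All    = Get-Recipient -Filter $Filter -ResultSize Unlimited
if ($All.Count -ne $Direct.Count) {
    Write-Warning ("{0} recipient(s) live in child OUs and would be in scope." -f ($All.Count - $Direct.Count))
}

# 2. Create the scope and the role group, adding Studio1 in the same step.
New-ManagementScope -Name $ScopeName -RecipientRestrictionFilter $Filter
New-RoleGroup -Name $ScopeName -Roles 'Mail Recipients' `
    -CustomRecipientWriteScope $ScopeName -Members 'Studio1'

# 3. Positive check: the assignment carries the custom write scope, and the
#    stored filter is the one we intended.
(Get-ManagementScope -Identity $ScopeName).RecipientFilter
Get-ManagementRoleAssignment -RoleAssignee $ScopeName |
    Select-Object Name, Role, RecipientWriteScope, CustomRecipientWriteScope

# 4. Negative check (the "not to a user in any other OU" test from the post):
#    no assignment of this group should be able to write to OtherUser1.
$Leak = Get-ManagementRoleAssignment -WritableRecipient 'OtherUser1' -GetEffectiveUsers |
    Where-Object { $_.RoleAssigneeName -eq $ScopeName }
if ($Leak) { Write-Warning "Scope reaches a recipient outside the two OUs." }
else       { Write-Host  "OtherUser1 is out of scope, as expected." }
```

The dry run with Get-Recipient is the part worth keeping: a RecipientRestrictionFilter is evaluated against the whole forest, so checking what it matches before it is attached to a role group is far cheaper than discovering an over-broad scope through the audit log later. The -WritableRecipient check is the same question asked from the other side, for one specific object.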
Mission accomplished… RBAC really is: You Decide Who can do What on Which Objects in Your Exchange Environment!
Ilse
Comments
Anonymous
September 26, 2012
Is this available in all versions of Exchange 2010? I have SP1 installed and the filter creation failed. Does this require SP2?
Anonymous
March 07, 2013
This doesn't work in SP3 either. I'm fairly certain they did away with this.
Anonymous
July 04, 2013
Please update all code samples with working charsets. I've spent an hour working with your code sample "New-ManagementScope ..." and it doesn't work. Result = the dashes are not compatible with PS. Solution = copy the code into Notepad and transcribe it. @Cody, @Jnaranjo: hopefully this helps others.
Anonymous
December 03, 2015
The comment has been removed