Exch 2010: RBAC Permissions, Management Scopes and Impersonations

  • Exch 2010: RBAC Permissions, Management Scopes and Impersonations

    I'm trying to correct some errors we're having with CRM4.0, and a consultant/MS Engineer I've been talking to about the problems is convinced that the problem lies with the RBAC permissions in Exch 2010.

    MS have suggested following this guide:
    To solve the issue. However, I believe the blog post is flawed, as it assumes one user only for impersonation, when we in fact need 3. I've tried modifying the commands to use the 'root' properties of the command to filter based on a specific OU in Active Directory rather than on a specific user name, but this doesn't appear to make any difference.

    Just so I understand the processes:
    A role is basically a group, a scope is what you apply to the role, and that defines what it can and can't do. And you apply a role to a user to set the user to be capable of what the scope specifies.


  • #2
    Re: Exch 2010: RBAC Permissions, Management Scopes and Impersonations

    A role is a permission or a set of permissions combined into something usable while administering with RBAC. It defines which tasks the user or the group that has this role assigned is able to do.
    To see what predefined roles are available you can run the command

    A defined scope is a restriction since if you don't configure a custom scope the basic scope of the assigned role is used which is most likely the whole organization or Active Directory.

    If you want to grant this permission to more than one user, I would create a Management Role Group instead of assigning the role to a single user. So the steps would be:

    1. Create a Management Scope based on a recipient root
    # RecipientRoot only works together with a RecipientRestrictionFilter; the filter here limits the scope to mailboxes
    new-managementscope "bla" -RecipientRoot "Domain or an OU within" -RecipientRestrictionFilter { RecipientType -eq "UserMailbox" }

    2. Create a new role group using
    # a RecipientRoot-based scope is a recipient scope, so it is attached with -CustomRecipientWriteScope rather than -CustomConfigWriteScope
    new-rolegroup "Group-Bla" -Roles "ApplicationImpersonation" -CustomRecipientWriteScope "bla"

    3. Put user into the newly created group which you can find in the Microsoft Exchange Security Groups - OU in the root domain.
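The three steps above, carried through end to end as an added example (this is not code from the thread or from Microsoft's guide). It is written for the Exchange 2010 Management Shell and assumes placeholder names throughout: the OU path, the scope and group names, and the three service account names are all made up and must be replaced. It goes slightly beyond the reply by restricting the scope to user mailboxes only and by checking afterwards which accounts actually ended up with ApplicationImpersonation, which is the check you want before handing the accounts to CRM.

```powershell
# Added example, not from the thread: scope ApplicationImpersonation to a single
# OU and grant it through a role group to several service accounts.
# Run from the Exchange Management Shell as a member of Organization Management.
# Every name below is a placeholder (assumed for this example).

$ouRoot      = "contoso.local/CRM Mailboxes"     # assumed OU holding the CRM users
$scopeName   = "CRM Impersonation Scope"          # assumed scope name
$groupName   = "CRM Impersonation"                # assumed role group name
$svcAccounts = "svc-crm-async", "svc-crm-email", "svc-crm-router"   # assumed accounts

# 1. Recipient scope. RecipientRoot must be paired with a RecipientRestrictionFilter;
#    filtering on RecipientType keeps the scope to mailboxes, so the service
#    accounts cannot impersonate contacts, distribution groups or mail users.
New-ManagementScope -Name $scopeName `
    -RecipientRoot $ouRoot `
    -RecipientRestrictionFilter { RecipientType -eq "UserMailbox" }

# 2. Role group carrying ApplicationImpersonation. A RecipientRoot scope is a
#    recipient scope, so it is attached with -CustomRecipientWriteScope.
New-RoleGroup -Name $groupName `
    -Roles "ApplicationImpersonation" `
    -CustomRecipientWriteScope $scopeName

# 3. Membership: each CRM service account inherits the permission from the group,
#    so adding or removing an account never touches the scope or the assignment.
foreach ($acct in $svcAccounts) {
    Add-RoleGroupMember -Identity $groupName -Member $acct
}

# Verification. The assignment created for the group should show the custom
# recipient scope rather than the default organization-wide scope.
Get-ManagementRoleAssignment -RoleAssignee $groupName |
    Format-Table Name, Role, CustomRecipientWriteScope -AutoSize

# Expand every assignment of ApplicationImpersonation down to the individual
# accounts that hold it. Anything beyond the three service accounts (or an
# assignment with no custom scope) is over-privilege worth removing.
Get-ManagementRoleAssignment -Role "ApplicationImpersonation" -GetEffectiveUsers |
    Select-Object EffectiveUserName, RoleAssigneeName, CustomRecipientWriteScope |
    Format-Table -AutoSize

# Confirm the scope resolves to the intended OU before trusting the result above.
Get-ManagementScope -Identity $scopeName |
    Format-List Name, RecipientRoot, RecipientFilter
```

The second Get-ManagementRoleAssignment call is the part worth keeping as a recurring check: ApplicationImpersonation grants full access to every mailbox inside the scope, so the list of effective users and their write scopes is what an auditor will ask for, and the same call will surface an old per-user assignment left over from an earlier attempt.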