
An RBAC role assignee can unexpectedly change a DAG that is outside the management role group scope in an Exchange Server 2010 environment


Symptoms

Consider the following scenario:
  • You have some database availability groups (DAGs) in a Microsoft Exchange Server 2010 environment.
  • You create a management role assignment in the environment.
  • You assign management roles to a role assignee.
  • You define the scope of the role assignment to a member mailbox server in a DAG.
  • The role assignee tries to make some changes to another DAG that is outside the scope of the management role group by using one of the following cmdlets:
    • New-DatabaseAvailabilityGroup
    • Set-DatabaseAvailabilityGroup
    • Remove-DatabaseAvailabilityGroup
    • Stop-DatabaseAvailabilityGroup
    • Start-DatabaseAvailabilityGroup
In this scenario, the role assignee can unexpectedly change the DAG successfully.



Cause

This issue occurs because there is no Role Based Access Control (RBAC) scope validation when Exchange Server 2010 runs *-DatabaseAvailabilityGroup cmdlets.



Resolution

To resolve this issue, install the following update rollup:
2785908 Description of Update Rollup 5 version 2 for Exchange Server 2010 Service Pack 2
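
To find the role assignments that relied on the missing scope check and to review DAG changes made with them, an audit such as the following can be run in the Exchange Management Shell. It is an added example, not part of the original KB article. The 90-day window, the result size, and the matching of audit-log callers to effective user names by the last path component are assumptions.

```powershell
# Added audit example; run in the Exchange Management Shell.
$dagCmdlets = 'New-DatabaseAvailabilityGroup', 'Set-DatabaseAvailabilityGroup',
              'Remove-DatabaseAvailabilityGroup', 'Stop-DatabaseAvailabilityGroup',
              'Start-DatabaseAvailabilityGroup'

# 1. Management roles that contain at least one of the affected cmdlets.
$roles = $dagCmdlets |
    ForEach-Object { Get-ManagementRoleEntry "*\$_" -ErrorAction SilentlyContinue } |
    ForEach-Object { "$($_.Role)" } |
    Sort-Object -Unique

# 2. Enabled assignments of those roles that carry a custom or exclusive
#    configuration write scope, expanded to the users who hold them.
#    These are the assignments whose scope was not enforced for DAG cmdlets.
$scoped = foreach ($role in $roles) {
    Get-ManagementRoleAssignment -Role $role -GetEffectiveUsers |
        Where-Object {
            $_.Enabled -and
            ('CustomConfigScope', 'ExclusiveConfigScope' -contains "$($_.ConfigWriteScope)")
        }
}
$scoped | Sort-Object EffectiveUserName |
    Format-Table EffectiveUserName, Role, RoleAssigneeName, CustomConfigWriteScope -AutoSize

# 3. DAG cmdlet runs recorded in the administrator audit log. This returns
#    nothing unless administrator audit logging was enabled at the time.
#    Assumption: the last component of Caller matches EffectiveUserName.
$users = @($scoped | ForEach-Object { $_.EffectiveUserName } | Sort-Object -Unique)
Search-AdminAuditLog -Cmdlets $dagCmdlets -StartDate (Get-Date).AddDays(-90) -ResultSize 5000 |
    Select-Object RunDate, Caller, CmdletName, ObjectModified, Succeeded,
        @{ Name = 'ScopedAssignee'; Expression = { $users -contains ($_.Caller -split '/')[-1] } } |
    Sort-Object RunDate
```

Rows where ScopedAssignee is True and ObjectModified names a DAG outside the scope shown in step 2 are the changes to review.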



Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.



More Information

For more information about management role scopes, go to the following Microsoft website:
For more information about the New-DatabaseAvailabilityGroup cmdlet, go to the following Microsoft website:
For more information about the Set-DatabaseAvailabilityGroup cmdlet, go to the following Microsoft website:
For more information about the Remove-DatabaseAvailabilityGroup cmdlet, go to the following Microsoft website:
For more information about the Stop-DatabaseAvailabilityGroup cmdlet, go to the following Microsoft website:
For more information about the Start-DatabaseAvailabilityGroup cmdlet, go to the following Microsoft website:



Keywords: kbqfe, kbfix, kbexpertiseinter, kbsurveynew, kb


Article Info
Article ID : 2720017
Revision : 1
Created on : 1/7/2017
Published on : 12/14/2012
Exists online : False