Consider the following scenario in Microsoft Exchange Server 2016:
- You create a customized management role that is based on the "Mail Recipients" role, and you remove role entries except the *MailboxRepairRequest entries by using the following cmdlets:
New-ManagementRole -name ManagementRoleName -Parent "Mail Recipients"
Get-ManagementRole ManagementRoleName | Get-ManagementRoleEntry | where {$_.Name -notlike "*RepairRequest*"} | Remove-ManagementRoleEntry
- You create two security groups. One is SG_recipient group, and the other is SG_admin group.
- You create a regular management scope that has recipient restriction to a specific security group by using the following cmdlet:
New-ManagementScope ManagementScopeName -RecipientRestrictionFilter "MemberOfGroup -eq 'CN=SG_recipient,CN=Users,DC=DomainName,DC=xxxx,DC=xxxx,DC=com'"(Doesn’t use OU=Users, but CN=Users)
- You associate the scope with a management role assignment that assigns the customized management role to a security group. Yo use the following cmdlet:
New-ManagementRoleAssignment -Name RoleAssignName -Role ManagementRoleName -CustomRecipientWriteScope ManagementScopeName -SecurityGroup SG_admin
-
You let a member in the security group SG_admin run the New-MailboxRepairRequest cmdlet for a mailbox that's not in the ManagementScopeName scope.
In this scenario, the cmdlet runs successfully. It's expected that the operation on the mailbox fails because it's out of the range of the current user's write scope.