Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

New-MailboxRepairRequest doesn't honor RBAC RecipientWriteScope restrictions in Exchange Server 2016


View products that this article applies to.

Symptoms

Consider the following scenario in Microsoft Exchange Server 2016:

  • You create a customized management role that is based on the "Mail Recipients" role, and you remove role entries except the *MailboxRepairRequest entries by using the following cmdlets:
     

    New-ManagementRole -name ManagementRoleName -Parent "Mail Recipients"

    Get-ManagementRole ManagementRoleName | Get-ManagementRoleEntry | where {$_.Name -notlike "*RepairRequest*"} | Remove-ManagementRoleEntry

  • You create two security groups. One is SG_recipient group, and the other is SG_admin group.
  • You create a regular management scope that has recipient restriction to a specific security group by using the following cmdlet:
     

    New-ManagementScope ManagementScopeName -RecipientRestrictionFilter "MemberOfGroup -eq 'CN=SG_recipient,CN=Users,DC=DomainName,DC=xxxx,DC=xxxx,DC=com'"(Doesn’t use OU=Users, but CN=Users)

  • You associate the scope with a management role assignment that assigns the customized management role to a security group. Yo use the following cmdlet:
     

    New-ManagementRoleAssignment -Name RoleAssignName -Role ManagementRoleName -CustomRecipientWriteScope ManagementScopeName -SecurityGroup SG_admin

  • You let a member in the security group SG_admin run the New-MailboxRepairRequest cmdlet for a mailbox that's not in the ManagementScopeName scope.

In this scenario, the cmdlet runs successfully. It's expected that the operation on the mailbox fails because it's out of the range of the current user's write scope.

↑ Back to the top


Cause

This issue occurs because there are no checks for the scope when it runs the New-MailboxRepairRequest cmdlet.

↑ Back to the top


Resolution

To fix this issue, install Cumulative Update 12 for Exchange Server 2016 or a later cumulative update for Exchange Server 2016.

↑ Back to the top


Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

↑ Back to the top


References

Learn about the terminology that Microsoft uses to describe software updates.

↑ Back to the top


Keywords: kbContentAuto, CI87424, kb, kbfix, kbqfe, kbsurveynew, kbexpertiseadvanced, New-MailboxRepairRequest doesn't honor RBAC RecipientWriteScope restrictions

↑ Back to the top

Article Info
Article ID : 4456239
Revision : 12
Created on : 2/13/2019
Published on : 2/13/2019
Exists online : False
Views : 340