Article ID: 2489130 - Last Review: July 28, 2011 - Revision: 3.0

A RBAC role assignee can unexpectedly change mailbox properties that are outside the management role group scope in an Exchange Server 2010 environment

View products that this article applies to.
System TipThis article applies to a different operating system than the one you are using. Article content that may not be relevant to you is disabled.
Expand all | Collapse all

SYMPTOMS

Consider the following scenario:  
  • You create a management role assignment in a Microsoft Exchange Server 2010 environment.
  • You assign the Mail Recipients role to a role assignee.
  • You define the scope of the role assignment to an organizational unit.
  • The role assignee tries to change mailbox properties that are outside the management role group scope by using the Set-CalendarProcessing cmdlet.
In this scenario, the role assignee can unexpectedly change the mailbox properties successfully. 
Back to the top

CAUSE

This issue occurs because there is no Role Based Access Control (RBAC) scope verification when Exchange Server 2010 run the Set-CalendarProcessing cmdlet.
Back to the top

RESOLUTION

To resolve this issue, install the following update rollup:
2579150  (http://support.microsoft.com/kb/2579150/ ) Description of Update Rollup 4 for Exchange Server 2010 Service Pack 1
Back to the top

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
Back to the top

MORE INFORMATION

For more information about Role Based Access Control, visit the following Microsoft website:
General information about Role Based Access Control (http://technet.microsoft.com/en-us/library/dd298183.aspx)
For more information about management role assignments, visit the following Microsoft website:
General information about management role assignments (http://technet.microsoft.com/en-us/library/dd335131.aspx)
For more information about the Set-CalendarProcessing cmdlet, visit the following Microsoft website:
General information about the Set-CalendarProcessing cmdlet (http://technet.microsoft.com/en-us/library/dd335046.aspx)
For more information about the Mail Recipients role, visit the following Microsoft website:
General information about the Mail Recipients role (http://msdn.microsoft.com/en-us/library/dd876911(v=EXCHG.140).aspx)
Back to the top
APPLIES TO
  • Microsoft Exchange Server 2010 Service Pack 1, when used with:
    • Microsoft Exchange Server 2010 Enterprise
    • Microsoft Exchange Server 2010 Standard
Back to the top
Keywords: 
kbqfe kbfix kbsurveynew kbexpertiseinter kbhotfixrollup KB2489130
Back to the top