Article ID: 2514766 - Last Review: August 26, 2011 - Revision: 2.0

A RBAC role assignee can unexpectedly run the Add-ADPermission command on an Exchange Server 2010 server that is outside the role assignment scope

View products that this article applies to.
System TipThis article applies to a different operating system than the one you are using. Article content that may not be relevant to you is disabled.
Expand all | Collapse all

SYMPTOMS

Consider the following scenario:
  • In a Microsoft Exchange Server 2010 environment, you create a scoped management role assignment which assigns the Active Directory Permissions or Mail Recipients roles.
  • You assign the role assignment to a role assignee.
  • The role assignee tries to run the Add-ADPermission command against a mailbox that is outside of the role assignment scope.
In this scenario, the role assignee can unexpectedly run the Add-ADPermission command against the out of scope mailbox. 
Back to the top

CAUSE

This issue occurs because there is no Role Based Access Control (RBAC) scope verification when Exchange Server 2010 runs the Add-ADPermission command.
Back to the top

RESOLUTION

To resolve this issue, install the following update rollup:
2582113  (http://support.microsoft.com/kb/2582113/ ) Description of Update Rollup 5 for Exchange Server 2010 Service Pack 1
Back to the top

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
Back to the top

MORE INFORMATION

For more information about Role Based Access Control, visit the following Microsoft website:
General information about Role Based Access Control (http://technet.microsoft.com/en-us/library/dd298183.aspx)
For more information about management role assignments, visit the following Microsoft website:
General information about management role assignments (http://technet.microsoft.com/en-us/library/dd335131.aspx)
For more information about the Add-ADPermission command, visit the following Microsoft website:
General information about the Add-ADPermission command (http://technet.microsoft.com/en-us/library/bb124403.aspx)
For more information about the Active Directory Permissions role, visit the following Microsoft website:
General information about the Active Directory Permissions role (http://technet.microsoft.com/en-us/library/dd876845.aspx)
Back to the top
APPLIES TO
  • Microsoft Exchange Server 2010 Service Pack 1, when used with:
    • Microsoft Exchange Server 2010 Enterprise
    • Microsoft Exchange Server 2010 Standard
Back to the top
Keywords: 
kbqfe kbfix kbexpertiseinter kbhotfixrollup kbsurveynew KB2514766
Back to the top