Symptoms
Consider the following scenario:
-
You create a management role assignment in a Microsoft Exchange Server 2010 environment.
-
You assign the Mail Recipients role to a role assignee.
-
You define the scope of the role assignment to an organizational unit.
-
The role assignee tries to change mailbox properties that are outside the management role group scope by using the Set-CalendarProcessing cmdlet.
In this scenario, the role assignee can unexpectedly change the mailbox properties successfully.
Cause
This issue occurs because there is no Role Based Access Control (RBAC) scope verification when Exchange Server 2010 run the Set-CalendarProcessing cmdlet.
Resolution
To resolve this issue, install the following update rollup:
2579150 Description of Update Rollup 4 for Exchange Server 2010 Service Pack 1
Status
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
More Information
For more information about Role Based Access Control, visit the following Microsoft website:
General information about Role Based Access ControlFor more information about management role assignments, visit the following Microsoft website:
General information about management role assignmentsFor more information about the Set-CalendarProcessing cmdlet, visit the following Microsoft website:
General information about the Set-CalendarProcessing cmdletFor more information about the Mail Recipients role, visit the following Microsoft website: