Add-ADPermission and Remove-ADPermission can be run outside the management scope in Exchange Server 2013
Content provided by Microsoft
Applies to: Exchange Server 2013 EnterpriseExchange Server 2013 Standard Edition
Assume that you create a role assignment policy for the Active Directory permissions role with a scope that limits permissions of the cmdlets to the organizational unit that is specified in Microsoft Exchange Server 2013. The Add-ADPermission and Remove-ADPermission cmdlets can be run against any user object unexpectedly, even if the user object is outside the management scope.
Note The Add-ADPermission and Remove-ADPermission cmdlets can check whether the user who is being updated is within the management scope for the account that is running the cmdlet.