Symptoms
In a Microsoft Exchange Server 2016 environment, consider the following scenario:
- You create a Role Based Access Control (RBAC) management role by adding certain management role entries that are based on the Unified Messaging (UM) Mailboxes role, such as the Set-UMMailboxPIN cmdlet.
-
You create a management scope by using a recipient restriction filter and specify a particular organizational unit (OU) to the filter.
-
You create a management role group that has this management role and management scope assigned.
In this scenario, when admin members in the management role group run the Set-UMMailboxPIN cmdlet, they can reset the PINs on the UM-enabled mailboxes for users who are outside the scoped OU.
Cause
This issue occurs because the recipient restriction filter isn't correctly handled during running the cmdlet.
Resolution
To fix this issue, install Cumulative Update 9 for Exchange Server 2016 or a later cumulative update for Exchange Server 2016.
Status
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
References
Learn about the terminology that Microsoft uses to describe software updates.