Symptoms
Consider the following scenario in Microsoft Exchange Server 2016:
-
You create a customized management role that is based on the "Mail Recipients" role, and you remove role entries except the *MailboxRepairRequest entries by using the following cmdlets:
New-ManagementRole -name ManagementRoleName -Parent "Mail Recipients"
Get-ManagementRole ManagementRoleName | Get-ManagementRoleEntry | where {$_.Name -notlike "*RepairRequest*"} | Remove-ManagementRoleEntry
-
You create two security groups. One is SG_recipient group, and the other is SG_admin group.
-
You create a regular management scope that has recipient restriction to a specific security group by using the following cmdlet:
New-ManagementScope ManagementScopeName -RecipientRestrictionFilter "MemberOfGroup -eq 'CN=SG_recipient,CN=Users,DC=DomainName,DC=xxxx,DC=xxxx,DC=com'"(Doesn’t use OU=Users, but CN=Users)
-
You associate the scope with a management role assignment that assigns the customized management role to a security group. Yo use the following cmdlet:
New-ManagementRoleAssignment -Name RoleAssignName -Role ManagementRoleName -CustomRecipientWriteScope ManagementScopeName -SecurityGroup SG_admin
-
You let a member in the security group SG_admin run the New-MailboxRepairRequest cmdlet for a mailbox that's not in the ManagementScopeName scope.
In this scenario, the cmdlet runs successfully. It's expected that the operation on the mailbox fails because it's out of the range of the current user's write scope.
Cause
This issue occurs because there are no checks for the scope when it runs the New-MailboxRepairRequest cmdlet.
Resolution
To fix this issue, install Cumulative Update 12 for Exchange Server 2016 or a later cumulative update for Exchange Server 2016.
Status
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
References
Learn about the terminology that Microsoft uses to describe software updates.
