A RBAC role assignee can unexpectedly run the Add-ADPermission command on an Exchange Server 2010 server that is outside the role assignment scope
Consider the following scenario:
- In a Microsoft Exchange Server 2010 environment, you create a scoped management role assignment which assigns the Active Directory Permissions or Mail Recipients roles.
- You assign the role assignment to a role assignee.
- The role assignee tries to run the Add-ADPermission command against a mailbox that is outside of the role assignment scope.
In this scenario, the role assignee can unexpectedly run the Add-ADPermission
command against the out of scope mailbox.
This issue occurs because there is no Role Based Access Control (RBAC) scope verification when Exchange Server 2010 runs the Add-ADPermission command.
To resolve this issue, install the following update rollup:
Description of Update Rollup 5 for Exchange Server 2010 Service Pack 1
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
For more information about Role Based Access Control, visit the following Microsoft website:
For more information about management role assignments, visit the following Microsoft website:
For more information about the Add-ADPermission
command, visit the following Microsoft website:
For more information about the Active Directory Permissions
role, visit the following Microsoft website:
Article ID: 2514766 - Last Review: 08/26/2011 09:13:00 - Revision: 2.0
- Microsoft Exchange Server 2010 Service Pack 1
- kbqfe kbfix kbexpertiseinter kbhotfixrollup kbsurveynew KB2514766