Applies To: Exchange Server 2010

Symptoms

Consider the following scenario:

  • In a Microsoft Exchange Server 2010 environment, you create a scoped management role assignment which assigns the Active Directory Permissions or Mail Recipients roles.

  • You assign the role assignment to a role assignee.

  • The role assignee tries to run the Add-ADPermission command against a mailbox that is outside of the role assignment scope.

In this scenario, the role assignee can unexpectedly run the Add-ADPermission command against the out-of-scope mailbox.

Cause

This issue occurs because there is no Role Based Access Control (RBAC) scope verification when Exchange Server 2010 runs the Add-ADPermission command.

Resolution

To resolve this issue, install the following update rollup:

2582113 Description of Update Rollup 5 for Exchange Server 2010 Service Pack 1
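
One way to review whether Add-ADPermission was run by scoped role assignees while the scope check was missing (an added example, not part of the Microsoft article): it searches the admin audit log for Add-ADPermission calls and lists those made by callers whose assignments of the two roles all carry a custom write scope, so that each target can be compared with that scope. It assumes that admin audit logging was enabled during the review window and that the audit entry's Caller value resolves as a role assignee; the 90-day window and the result size are constructed values.

```powershell
# Added example, not from the KB article. Run in the Exchange Management Shell
# (Exchange Server 2010 SP1 or later).
# Assumptions: admin audit logging was enabled for the window below; the
# 90-day window and the 5000-entry limit are constructed values to adjust.
$roles = 'Active Directory Permissions', 'Mail Recipients'
$start = (Get-Date).AddDays(-90)

$entries = Search-AdminAuditLog -Cmdlets Add-ADPermission `
    -StartDate $start -EndDate (Get-Date) -ResultSize 5000

$findings = foreach ($entry in $entries) {
    # Direct and indirect (role group) assignments of the two roles for the
    # caller. These are the assignments as they exist now, not at RunDate.
    $assignments = @(foreach ($role in $roles) {
        Get-ManagementRoleAssignment -Role $role -RoleAssignee $entry.Caller `
            -ErrorAction SilentlyContinue
    })

    if ($assignments.Count -eq 0) {
        # Caller did not resolve, or holds neither role today: keep the entry
        # visible instead of dropping it silently.
        $scopes = '(no assignment of these roles found)'
    }
    else {
        # An assignment without a custom write scope is not restricted to a
        # scope, so the caller is not a scoped assignee: skip the entry.
        $unscoped = @($assignments | Where-Object { -not $_.CustomRecipientWriteScope })
        if ($unscoped.Count -gt 0) { continue }
        $scopes = ($assignments |
            ForEach-Object { "$($_.CustomRecipientWriteScope)" } |
            Sort-Object -Unique) -join '; '
    }

    New-Object PSObject -Property @{
        RunDate     = $entry.RunDate
        Caller      = $entry.Caller
        Target      = $entry.ObjectModified
        Succeeded   = $entry.Succeeded
        WriteScopes = $scopes
    }
}

# Each row is a call to compare by hand: is Target inside WriteScopes?
$findings | Sort-Object RunDate |
    Format-Table RunDate, Caller, Target, Succeeded, WriteScopes -AutoSize -Wrap
```

Rows whose Target lies outside the listed WriteScopes are the calls to follow up on, for example by reviewing the permissions now set on that mailbox.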

Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

More Information

For more information about Role Based Access Control, visit the following Microsoft website:

General information about Role Based Access Control

For more information about management role assignments, visit the following Microsoft website:

General information about management role assignments

For more information about the Add-ADPermission command, visit the following Microsoft website:

General information about the Add-ADPermission command

For more information about the Active Directory Permissions role, visit the following Microsoft website:

General information about the Active Directory Permissions role
