Symptoms
Consider the following scenario:
-
You create a management role assignment in a Microsoft Exchange Server 2010 environment.
-
You assign the Mail Recipients role to a role assignee.
-
You define the scope of the role assignment to an organizational unit.
-
The role assignee tries to run the Add-MailboxPermission command or the Remove-MailboxPermission command on an Exchange Server 2010 server that is outside the role assignment scope.
In this scenario, the role assignee can unexpectedly run the Add-MailboxPermission command or the Remove-MailboxPermission command on the server.
Cause
This issue occurs because there is no Role Based Access Control (RBAC) verification when Exchange Server 2010 runs the Add-MailboxPermission command or the Remove-MailboxPermission command.
Resolution
To resolve this issue, install the following update rollup:
2608646 Description of Update Rollup 6 for Exchange Server 2010 Service Pack 1
Status
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
More Information
For more information about the Add-MailboxPermission command, visit the following Microsoft website:
General information about the Add-MailboxPermission commandFor more information about the Remove-MailboxPermission command, visit the following Microsoft website:
General information about the Remove-MailboxPermission commandFor more information about the New-ManagementRoleAssignment command, visit the following Microsoft website:
General information about the New-ManagementRoleAssignment commandFor more information about management role assignments, visit the following Microsoft website: