As described in the TechNet forums (link, I had the same problem when delegating permissions using RBAC, and setting a scope to a subset of users in my Exchange 2010 RTM organization.

For example, when delegating the “Mail Recipients” role to a user and adding the parameter RecipientOrganizationalUnitScope to make sure the user could only manage mail recipients located in one particular Organizational Unit, the user was able to manage only the intended recipients using both the Exchange Management Console, and using the Exchange Management Shell, but when using the Exchange Control Panel, all recipients would be marked as read-only.

Let’s see if this is different in an Exchange 2010 organization deployed with Sp1 Beta, available for download here.

Step 1. Creating the WHERE = Creating a Management SCOPE

I want my user “Admin1” to be able to manage all mailbox-enabled users that have customattribute6 set to a value of “Sunshine”.

In my environment, I have a total of 44 mailbox-enabled users, of which 11 have been given a value of “Sunshine” for customattribute6.


To create the scope, I’m using the EMS cmdlet New-ManagementScope, named “CA6 = Sunshine”, and define two criteria:

- only mailbox-enabled users

- that have a value set to “Sunshine” for CustomAttribute6.


Using the cmdlet Get-Recipient, it is easy to see which objects fall within the defined scope:


Step 2. Define the WHAT = Creating or customizing a Management ROLE

I want my Admin1 to be able to manage all mail recipients, EXCEPT for changing the value of CustomAttribute6.

Therefore I will create a new management role, by copying the existing Mail Recipients role, and remove the parameter CustomAttribute6 from the list of parameters that can be changed. In addition, I do not want my Admin1 to be able to change the phone number, since these numbers are linked to my CS14 environment!

First, copy the existing management role of Mail Recipients:


Second, remove the parameters of Phone and CustomAttribute6!




Step 3. Define the WHO = Creating a ROLE GROUP

In Exchange 2010 Sp1 Beta, it is possible to create a new role group using the Exchange Control Panel.

Logging into OWA as Administrator, I go to Options, and there I select to manage My Organization.


In the left pane I select to manage Roles & Auditing


And click New…and give the new role group a name, a description, select the just created scope and role, and add Admin1 to the new group!



After clicking Save, it is time to test :-)

Step 4. Test using EMC

When launching EMC, logged on as Admin1, I can see the necessary information is retrieved..



When trying to change a setting for user1, I get an access denied,


When a mailbox-enabled user falls into my management scope, I can change anything, except for the value of CustomAttribute6.


Step 5. Test using the EMS

Same results…


Step 6. Test using ECP

And yes…it works :-)

All settings for users out of management scope are greyed out, I can change any permitted setting for a user in my management scope




Lots of fun coming our way with Exchange 2010 Sp1 :-)