As described in the TechNet forums (http://social.technet.microsoft.com/Forums/en-US/exchange2010/thread/92925f7c-97ba-4a96-a4c4-33c193a7b201), I had the same problem when delegating permissions using RBAC and setting a scope to a subset of users in my Exchange 2010 RTM organization.
For example, when delegating the “Mail Recipients” role to a user and adding the parameter RecipientOrganizationalUnitScope to make sure the user could only manage mail recipients located in one particular Organizational Unit, the user was able to manage only the intended recipients in both the Exchange Management Console and the Exchange Management Shell, but in the Exchange Control Panel all recipients were marked as read-only.
Let’s see if this is different in an Exchange 2010 organization deployed with SP1 Beta, available for download here.
I want my user “Admin1” to be able to manage all mailbox-enabled users that have customattribute6 set to a value of “Sunshine”.
In my environment, I have a total of 44 mailbox-enabled users, of which 11 have been given a value of “Sunshine” for customattribute6.
To create the scope, I’m using the EMS cmdlet New-ManagementScope, name the scope “CA6 = Sunshine”, and define two criteria:
- only mailbox-enabled users
- that have a value set to “Sunshine” for CustomAttribute6.
Using the cmdlet Get-Recipient, it is easy to see which objects fall within the defined scope:
I want my Admin1 to be able to manage all mail recipients, EXCEPT for changing the value of CustomAttribute6.
Therefore I will create a new management role, by copying the existing Mail Recipients role, and remove the parameter CustomAttribute6 from the list of parameters that can be changed. In addition, I do not want my Admin1 to be able to change the phone number, since these numbers are linked to my CS14 environment!
First, copy the existing management role of Mail Recipients:
Second, remove the parameters of Phone and CustomAttribute6!
In Exchange 2010 SP1 Beta, it is possible to create a new role group using the Exchange Control Panel.
Logging into OWA as Administrator, I go to Options, and there I select to manage My Organization.
In the left pane I select to manage Roles & Auditing.
Then I click New…, give the new role group a name and a description, select the scope and role I just created, and add Admin1 to the new group!
After clicking Save, it is time to test :-)
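For reference, here is the whole procedure above (scope, role copy, parameter removal and role group) as Exchange Management Shell commands, followed by two checks. This is an added example, not from the original post; the role name “Mail Recipients - No CA6”, the role group name and its description are my assumptions.

```powershell
# Step 1: management scope = mailbox-enabled users whose CustomAttribute6 is "Sunshine"
New-ManagementScope -Name "CA6 = Sunshine" `
    -RecipientRestrictionFilter { (RecipientType -eq 'UserMailbox') -and (CustomAttribute6 -eq 'Sunshine') }

# Preview exactly which recipients fall inside the scope (the 11 "Sunshine" mailboxes)
$scopeFilter = (Get-ManagementScope -Identity "CA6 = Sunshine").RecipientFilter
Get-Recipient -RecipientPreviewFilter $scopeFilter | Format-Table Name, RecipientType, CustomAttribute6

# Step 2: copy the built-in Mail Recipients role (the new role name is an assumption)
New-ManagementRole -Name "Mail Recipients - No CA6" -Parent "Mail Recipients"

# Step 3: strip CustomAttribute6 and Phone from every cmdlet entry of the copy that exposes them.
# The Where-Object filter makes sure -RemoveParameter only runs against entries that carry the parameter.
foreach ($param in 'CustomAttribute6', 'Phone') {
    Get-ManagementRoleEntry -Identity "Mail Recipients - No CA6\*" |
        Where-Object { $_.Parameters -contains $param } |
        ForEach-Object {
            Set-ManagementRoleEntry -Identity "$($_.Role)\$($_.Name)" -Parameters $param -RemoveParameter
        }
}

# Step 4: role group tying role, write scope and member together (same result as the ECP "New..." dialog)
New-RoleGroup -Name "Sunshine Recipient Admins" `
    -Description "Manage Sunshine mailboxes, except CustomAttribute6 and Phone" `
    -Roles "Mail Recipients - No CA6" `
    -CustomRecipientWriteScope "CA6 = Sunshine" `
    -Members Admin1

# Check 1: neither parameter is left on Set-Mailbox in the copied role (expect no output)
Get-ManagementRoleEntry -Identity "Mail Recipients - No CA6\Set-Mailbox" |
    Select-Object -ExpandProperty Parameters |
    Where-Object { 'CustomAttribute6', 'Phone' -contains $_ }

# Check 2: the assignment created by the role group carries the custom write scope
Get-ManagementRoleAssignment -RoleAssignee "Sunshine Recipient Admins" |
    Format-Table Role, RecipientWriteScope, CustomRecipientWriteScope
```

Both checks are worth repeating after any later edit to the role, since a parameter re-added to the parent role is not inherited by the copy, while a change to the scope filter immediately widens or narrows what Admin1 can write.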
When launching EMC, logged on as Admin1, I can see the necessary information is retrieved.
When trying to change a setting for user1, I get an access denied.
When a mailbox-enabled user falls into my management scope, I can change anything, except for the value of CustomAttribute6.
And yes…it works :-)
All settings for users outside my management scope are greyed out, and I can change any permitted setting for a user inside my management scope.
Lots of fun coming our way with Exchange 2010 SP1 :-)