Do not move RBAC Role Groups out of the Exchange Security Group OU

Exchange 2010 has a massively improved admin permission model. It’s called Role Based Access Control and with it you can use predefined roles or make very customized roles if needed.

I won’t go into details how it works, for the purpose of this issue you only need to know that the RBAC roles are assigned via RBAC Role Groups. These are actual Security groups within Active Directory and when assigned a RBAC Role Group within Exchange, the user is a member of the corresponding Role Group.

The Exchange RBAC Role Groups are stored in the Microsoft Exchange Security Groups OU, which can be seen with Active Directory Users and Computers (ADUC) MMC. See image below at the left pane.

Exchange Role Groups are just Security Groups in the Microsoft Exchange Security Groups OU

In the right-hand pane the RBAC Role Groups are listed. On the top are several custom Role Groups starting with ADM_.

The environment in question had designed a elaborate Delegation of Control model, in which all relevant groups would reside in controllable OU’s. Even for administrative roles with specific permissions to the infrastructure. To stay complaint to this model, we wanted to move the custom Role Groups to the specific IT-Infrastructure OU with other Security Groups.

Unfortunately this wasn’t possible with RBAC Role Groups. When moved out of this OU, Exchange will not list them as a valid Role Group and you cannot assign it.

Get-RoleGroup before moving my custom Role Groups via ADUC to another OU:

Listing all Role Groups

After moving:

The Get-RoleGroup doesn't show the group, after moving it out of the Exchange Security OU

Luckily it is probably more cosmetic than an functional issue, I could still assign users to the Role Group with Add-RoleGroupMember. Probably Get-RoleGroup is scoped to this specific OU. See below that assigning still works:

The Get-RoleGroup doesn't show the group, but you can still assign users to it.a

Checking with ADUC confirmed that the users was assigned to the role, although I didn’t check whether the role was actually working.

In any case, concluding: I wouldn’t move the Exchange Role Groups out of the Exchange Security Group OU. It could possibly break scripts or other mechanisms that count on those groups to be present in this specific OU.

This was an environment with Exchange 2010 Service Pack 1 RU4v2. Unfortunately I couldn’t check other patch levels.

One comment

  • uTILLIty

    thanks! unfortunately any attempt to install a cummulative update later on also fails with a weird error message, if you move the whole OU somewhere else in the tree:

    Error:
    The following error was generated when “$error.Clear();
    initialize-ExchangeUniversalGroups -DomainController $RoleDomainController -ActiveDirectorySplitPermissions $RoleActiveDirectorySplitPermissions

    ” was run: “System.NullReferenceException: Object reference not set to an instance of an object.
    at Microsoft.Exchange.Management.Tasks.InitializeExchangeUniversalGroups.CreateOrMoveEWPGroup(ADGroup ewp, ADOrganizationalUnit usgContainer)
    at Microsoft.Exchange.Management.Tasks.InitializeExchangeUniversalGroups.InternalProcessRecord()
    at Microsoft.Exchange.Configuration.Tasks.Task.b__b()
    at Microsoft.Exchange.Configuration.Tasks.Task.InvokeRetryableFunc(String funcName, Action func, Boolean terminatePipelineIfFailed)
    at Microsoft.Exchange.Configuration.Tasks.Task.ProcessTaskStage(TaskStage taskStage, Action initFunc, Action mainFunc, Action completeFunc)
    at Microsoft.Exchange.Configuration.Tasks.Task.ProcessRecord()
    at System.Management.Automation.CommandProcessor.ProcessRecord()”.

    My solution was to move it back and setup (specifically the following command: setup.exe /PrepareAD /IAcceptExchangeServerLicenseTerms) worked.

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *