MikhailFirsov-1277 asked

Custom Management Scope permission issue

Hello,

Please excuse me for posting partially the same question as was posted here, but I'd like to illustrate the whole configuration process and find out what (if anything) was done wrong.

The theory - Create a custom management scope for In-Place eDiscovery searches


The practice:

32274-test12-2.png


32303-test13.png


Checking:
32129-test14.png


Testing:
32284-test15.png


Please note that since the eDiscovery/in-hold tab does appear on Bail's ECP, the Test_Discovery_Manager role group assignment has worked correctly.

What's wrong with the scope permissions?

Thank you in advance,
Michael


KaelYao-MSFT answered

@MikhailFirsov-1277
Hi, Michael.
I noticed that you mentioned you are using Exchange 2019 in the former post.
I tested in my lab (both in Exchange 2019 CU2 and Exchange 2016 CU13) and got the same result.
32418-screenshot-01.png
The problem may result from the distribution group not being resolved correctly into the mailbox addresses of the members in this group.
As the error message stated, "You don't have sufficient permissions to search the mailbox..." (while actually it's a distribution group), and according to this article from the Exchange Team Blog.
32498-screenshot-02.png

I suppose that it may be a bug.
As a workaround, you can try manually selecting all specific mailboxes in the distribution group instead of selecting the distribution group directly.
In my test, the search can complete without the permission error.


MikhailFirsov-1277 answered

Hi KaelYao-MSFT,

Before creating new searches I always check whether the -Filter is working (I just did not post it):
32601-test16.png


... I assumed that if the -Filter in Get-Recipient is working then - theoretically - the -RecipientRestrictionFilter in the NewScope cmdlet should also work. Since the search does succeed for a mailbox (not a group!) that is part of the custom scope, the assumption was correct. And you are right: changing the group to a user mailbox from that group leads to the search being created successfully:
32611-test17.png

32612-test18.png

Furthermore, I did see somewhere on TechNet the article describing the issue (a bug?) with resolving distribution groups - as far as I see it's exactly the same problem. I just don't remember that the article contained something like "this issue will be fixed in ...".

I also think this is a bug and administrators must know that this would not work:
32549-test19.png


Thank you very much for your help!

Regards,
Michael Firsov



@MikhailFirsov-1277
Hi, Michael.
Thanks for your sharing and understanding.

I also checked that the filter is working fine (it can output all mailboxes in the distribution group correctly)
and suppose that the problem occurs when using EAC to start a search.
Somehow the distribution group was just not resolved (into the mailboxes in it) and was itself considered a mailbox.
Thus it doesn't match the distinguished name in the filter (supposed to be mailboxes in the group), and then generates a permission error.
While if not using the custom management scope setting, it is working fine without such a problem.

If it is confirmed to be a bug, I suppose we have to wait for CU updates to get it repaired.
Sorry for the inconvenience.


MikhailFirsov-1277 answered

P.S. I find it a rather serious bug because it's easy to select several users instead of the group name in the test environment, but in real networks distribution groups may contain hundreds or thousands of members!
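
An added example, not part of any post in this thread and not Microsoft's code: one way to script the workaround discussed above for a large group, by listing the mailboxes with the same `MemberOfGroup` filter the custom scope uses and passing them explicitly to the search. The group name, search name and query are hypothetical placeholders, and it assumes an explicit mailbox list behaves in the shell as the manual selection did in the tests above.

```powershell
# Added example. Run in the Exchange Management Shell as a member of the
# scoped role group. All names below are hypothetical placeholders.
$GroupName  = 'Scoped-eDiscovery-Group'      # placeholder: the group the scope is built on
$SearchName = 'Scoped search (expanded)'     # placeholder search name
$Query      = 'subject:"placeholder"'        # constructed sample query

# Resolve the group to its distinguished name, as used in the scope filter.
$group = Get-DistributionGroup -Identity $GroupName -ErrorAction Stop
$groupDn = $group.DistinguishedName.Replace("'", "''")   # escape quotes for the filter

# Same filter expression as -RecipientRestrictionFilter on the management scope,
# so the explicit list cannot drift outside what the scope allows.
$filter = "MemberOfGroup -eq '$groupDn'"

# Keep only user mailboxes; nested groups and contacts are not searchable sources.
$mailboxes = @(Get-Recipient -Filter $filter `
                             -RecipientTypeDetails UserMailbox `
                             -ResultSize Unlimited)

if ($mailboxes.Count -eq 0) {
    throw "No user mailboxes matched filter: $filter"
}
Write-Host ("{0} mailboxes resolved from {1}" -f $mailboxes.Count, $GroupName)

# Pass distinguished names so each source is unambiguous.
$sources = $mailboxes | ForEach-Object { $_.DistinguishedName }

# -WhatIf shows what would be created without creating it; -EstimateOnly
# avoids copying results. Remove -WhatIf after reviewing the source list.
New-MailboxSearch -Name $SearchName `
                  -SourceMailboxes $sources `
                  -SearchQuery $Query `
                  -EstimateOnly `
                  -WhatIf
```

Because the list is a snapshot, rerun the script when group membership changes; mailboxes added to the group later are inside the scope but not in an existing search's source list.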

MikhailFirsov-1277 answered

Thank you, KaelYao-MSFT!
