DetailPage-MSS-KB

Microsoft small business knowledge base

Article ID: 2720017 - Last Review: December 14, 2012 - Revision: 3.0

Symptoms

Consider the following scenario:
  • You have some database availability groups (DAGs) in a Microsoft Exchange Server 2010 environment.
  • You create a management role assignment in the environment.
  • You assign management roles to a role assignee.
  • You define the scope of the role assignment to a member mailbox server in a DAG.
  • The role assignee tries to make some changes to another DAG that is outside the scope of the management role group by using one of the following cmdlets:
    • New-DatabaseAvailabilityGroup
    • Set-DatabaseAvailabilityGroup
    • Remove-DatabaseAvailabilityGroup
    • Stop-DatabaseAvailabilityGroup
    • Start-DatabaseAvailabilityGroup
In this scenario, the role assignee can unexpectedly change the DAG successfully.

Cause

This issue occurs because there is no Role Based Access Control (RBAC) scope validation when Exchange Server 2010 runs *-DatabaseAvailabilityGroup cmdlets.

Resolution

To resolve this issue, install the following update rollup:
2785908  (http://support.microsoft.com/kb/2785908/ ) Description of Update Rollup 5 version 2 for Exchange Server 2010 Service Pack 2

Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

More information

For more information about management role scopes, go to the following Microsoft website:
Understanding management role scopes (http://technet.microsoft.com/en-us/library/dd335146.aspx)
For more information about the New-DatabaseAvailabilityGroup cmdlet, go to the following Microsoft website:
General information about the New-DatabaseAvailabilityGroup cmdlet (http://technet.microsoft.com/en-us/library/dd351107.aspx)
For more information about the Set-DatabaseAvailabilityGroup cmdlet, go to the following Microsoft website:
General information about the Set-DatabaseAvailabilityGroup cmdlet (http://technet.microsoft.com/en-us/library/dd297934.aspx)
For more information about the Remove-DatabaseAvailabilityGroup cmdlet, go to the following Microsoft website:
General information about the Remove-DatabaseAvailabilityGroup cmdlet (http://technet.microsoft.com/en-us/library/dd335129.aspx)
For more information about the Stop-DatabaseAvailabilityGroupcmdlet, go to the following Microsoft website: 
General information about the Stop-DatabaseAvailabilityGroup cmdlet (http://technet.microsoft.com/en-us/library/dd335133.aspx)
For more information about the Start-DatabaseAvailabilityGroup cmdlet, go to the following Microsoft website:
General information about the Start-DatabaseAvailabilityGroup cmdlet (http://technet.microsoft.com/en-us/library/dd335076.aspx)
Note This is a "FAST PUBLISH" article created directly from within the Microsoft support organization. The information contained herein is provided as-is in response to emerging issues. As a result of the speed in making it available, the materials may include typographical errors and may be revised at any time without notice. See Terms of Use (http://go.microsoft.com/fwlink/?LinkId=151500) for other considerations.

Applies to
  • Microsoft Exchange Server 2010 Service Pack 1
  • Microsoft Exchange Server 2010 Service Pack 2
Keywords: 
kbqfe kbfix kbexpertiseinter kbsurveynew KB2720017
Share
Additional support options
Ask The Microsoft Small Business Support Community
Contact Microsoft Small Business Support
Find Microsoft Small Business Support Certified Partner
Find a Microsoft Store For In-Person Small Business Support