Exchange Troubleshooting: RBAC error – Disable-Mailbox isn’t within your current write scopes. Can’t perform save operation

I recently ran into this problem and thought it worth sharing, since it may help others in a similar situation.

I had created an RBAC role group and a custom recipient write scope so that a group of admins could create and manage mailboxes in a few mailbox databases.

The role group was created successfully and the role entries worked without any issues, except for Disable-Mailbox and Enable-Mailbox.

The assigned admins were able to create, modify and remove mailboxes, mail-enabled universal distribution groups, mail contacts, mail-enabled universal security groups and dynamic distribution groups, but they could not enable or disable a mailbox on their own.

When they tried to enable or disable any mailbox, they got the error below:

https://exchangequery.files.wordpress.com/2015/02/rbac_no_enable-mailbox_error.png?w=600

I ran Get-ManagementScope ScopeName | Fl to check which recipient types the scope's RecipientFilter covered.

The filter already included user mailboxes, mail-enabled contacts, mail-enabled universal security groups and dynamic distribution groups, yet the two cmdlets still failed.

Later we identified the cause. Disable-Mailbox does not delete anything in AD: it only strips the Exchange attributes from the user account, so the account stays in AD as a plain user (RecipientType 'User') while the mailbox itself is kept as a disconnected mailbox in the database for the retention period. Enable-Mailbox works the other way round, taking a plain AD user and adding the Exchange attributes to it.

In both cases the object RBAC has to write to is a plain AD user, not a mail-enabled recipient. Because the write scope only matched mail-enabled recipient types, that user object fell outside the scope and the save was refused.

So the recipient filter needs an extra clause, (RecipientType -eq 'User'), so that plain AD user objects are inside the write scope granted to the custom role group.

Note that Set-ManagementScope -RecipientRestrictionFilter replaces the whole filter rather than appending to it, so running it with only (RecipientType -eq 'User') would drop the other recipient types. I have listed the full set of entries below, which should be enough for a help desk to manage normal day-to-day recipient operations, with (RecipientType -eq 'User') added.

Set-ManagementScope "ENTER THE SCOPE NAME" -RecipientRestrictionFilter {(RecipientType -eq 'UserMailbox') -or (RecipientType -eq 'User') -or (RecipientType -eq 'MailUser') -or (RecipientType -eq 'MailContact') -or (RecipientType -eq 'MailUniversalDistributionGroup') -or (RecipientType -eq 'MailUniversalSecurityGroup')}

After updating the filter, the error went away. :)
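Below is an added end-to-end example in Exchange Management Shell, written for this post and not taken from the original; it builds the scope and role group from scratch rather than patching an existing scope, and then runs the checks I would want before handing the group to a help desk. The scope name "Helpdesk-Recipients", the role group name "Helpdesk-Mailbox-Admins" and the OU "contoso.com/Staff" are placeholders.

```powershell
# Added example, not from the original post. Placeholder names:
#   scope      : Helpdesk-Recipients
#   role group : Helpdesk-Mailbox-Admins
#   OU         : contoso.com/Staff

# 1. Recipient write scope. RecipientType 'User' is the clause that lets
#    Enable-Mailbox / Disable-Mailbox save, because their target is a plain
#    AD user object. -RecipientRoot limits the scope to one OU instead of
#    every user object in the forest.
New-ManagementScope -Name "Helpdesk-Recipients" `
    -RecipientRoot "contoso.com/Staff" `
    -RecipientRestrictionFilter {
        (RecipientType -eq 'UserMailbox') -or
        (RecipientType -eq 'User') -or
        (RecipientType -eq 'MailUser') -or
        (RecipientType -eq 'MailContact') -or
        (RecipientType -eq 'MailUniversalDistributionGroup') -or
        (RecipientType -eq 'MailUniversalSecurityGroup') -or
        (RecipientType -eq 'DynamicDistributionGroup')
    }

# 2. Role group whose assignments use that write scope.
#    "Mail Recipient Creation" carries Enable-Mailbox, "Mail Recipients"
#    carries Disable-Mailbox and the day-to-day Set-* cmdlets.
New-RoleGroup -Name "Helpdesk-Mailbox-Admins" `
    -Roles "Mail Recipient Creation", "Mail Recipients" `
    -CustomRecipientWriteScope "Helpdesk-Recipients"

# 3. Check the filter that was actually stored (RecipientFilter is the
#    normalised OPATH form of what you passed in).
Get-ManagementScope "Helpdesk-Recipients" |
    Format-List Name, RecipientRoot, RecipientFilter

# 4. Check that every assignment on the group really points at the scope;
#    an assignment with RecipientWriteScope = Organization would be over-privileged.
Get-ManagementRoleAssignment -RoleAssignee "Helpdesk-Mailbox-Admins" |
    Format-List Role, RecipientWriteScope, CustomRecipientWriteScope

# 5. Show the plain user objects the scope now reaches. A disabled mailbox's
#    account shows up here with RecipientType 'User'; this is the set the
#    help desk can mailbox-enable, so keep the OU tight.
Get-User -OrganizationalUnit "contoso.com/Staff" -Filter "RecipientType -eq 'User'" |
    Select-Object Name, RecipientType, RecipientTypeDetails
```

Step 5 is the least-privilege check: (RecipientType -eq 'User') matches every non-mail-enabled user under the recipient root, including service and admin accounts if they live there, so pair the clause with a -RecipientRoot that only contains the accounts the help desk is meant to touch. Database restrictions are a separate scope type (DatabaseRestrictionFilter or DatabaseList) assigned through -CustomConfigWriteScope; they do not substitute for the recipient filter above.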