Symptoms

After installing Rollup Update version 6 or higher for Exchange 2010 SP1 Multi-Tenant, mailbox permission management tasks such as "Grant mailbox permissions for mailbox" fail with the following error message:

The operation on mailbox MAILBOX failed because it's out of the current user's write scope. The object MAILBOX must be within the read scope before and after it's modified. Can't perform the save operation.

Example of failed task:

Task name: Grant mailbox permissions for mailbox 'mbx' (id=6982)

Exception calling "Execute" with "3" argument(s): "The operation on mailbox "domain.tld/Microsoft Exchange Hosted Organizations/R0001000094/mbx" failed because it's out of the current user's write scope. The object 'domain.tld/Microsoft Exchange Hosted Organizations/R0001000094/mbx' must be within the read scope before and after it's modified. Can't perform the save operation."

Error position:
At C:\Program Files\Parallels\Windows Provisioning Engine\Providers\Common\ProviderUtils\ProviderUtils.psm1:53 char:26
+ [void]$Context.Execute <<<< ($Provider, $Method, $exec_data)

Type: Parallels.Wpe.PowerShell.PowerShellException.

Cause

Prior to Exchange 2010 Multi-tenant SP1 RU6, there was no Role Based Access Control (RBAC) verification when Exchange Server 2010 ran the Add-MailboxPermission or Remove-MailboxPermission PowerShell commands.

Therefore, a top-level admin account (such as the pem_admin account that POA uses for provisioning purposes) was previously able to make mailbox permission changes to child tenant accounts; this is the way POA works. Starting with Exchange 2010 Multi-tenant SP1 RU6, this is no longer allowed. These changes can now only be made by a tenant Exchange organization admin user (which POA does not populate).

Resolution

Follow the steps below to work around the problem:

  1. Log on to the WPE (Windows Provisioning Engine) server under the Local or Domain Administrators account.
  2. Open the bin\ExchangeUtils.dll.config file from the WPE installation folder (the default path is C:\Program Files\Parallels\Windows Provisioning Engine). Make sure that the file extension is not typed twice and that the file name is exactly ExchangeUtils.dll.config. Otherwise the WPE scripts will not be able to load the file and the procedure will not work.
  3. Change the Exchange PowerShell cmdlet execution mode (the <powershell> tag) from the "remote" value to the "local" value (change <powershell mode="remote"> to <powershell mode="local">).
  4. Save the changes and, optionally, restart IIS with the following command: iisreset
  5. Repeat the previous steps on all WPE servers in the AD domain where Exchange 2010 Multi-tenant SP1 or higher is installed. The solution is confirmed to work for Exchange versions up to SP3 MT.

The change above forces all Exchange cmdlets to be executed locally on the WPE node rather than remotely (the default). RBAC security is not applied to such "local" calls, so POA no longer runs into access errors.

Note: The ExchangeUtils.dll.config file can be overwritten when a new WPE version is installed, so this file should be checked and fixed manually after each POA update or major release installation.
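The post-update check described above can be scripted so that every WPE node reports whether it is running Exchange cmdlets without RBAC. This is an added example, not part of the original article or of the product's own scripts; the function name is hypothetical, and because the article does not describe where the <powershell> element sits in the file, it is located by name anywhere in the document.

```powershell
# Added example: audit (and optionally re-apply) the Exchange cmdlet execution mode on a WPE node.
# Assumption: the <powershell> element is found by name at any depth; its parents are not documented here.
function Test-WpeExchangeMode {   # hypothetical helper name
    param(
        [string]$WpeRoot = 'C:\Program Files\Parallels\Windows Provisioning Engine',
        [switch]$Fix
    )
    $path = Join-Path (Join-Path $WpeRoot 'bin') 'ExchangeUtils.dll.config'

    # Step 2 caveat: a doubled extension means WPE will not load the file.
    if (Test-Path -LiteralPath "$path.config") {
        Write-Warning "Misnamed copy found: $path.config"
    }
    if (-not (Test-Path -LiteralPath $path)) {
        throw "Config file not found: $path"
    }

    $xml = New-Object System.Xml.XmlDocument
    $xml.PreserveWhitespace = $true          # keep the file's layout when saving
    $xml.Load($path)

    # local-name() matches the element even if the file declares a default namespace.
    $node = $xml.SelectSingleNode("//*[local-name()='powershell']")
    if ($null -eq $node) { throw "No <powershell> element in $path" }

    $mode = $node.GetAttribute('mode')
    if ($Fix -and $mode -ne 'local') {
        Copy-Item -LiteralPath $path -Destination "$path.bak" -Force   # keep the previous file
        $node.SetAttribute('mode', 'local')
        $xml.Save($path)
        $mode = 'local'
    }

    [pscustomobject]@{
        Computer     = $env:COMPUTERNAME
        Path         = $path
        Mode         = $mode
        # 'local' means Exchange cmdlets on this node run without RBAC checks.
        RbacBypassed = ($mode -eq 'local')
    }
}

Test-WpeExchangeMode          # report only
# Test-WpeExchangeMode -Fix   # re-apply the workaround after a WPE update, then run iisreset if needed
```

Collecting this output from every WPE server gives an inventory of the nodes where RBAC is not enforced for Exchange cmdlets, and shows which ones were reset to "remote" by an update.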
