RBAC error – Disable-Mailbox isn’t within your current write scopes can’t perform save operation

I just recently ran into this problem and thought of sharing this which might be helpful to others in similar situations.

I just created a RBAC  Role group and a write scope for a group of admins to create and mange mailboxes in few mailbox databases.

All the role group was created successfully and role entries seems to be working fine without any issues except for the disable-mailbox and enable-mailbox.

So when the assigned role admins were able to create, modify , remove mailboxes, mail universal distribution groups , mail contacts , mail universal security groups , dynamic distribution groups but they weren’t able to enable or disable any of the objects on their own.

When they tried to enable  or disable any mailboxes  that they get the below error




I ran the command Get-ManagementScope Scopename | Fl to see the recipient filter types

I was able to see the recipient type user mailbox, mail enabled contacts, mail contacts , mail universal security groups  and dynamic distribution.

But still it was not working.

later i identified the problem. Enable-Mailbox and Disable-Mailbox will remove only the exchange attributes from the user account and leaves the user account and the mailbox in the retention.

For this functionality to work we will need to have AD permission for the user in the RBAC to perform this operation.

So we need to add the recipient filter  (recipientType -eq ‘user’ ) which will grant AD permission to the desired RBAC custom group which will grant permissions to those RBAC admins.

So i have added list of possible entries below that would be helpful for the help-desk team since by running only the above will remove the other permissions.

So for helpdesk to manage the normal daily operations the below entries will be sufficient along with  (recipientType -eq ‘user’ ) added.

Set-ManagementScope “ENTER THE RBAC GROUP” -RecipientRestrictionFilter {(RecipientType -eq ‘usermailbox’) -or (recipientType -eq ‘user’) -or (recipientType -eq ‘mailuser’) -or (recipienttype -eq ‘mailcontact’) -or (recipienttype -eq ‘mailuniversaldistributiongroup’) -or (recipienttype -eq ‘mailuniversalsecuritygroup’)}



Once after the above i was successfully able to come out of the error 🙂


Sathish Veerapandian

MVP – Exchange Server 




Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: