I would always suggest you do administration with a local account.

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Orlebeck, Geoffrey
Sent: Tuesday, September 20, 2016 12:15 PM
To: 'exchange@lists.myitforum.com'
Subject: [Exchange] Cross-Forest RBAC:

We have two separate forests with two-way transitive trusts between them. We are working on consolidating them down to a single forest, single domain. However, in the interim we want to allow Helpdesk staff from one forest (Forest A) to create/manage mailboxes in the other forest (Forest B).

From everything I've read thus far the RBAC groups are all scoped Universal. When I try to create a custom RBAC policy it only allows me to select Universal scoped groups. Reading about nesting groups it appears Universal groups cannot contain Domain Local or 'externally trusted' user accounts. So that being the case, is it possible to allow a user in an externally trusted forest to have access to create/manage mailboxes, or would it require that a user from Forest A have an AD account in Forest B in order to manage mailboxes in Forest B's Exchange environment?

Forest Functional levels are 2008 R2
Both running Exchange 2010 SP3 (not sure specific UR levels, but minimum UR10)

Thank you for any input.