I need to define several custom Management Roles in an Exchange 2013 environment, whose scopes must be limited to recipients in specific OUs; however, these OUs are at the same AD level with other ones, which must not be included in the role scopes.
Sample scenario:
Domain
- OU1
-- OU11
-- OU12
-- OU13
-- OU14
-- OU15
- OU2
-- OU21
-- OU22
-- OU23
-- OU24
-- OU25
I need e.g. to allow a user (or a group) to manage recipients in OU12, OU13 and OU14, but not anywhere else. I can't change the OU structure, thus I can't create an intermediate OU, move those ones below it and then scope the Management Role to that OU.
Is it possible to include several OUs in the scope of a Management Role Assignment? Or instead is the OU scope limited to only a single OU?
N.B. I know I can use LDAP filtering on the object DNs as a workaround, but I'd really prefer to avoid such a clumsy solution.
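For reference, the DN-filter approach the question mentions, written out in Exchange Management Shell. This is an added example, not the poster's code: the domain suffix (DC=contoso,DC=com), the scope name, the security group "OU1-Recipient-Admins" and the role name are assumptions. It uses the documented New-ManagementScope, New-ManagementRoleAssignment and Get-Recipient cmdlets; -RecipientRoot accepts a single OU, so covering several sibling OUs goes through -RecipientRestrictionFilter instead.

```powershell
# Assumed domain suffix; replace with the real forest DN.
$domainDn = 'DC=contoso,DC=com'

# The sibling OUs the delegated admins may manage (constructed from the question).
$allowedOus = 'OU12', 'OU13', 'OU14' | ForEach-Object { "OU=$_,OU=OU1,$domainDn" }

# Build one OPATH filter that matches recipients whose DN ends in any allowed OU.
# The leading '*,' anchors on the parent, so OU12x or a child OU named OU12 elsewhere
# (e.g. under OU2) does not match.
$filter = ($allowedOus | ForEach-Object { "DistinguishedName -like '*,$_'" }) -join ' -or '

# Preview what the filter would grant before any role assignment exists.
# Review the list: anything outside OU12/OU13/OU14 means the filter is too broad.
Get-Recipient -RecipientPreviewFilter $filter -ResultSize Unlimited |
    Select-Object Name, DistinguishedName

# Create the custom write scope (assumed name).
New-ManagementScope -Name 'OU1-Subset-Recipients' -RecipientRestrictionFilter $filter

# Assign the role to a group (assumed group and assignment name) limited to that scope.
New-ManagementRoleAssignment -Name 'Mail Recipients-OU1-Subset' `
    -Role 'Mail Recipients' `
    -SecurityGroup 'OU1-Recipient-Admins' `
    -CustomRecipientWriteScope 'OU1-Subset-Recipients'

# Verify the effective scope of the assignment afterwards.
Get-ManagementRoleAssignment -RoleAssignee 'OU1-Recipient-Admins' |
    Select-Object Name, Role, CustomRecipientWriteScope
```

The preview step matters more than the assignment itself: a scope filter that is a little too wide silently grants write access to neighbouring OUs, so compare the preview output against the intended OU list before creating the assignment, and re-run it whenever OUs are added under OU1.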