N SS' isn't within your current write scopes.

Tom1156 80 Reputation points
2024-09-17T16:37:19.84+00:00

I am running a command to export a specific user's email based on certain conditions.

The account I used to log in already has the Mailbox Import Export role.

Command-

New-MailboxExportRequest -Mailbox NSS -ContentFilter {(Sender -eq '@dd.com')} -FilePath \\E1\Export\NSS.pst

I have successfully exported email addresses for many users, but when I tried to export email addresses for this specific user, I received the following error-

'domain.local/domain/Users/SUsers/N SS' isn't within your current write scopes. Can't perform save operation.
    + CategoryInfo          : InvalidArgument: (NSS:MailboxOrMailUserIdParameter) [New-MailboxExportRequest], ADScopeException
    + FullyQualifiedErrorId : [Server=E2,RequestId=c68c16fd-523d-4989-b846-a5072a5ebae6,TimeStamp=9/16/2024 10:32:57 PM] [FailureCategory=Cmdlet-ADScopeException] E193E48B,Microsoft.Exchange.Management.RecipientTasks.NewMailboxExportRequest
    + PSComputerName        : e2.domain.local

Microsoft Exchange Online
Microsoft Exchange Hybrid Management

1 answer

  1. Alex Zhang-MSFT 390 Reputation points Microsoft Vendor
    2024-09-18T06:23:03.12+00:00

    Hello, @Tom1156,

    Welcome to the Microsoft Q&A platform!

    Based on your description, I understand that you received the error “N SS' isn't within your current write scopes” when you used the New-MailboxExportRequest command to export email addresses for a specific user.

    The error indicates that the user that you are trying to use your export command from (your own admin account) does not have sufficient rights to do the operation, likely due to a Role-Based Access Control Filter (RBAC).

    To resolve your issue, I suggest you use the following command to see if your administrator account is in the RBAC group that has access to the object.

    Get-ManagementRoleAssignment -WritableRecipient NSS -GetEffectiveUsers
    

    If not, and you need an RBAC group with access rights to all types of mailboxes and Exchange type groups, you should be able to give an RBAC group access with this:

    Set-ManagementScope "ENTER THE RBAC GROUP" -RecipientRestrictionFilter {(RecipientType -eq 'usermailbox') -or (recipientType -eq 'user') -or (recipientType -eq 'mailuser') -or (recipienttype -eq 'mailcontact') -or (recipienttype -eq 'mailuniversaldistributiongroup') -or (recipienttype -eq 'mailuniversalsecuritygroup')}
    

    One point to note is, if you are not the only administrator of this Exchange environment, you might want to check with your co-admins if there is a reason that the access rights are set up that way.

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Thank you for your support and understanding.

    Best Wishes,

    Alex Zhang
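
A read-only check that shows which scoped assignment of the role is responsible before any scope is widened, as an added example that is not part of the original answer. It assumes the Exchange Management Shell; `ADMIN-ACCOUNT` is a placeholder for the name of the account that runs the export.

```powershell
# Added example: read-only, changes nothing.
$Admin  = 'ADMIN-ACCOUNT'          # placeholder: account that runs New-MailboxExportRequest
$Target = 'NSS'                    # mailbox from the question
$Role   = 'Mailbox Import Export'  # role named in the question

# 1. Every assignment of the role that reaches the admin, directly or through a group.
$mine = Get-ManagementRoleAssignment -Role $Role -GetEffectiveUsers |
    Where-Object { $_.EffectiveUserName -eq $Admin }

# 2. The subset of those assignments whose write scope contains the target mailbox.
$covering = Get-ManagementRoleAssignment -Role $Role -WritableRecipient $Target -GetEffectiveUsers |
    Where-Object { $_.EffectiveUserName -eq $Admin }

if ($covering) {
    "A '$Role' assignment for $Admin already covers ${Target}:"
    $covering | Format-Table Name, RoleAssigneeName, RecipientWriteScope, CustomRecipientWriteScope
}
else {
    "No '$Role' assignment for $Admin covers $Target. Assignments that exist:"
    $mine | Format-Table Name, RoleAssigneeName, RecipientWriteScope, CustomRecipientWriteScope

    # 3. For each custom write scope, show its root OU and filter so the gap is visible.
    #    The target in the error lives under domain.local/domain/Users/SUsers, so compare
    #    RecipientRoot against that path as well as checking RecipientFilter.
    $mine | Where-Object { $_.CustomRecipientWriteScope } |
        ForEach-Object { Get-ManagementScope -Identity $_.CustomRecipientWriteScope } |
        Format-List Name, RecipientRoot, RecipientFilter
}
```

If step 3 shows a scope that was deliberately restricted, a separate assignment of the role scoped to the one mailbox keeps the existing restriction intact for everything else.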
