RO Exchange blogging @ EHL(R)O

RO Exchange engineers share news or just interesting solutions with you

RBAC - How To implement Exchange 2003 Admin Group model


Let’s say that in Exchange 2010 via RBAC you are trying to implement the Admin Group permission model used in Exchange 2003, where you typically had Admin Groups split up based on AD Sites (geographical location).


Say, for example, each Admin Group had rights delegated to a specific user or security group, so each Exchange admin could manage only their own Admin Group and the servers in it.


Starting with Exchange 2007 there is only one Admin Group, Exchange Administrative Group (FYDIBOHF23SPDLT), in which all Exchange 2007 and 2010 servers are installed.


In Exchange 2010 via RBAC you can accomplish a similar permission model:


1)      Create a new Management Scope restricted to only the servers in a specific AD Site.

New-ManagementScope -Name "scope_server_siteA" -ServerRestrictionFilter "(ServerSite -eq 'DN of Default-First-Site-Name')"

2)      Afterwards create a new Role Group and assign the necessary roles:

New-RoleGroup -Name "Admins_SiteA_RoleGroup" -Roles "Exchange Servers", "Exchange Virtual Directories", "Transport Queues", "Exchange Connectors", "Exchange Server Certificates", "Databases", "Monitoring", "POP3 And IMAP4 Protocols", "Database Copies", "Receive Connectors" -CustomConfigWriteScope "scope_server_siteA"

3)      Create a new security group for the admins via ADUC, named "SiteA_Admins_USG".

4)      Make the group "SiteA_Admins_USG" a member of the new Role Group "Admins_SiteA_RoleGroup" with Add-RoleGroupMember:

Add-RoleGroupMember "Admins_SiteA_RoleGroup" -Member "SiteA_Admins_USG"


That’s it.
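To confirm the delegation is as narrow as intended, the check below can be run in the Exchange Management Shell after step 4. It is an added example, not part of the original post; it reuses the names from the steps above and assumes the site is called Default-First-Site-Name.

```powershell
# Added verification example (not from the original post).
# Names match the steps above; adjust them to your environment.
$siteName  = "Default-First-Site-Name"
$scopeName = "scope_server_siteA"
$roleGroup = "Admins_SiteA_RoleGroup"

# 1. Print the site DN that belongs in the ServerRestrictionFilter,
#    then show the scope so the stored filter can be compared with it.
(Get-AdSite -Identity $siteName).DistinguishedName
Get-ManagementScope -Identity $scopeName | Format-List

# 2. List every role assignment held by the role group together with
#    its configuration write scope.
$assignments = Get-ManagementRoleAssignment -RoleAssignee $roleGroup
$assignments |
    Format-Table Role, ConfigWriteScope, CustomConfigWriteScope -AutoSize

# 3. Flag assignments that are not bound to a custom scope. An
#    assignment left at OrganizationConfig would let site admins
#    change servers in every site, which defeats the model.
$unscoped = @($assignments | Where-Object {
    "$($_.ConfigWriteScope)" -ne "CustomConfigScope"
})

if ($unscoped.Count -gt 0) {
    Write-Warning "$($unscoped.Count) assignment(s) are not scoped:"
    $unscoped | Format-Table Name, Role, ConfigWriteScope -AutoSize
} else {
    Write-Host "All assignments of $roleGroup use a custom config scope."
}

# 4. Confirm who actually holds the delegated rights, and list the
#    servers with their sites to compare against the scope filter.
Get-RoleGroupMember -Identity $roleGroup | Format-Table Name, RecipientType
Get-ExchangeServer | Format-Table Name, Site -AutoSize
```

Re-run the check whenever roles are added to the role group later, since an assignment created without -CustomConfigWriteScope is not restricted to the site.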


  • Very Useful - thank you!

  • Helped me a lot. Thanks for the post
