When you are a member of "Exchange Organization Administrators" or Organization Management role groups, it is perceived that you have all the rights that can be granted in an Exchange Organization and that you should be able to perform all tasks and run every cmdlet out there. That is until you try to run cmdlets specified in the Mailbox Import Export or Support Diagnostics RBAC roles.
When you try to run Import-Mailbox cmdlet as a member of the Organization Administrator role group, you get an error:
[PS] C:\Windows\system32>import-mailbox The term 'import-mailbox' is not recognized as the name of a cmdlet, function, script file, or operable program. Check The spelling of the name, or if a path was included, verify that the path is correct and try again. At line 1: char:15 + import-mailbox << + CategoryInfo : ObjectNotFound: (import-mailbox:string) , CommandNotFoundException + FullyQualifiedErrorId : CommandNotFoundException
To find out who has permissions to run the cmdlet, you then run Get-ManagementRoleAssignment, Which returns only one assignment.
[PS] C:\Windows\system32> Get-ManagementRoleAssignment -role "Mailbox Import Export" | ft Identity Identity ---------- Mailbox Import Export-Organization Management-Delegating [PS] C:\Windows\system32> Get-ManagementRoleAssignment -role "Support Diagnostics" | ft Identity Identity ---------- Support Diagnostics-Organization Management-Delegating
If you inspect closely, you will find that the assignment grants Organization management members like you only delegation rights. This allows you as organization administrator to decide who can run Mailbox Import Export cmdlets. The same applies to Support Diagnostics role.
When you assign the role "Mailbox Import Export", it also grants full access rights to all mailboxes in its scope. Since this can be a security issue, it is not assigned to anyone by default.
The "Support Diagnostics" role grants access to cmdlets and scripts that should only be used under the direction of Microsoft Customer Services and Support.
In order to be able to run cmdlets defined in roles "Mailbox Import Export" and "Support Diagnostics", you need to create new role groups and add the users or groups you want to assign these tasks to, as shown in the following commands:
New-RoleGroup -Name "Exchange Mailbox Import Export" -Roles "Mailbox Import Export" -Members "<domain\groupname>" -DisplayName ""Exchange Mailbox Import Export" -Description "This group will provide access to mailbox import and export cmdlets within entire Exchange Organization." New-RoleGroup -Name "Exchange Support Diagnostics" -Roles "Support Diagnostics" -Members "<domain\groupname>" -DisplayName ""Exchange Support Diagnostics" -Description "This group will provide access to support diagnostics cmdlets within entire Exchange Organization."
After running this, you will notice that two new Universal Security Groups— Exchange Mailbox Import Export and Exchange Support Diagnostics are created in the Microsoft Exchange Security Groups OU in the root domain of the forest. You will also notice the users or groups you specified are added as members. The command also creates a Management Role Assignment "Mailbox Import Export- Exchange Mailbox Import Export". You can verify this by running Get-ManagementRoleAssignment -role "Mailbox Import Export" | ft Identity.
We highly recommend that you restrict the management scope and/or membership to these groups as necessary to comply with your security/administration requirements. The commands above are just examples and should be revised to include appropriate restrictions using scopes as necessary.
To gain better understanding or RBAC, please head over to RBAC and the Triangle of Power and Understanding Role-Based Access Control. Built-n Management Roles and Built-in Role Groups includes details of all default management roles and role groups created by Exchange 2010 setup, including the Mailbox Import Export Role and Support Diagnostics Role discussed in this post.
-- Bhargav Shukla