Hello,
Fazal Muhammad Khan has made an excellent series of videos showing and explaining the different features and enhancements in Active Directory on Windows Server 2012!
We continue with Part 3: Group Managed Service Accounts
Enjoy!
All the videos:
http://blogs.technet.com/b/nepapfe/archive/2013/11/08/windows-2012-active-directory-domain-services-videos.aspx
http://blogs.technet.com/b/nepapfe/archive/2014/02/05/windows-2012-active-directory-domain-services-videos-2.aspx
Fazal Muhammad Khan from NEPA PFE team.
Role Based Access Control (RBAC) is the permissions model used in Microsoft Exchange Server 2010/2013. With RBAC, you don't need to modify and manage access control lists (ACLs), which was done in Exchange Server 2007. ACLs created several challenges in Exchange 2007, such as modifying ACLs without causing unintended consequences, maintaining ACL modifications through upgrades, and troubleshooting problems that occurred due to using ACLs in a nonstandard way.
RBAC enables you to control, at both broad and granular levels, what administrators and end-users can do. RBAC also enables you to more closely align the roles you assign users and administrators to the actual roles they hold within your organization. In Exchange 2007, the server permissions model applied only to the administrators who managed the Exchange 2007 infrastructure. In Exchange 2010/2013, RBAC controls both the administrative tasks that can be performed and the extent to which users can administer their own mailbox and distribution groups.
In this blog post I’ll walk you through the creation of a custom Role Group “Admin1” that has to perform the tasks below:
Admin1
Recipient Management
View only of the overall Organization
Messages tracking
Databases switchover Management
Mailbox Import Export
Procedure
1. Create two Management Roles for “Admin1” so that its members can:
Mount/Dismount databases
Update/Suspend/resume databases copies
Check databases copies status
Switchover/Failover databases
a. Create a Management Role that has the same permission as the “Database Copies” management Role with the following command
b. Remove the management Role entries that are not required for the Admin1 Group with the command below
c. Repeat STEP-B until you remove all the unnecessary commands
d. Check the entries that you left in the Management Role with the following command
Note: Make sure you left only the list shown below:
e. Create a Management Role that has the same permission as the “Databases” Management Role with the following command
New-ManagementRole -Name "Admin1_Databases" -Parent "Databases"
f. Remove the management Role entries that are not required for the Admin1 Group with the command below
Get-ManagementRoleEntry "Admin1_Databases\Cmdlet" | Remove-ManagementRoleEntry
Note: replace “Cmdlet” with the name of the PowerShell cmdlet whose entry you want to remove
g. Repeat Above until you remove all the unnecessary commands as shown below
2. Grant “Admin1” the "View-Only Configuration" role permissions with the command below
New-ManagementRoleAssignment -Role "View-Only Configuration" -SecurityGroup Admin1
3. Create a management Role that has the same permission as the “Organization Configuration” Management Role with the following command
New-ManagementRole "Admin1_Organization Configuration" -Parent "Organization Configuration"
a. Remove the management Role entries that are not required for the Admin1 Group with the command below
Get-ManagementRoleEntry "Admin1_Organization Configuration\Cmdlet" | Remove-ManagementRoleEntry
b. Repeat above until you remove all the unnecessary commands as shown below
c. To Grant the “Admin1” Group the management role "Admin1_Organization Configuration" run the command below
New-ManagementRoleAssignment -Role "Admin1_Organization Configuration" -SecurityGroup "Admin1"
4. Create a management role that has the same permission as "Message Tracking" Role with the following command
Get-ManagementRoleEntry "Admin1_Message Tracking\Cmdlet" | Remove-ManagementRoleEntry
b. To Grant the “Admin1” Group the management role "Admin1_Message Tracking" run the command below
New-ManagementRoleAssignment -Role "Admin1_Message Tracking" -SecurityGroup "Admin1"
5. Create a management role that has the same permission as "Recipient Policies" Role with the following command
New-ManagementRole "Admin1_Recipient Policies" -Parent "Recipient Policies"
a. Remove the management Role entries that are not required for the Admin1 Group with the commands below:
Get-ManagementRoleEntry "Admin1_Recipient Policies\Set-ThrottlingPolicy" | Remove-ManagementRoleEntry
Get-ManagementRoleEntry "Admin1_Recipient Policies\Set-ActiveSyncMailboxPolicy" | Remove-ManagementRoleEntry
Get-ManagementRoleEntry "Admin1_Recipient Policies\Set-HybridConfiguration" | Remove-ManagementRoleEntry
b. Create a new Role Group "Admin1_Recipient Management", granted the permissions to create and manage recipients, and add the “Admin1” Group as a member with the command below
6. Grant “Admin1” the "Support Diagnostics" Role permissions with the command below
New-ManagementRoleAssignment -Role "Support Diagnostics" -SecurityGroup admin1
7. To Grant the “Admin1” Group the right to perform Mailbox Import Export run the command below
8. Create a management role that has the same permission as the "Exchange Server Certificates" Role with the following command
New-ManagementRole "Admin1_Exchange Server Certificates" -Parent "Exchange Server Certificates"
Get-ManagementRoleEntry "Admin1_Exchange Server Certificates\Cmdlet" | Remove-ManagementRoleEntry
b. To Grant the “Admin1” Group the management role "Admin1_Exchange Server Certificates" run the command below
New-ManagementRoleAssignment -Role "Admin1_Exchange Server Certificates" -SecurityGroup Admin1
9. From the ECP, add the Management Roles “Admin1_Database_Copies” and “Admin1_Databases” to the Role Group “Admin1”
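The repeated "create child role, remove entries one by one, check what is left" pattern of steps 1 to 8 can be driven from an explicit allow-list instead, so that the role can never hold more than was intended and a typo cannot silently grant the wrong cmdlet. The script below is an added example, not code from the original post; it assumes an Exchange Management Shell session with rights to manage roles, and the cmdlet lists passed to it are my assumed mapping of the four tasks in step 1 onto Exchange cmdlets, to be replaced by the list your own "check the entries" step shows.

```powershell
# Added example (not the original post's code): derive a role from its parent, keep only an
# explicit allow-list of cmdlets, verify the result, then assign it to the role group.
# Assumes an Exchange Management Shell session with rights to manage roles.

function New-PrunedRole {
    param(
        [string]$RoleName,      # custom role to create, e.g. Admin1_Database_Copies
        [string]$ParentRole,    # built-in parent; a child role can never exceed it
        [string[]]$Keep,        # cmdlets the role group genuinely needs
        [string]$RoleGroup      # role group that receives the assignment
    )
    # A child role starts with every entry of its parent, so create it once...
    if (-not (Get-ManagementRole -Identity $RoleName -ErrorAction SilentlyContinue)) {
        New-ManagementRole -Name $RoleName -Parent $ParentRole | Out-Null
    }
    # ...then strip everything that is not on the allow-list in one pass.
    Get-ManagementRoleEntry "$RoleName\*" |
        Where-Object { $Keep -notcontains $_.Name } |
        Remove-ManagementRoleEntry -Confirm:$false

    # Verify before granting: anything outside the allow-list is a hard failure;
    # a cmdlet the parent never had is reported so a typo in $Keep cannot pass silently.
    $Remaining = @(Get-ManagementRoleEntry "$RoleName\*" | Select-Object -ExpandProperty Name)
    $Extra   = $Remaining | Where-Object { $Keep -notcontains $_ }
    $Missing = $Keep      | Where-Object { $Remaining -notcontains $_ }
    if ($Extra)   { throw "Unexpected entries left in ${RoleName}: $($Extra -join ', ')" }
    if ($Missing) { Write-Warning "Not in parent '$ParentRole', so not granted: $($Missing -join ', ')" }

    New-ManagementRoleAssignment -Role $RoleName -SecurityGroup $RoleGroup | Out-Null
    $Remaining   # the exact cmdlet set the role group just received
}

# Assumed cmdlet lists for step 1 (copy management in one role, mount/dismount in the other);
# replace them with what your own "check the entries" step shows for your environment.
New-PrunedRole -RoleName 'Admin1_Database_Copies' -ParentRole 'Database Copies' -RoleGroup 'Admin1' -Keep @(
    'Update-MailboxDatabaseCopy', 'Suspend-MailboxDatabaseCopy', 'Resume-MailboxDatabaseCopy',
    'Get-MailboxDatabaseCopyStatus', 'Move-ActiveMailboxDatabase'
)
New-PrunedRole -RoleName 'Admin1_Databases' -ParentRole 'Databases' -RoleGroup 'Admin1' -Keep @(
    'Mount-Database', 'Dismount-Database', 'Get-MailboxDatabase'
)
```

Afterwards, `Get-ManagementRoleAssignment -RoleAssignee 'Admin1' | Format-Table Role, RoleAssigneeType` lists every role the group ends up holding, which is the list to review before handing the group to its members.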
Ghazi Boufaden from NEPA PFE team.