250 Hello

Random Musings on Exchange and Virtualization

Creating RBAC Role To Delegate Contact Management

Creating RBAC Role To Delegate Contact Management

  • Comments 28
  • Likes

Update 21-11-2013: If you want the additional contact fields to be edited then please review this post

I had an interesting question the other week about solving a business challenge a customer had with regards to delegating the creation of contact objects in Active Directory.  In their previous messaging system users were managing their own external distribution groups, adding and removing external people, and they wanted to do the same in Exchange 2010.

A default Exchange 2010 installation does not grant these capabilities by default, so we have to do a little configuration.  Role Based Access Control (RBAC) was introduced by Microsoft in Exchange 2010 and is used to control access to the messaging environment.

I thought that this would be worth sharing so that the solution is published and the logic of creating the custom RBAC role is discussed.

 

Building Blocks

We will need to permit:

  • Management of Distribution Groups in Active Directory
  • Creation and management of Mail Enabled Contacts in Active Directory
  • Management toolset to manage the above

Management of Distribution Groups

Exchange 2010 does not allow a user to manage groups that they own by default.  All of the necessary plumbing is present, you just have to enable the feature.  This is explained in detail here.  Couple of things to note:

  • Groups cannot manage groups in Exchange 2010, this feature has returned in Exchange 2013 CU1. There is a workaround for Exchange 2010
  • Make sure the mailboxes and the DGs are in the same GAL

As noted above to manage groups that they own, assign MyDistributionGroups to the appropriate Role Assignment Policy.  In the below example the Default Role Assignment Policy was changed to enable this.  Note that this will allow users to also create new Distribution Groups, so I’ll cover that in a separate blog.  Also you may not want to change the Default Role Assignment Policy in your environment.  You can have multiple Role Assignment Policies and different groups of mailboxes can have a Role Assignment Policy that maps to their business needs.

Exchange 2010 Default Role Assignment Policy Edited To Enable MyDistributionGroups

Well that’s the easy part done !

So let’s create a RBAC Role, and for the purposes of this test do a direct role assignment to one user account, though this can easily be a group and would be the recommended methodology.

Creation & Management of Mail Enabled Contacts in Active Directory

End users cannot create contacts in AD by default, but we can change the default RBAC to allow this.  The trick is to assign just the minimum permissions possible.  RBAC is aware of the permissions that have been assigned to a person, and will change the display to reflect the assigned permissions.  If you do not have access to do something, then you will not see that option.

Where to start?  We need to know which role contains the cmdlet that we want to leverage.  In this case we want the New-MailContact cmdlet, and to see in which roles it is present we can use Get-ManagementRole and the –Cmdlet parameter

Get-ManagementRole -Cmdlet New-MailContact

Exchange 2010 RBAC - Checking Which Role(s) Contain Necessary cmdlet

We can see that the Mail Recipient Creation contains the cmdlet that we need.  It also contains a bunch of other cmdlets that would grant too many capabilities.  A full listing is shown below for reference.

Get-ManagementRoleEntry –Identity “Mail Recipient Creation\*”

Exchange 2010 RBAC - Management Role Entries Contained in Mail Recipient Creation Management Role

The built-in roles are read only and cannot be changed, so we cannot remove any cmdlets from them.  What we can, and will do, is to create a writable copy and make the necessary changes to our copied Management Role. 

 

To create a new role called AD-Contact-Editors based off the built-in “Mail Recipient Creation”

New-ManagementRole –Name AD-Contact-Editors –Parent “Mail Recipient Creation”

Exchange 2010 RBAC -  Creating New Management Role

Right now, our newly created AD-Contact-Editors role is a mirror copy of the original parent role.  Thus it has all the cmdlets and parameters the parent has.  Now we need to strip all of the unwanted cmdlets from our new role. Ultimately we want to leave in the bare minimum.  

You could strip each cmdlet out one at a time.  For this exercise it will be easier to remove all but one and then add a couple back in.  We cannot remove all of the role entries, which is why we leave one behind.  Let’s leave just Get-MailContact in the role.  To remove the role entries, we shall pass the unwanted cmdlets through to Remove-ManagementRoleEntry.  So all cmdlets that are not Get-MailContact will be removed.

Exchange 2010 RBAC -  Removing Unwanted Management Role Entries

Top Tip:

Always check the objects that are returned prior to piping to the remove cmdlet.

So in this case we would run

Get-ManagementRoleEntry  -Identity AD-Contact-Editors\* | Where-Object {$_.Name -ne 'Get-MailContact'}

Only when we are happy with what is returned should we run:

Get-ManagementRoleEntry  -Identity AD-Contact-Editors\* | Where-Object {$_.Name -ne 'Get-MailContact'} | Remove-ManagementRoleEntry

If we check to see what’s now in the AD-Contact-Editors Management Role, it only contains the Get-MailContact cmdlet.

Get-ManagementRoleEntry –Identity AD-Contact-Editors\*

Exchange 2010 RBAC -  Checking Current Management Role Entries

Let’s add back New-MailContact using New-ManagementRoleEntry

Add-ManagementRoleEntry –Identity “AD-Contact-Editors\New-MailContact”

Exchange 2010 RBAC -  Adding Required Management Role Entries Back In

If we try and test this in ECP, we only have the capabilities to manage ourselves at this point so we need to add a couple more cmdlets back in.  We need to add

  • Remove-MailContact
  • Get-Recipient
  • Set-Recipient

Add-ManagementRoleEntry –Identity “AD-Contact-Editors\Remove-MailContact”

Add-ManagementRoleEntry –Identity “AD-Contact-Editors\Get-Recipient”

 

This should give you a management role that looks like this:

Get-ManagementRoleEntry “AD-Contact-Editors”

Exchange 2010 RBAC -  Checking Required Management Role Entries

In case you are wondering why we have not added Set-MailContact to our custom role, there is a very good reason.  Custom Management Roles can only contain cmdlets and parameters that exist in their parent role.  If you check out the original contents of the custom role there is no Set-MailContact cmdlet in it, thus we can never add it to this role.  

Assign the new role to a user.  User-10 will our fluffy and cute guinea pig.

New-ManagementRoleAssignment -Role AD-Contact-Editors -User User-10

Exchange 2010 RBAC -  Assigning Custom Management Role Directly To Mailbox

To check that the Management Role was correctly assigned, we could run:

Get-ManagementRoleAssignment -Role AD-Contact-Editors

Time to test!

Testing & Validation

Probably the most important portion is testing and validation, and is often overlooked.

Test, test and test like you mean it Smile

You can allow your end users to use PowerShell to manage create and edit the contacts, though I suspect the admin assistant that wants to use PowerShell will be few and far between….

Chances are they will like the nice graphical ECP interface, so let’s focus on that.

 

Bellow is what our test user (user-10) sees in ECP.  Note this is the manage my org view.  All they can see is the External Contacts tab.

Exchange 2010 ECP Showing User Editing Contacts

In their Groups ECP view they see:

Exchange 2010 ECP Showing User Editing Groups

And they can add the contacts to the DG

Exchange 2010 ECP User Editing Editing Distribution Group

Outlook also will show the correct directory information.  This is how Outlook 2010 sees the DG:

Outlook 2010 Showing Same Directory Information

Conclusion

RBAC in Exchange 2010 allows for a lot of great customisation to the default built-in roles.  For many customers the default roles will work fine, and if not they can be easily customised.

For the users that you grant these permissions they will be able to manage/edit/delete all the contacts in the organisation.

 

This blog shows the basic framework for editing and customising RBAC.  By following the same process of identifying the role you need to work with, copying it and then customising the copied role you can provide a tailored solution to meet your organisation’s needs.

This will allow for the a basic mail enabled contact to be created.  If you want the additional contact fields to be edited then please see this post.

Cheers,

Rhoderick

 

 

Can You Help Us?  -- Yes !

If you would like to have Microsoft Premier Field Engineering (PFE) visit your company and assist with the topic(s) presented in this blog post, then please contact your Microsoft Premier Technical Account Manager (TAM) for more information on scheduling and our varied offerings!

If you are not currently benefiting from Microsoft Premier support and you’d like more information about Premier, please email the appropriate contact below, and tell them you how you got introduced!

US

Canada

For all other areas please use the US contact point.





Comments
  • Could add more points on get - windows features

  • Hi Guowen - was this the blog you intended to comment on?  

    Get-window feature does not "feature" here at all.

    cheers,

    Rhoderick

  • Dude your the man!!! This helped me alot

  • Well after testing that I can only -

    1. I can only create a contact

    2. I cannot add a phone # to it

    3. I cannot go back to edit it

    what other permissions do I need to add to be able to do this, looks like I 'm almost there.

  • Hi Marc,

    I'll bet that this is due to that Set-MailContact is not within the ManagementRoleEntry

    Add that badboy back in and let us know how you get on please.  That was not what the customer who asked for this originally wanted, but we should be able to accommodate your request too :)

    Cheers,

    Rhoderick

  • I tried to add it back in but I get this error -

    [PS] C:\Windows\system32>Add-ManagementRoleEntry -Identity "AD-Contact-Editors\Set-Recipient"

    The "Set-Recipient" management role entry wasn't found on the "Mail Recipient Creation" management role. Make sure you

    typed it correctly, and try again

       + CategoryInfo          : NotSpecified: (0:Int32) [Add-ManagementRoleEntry], ManagementObjectNotFoundException

       + FullyQualifiedErrorId : 3961CEC7,Microsoft.Exchange.Management.RbacTasks.AddManagementRoleEntry

  • I tried Set-MailContact it errored out the same way

  • Hey marc, That would be expected as it is not in the parent role, there should be a note in the above about that.  I thought you had a separate role assignment with that.  

    let me grab the exact syntax for you

    cheers,

    Rhoderick

  • Marc - this post will go live tomorrow morning just after 09:00 EST

    blogs.technet.com/.../creating-rbac-role-to-delegate-editing-contacts.aspx

    Try that out and let me know how you get on please!

    Cheers,

    Rhoderick

  • Marc - did that work for you?

  • Hi, any chance the user can modify the contact? he can add or delete, but not modify.
    thanks
    Yuan

  • Yuan, did you read this one? http://blogs.technet.com/b/rmilne/archive/2013/11/21/creating-rbac-role-to-delegate-editing-contacts.aspx.

    cheers,
    Rhoderick

  • thanks, it worked

  • Groovy!

    Do let me know if there are other good RBAC scenarios that you need covered.

    Cheers,
    Rhoderick

  • Hi Rhoderick,

    Must say nice blog... but I do have a different scenario here. I want to create a RBAC role for a set of users where they should have permissions to run cmdlets but only for specific cmdlets. For example if I say they should be able to run 2-3 specific cmdlets through EMS to do the changes. Is there any way to configure RBAC where we can allow specific cmdlets and restrict others. Please suggest.

    Thanks in advance!!!!

    Cheers,
    Abi

Your comment has been posted.   Close
Thank you, your comment requires moderation so it may take a while to appear.   Close
Leave a Comment
Post Comment Fixer