Role Based Access Control (RBAC) is the permissions model used in Microsoft Exchange Server 2010/2013. With RBAC, you don't need to modify and manage access control lists (ACLs), which was done in Exchange Server 2007. ACLs created several challenges in Exchange 2007, such as modifying ACLs without causing unintended consequences, maintaining ACL modifications through upgrades, and troubleshooting problems that occurred due to using ACLs in a nonstandard way.
RBAC enables you to control, at both broad and granular levels, what administrators and end-users can do. RBAC also enables you to more closely align the roles you assign users and administrators to the actual roles they hold within your organization. In Exchange 2007, the server permissions model applied only to the administrators who managed the Exchange 2007 infrastructure. In Exchange 2010/2013, RBAC now controls both the administrative tasks that can be performed and the extent to which users can now administer their own mailbox and distribution groups.
In this Blog I’ll walk you through the creation of a custom Role Group “Admin1” that has to perform the tasks below
|
Admin1 |
Recipient Management
|
|
View only of the overall Organization |
|
|
Messages tracking |
|
|
Databases switchover Management
|
|
|
Mailbox Import Export |
Procedure
-
Create 2 Management Roles for “Admin1” to make them:
-
Mount/Dismount databases
-
Update/Suspend/resume databases copies
-
Check databases copies status
-
Switchover/Failover databases
a. Create a Management Role that has the same permission as the “Database Copies” management Role with the following command
| New-ManagementRole –Name “Admin1_Database_Copies” –Parent “Database Copies” |
b. Remove the management Role entries that are not required for Admin1 Group with the commad below
| Get-ManagementRoleEntry “Admin1_Database_Copies\Cmdlet” | Remove-managementRoleEntry Note: “Cmdlet” is the powershell command to remove |
c. Repeat STEP-B until you remove all the unnecessary commands
d. Check the entries that you left in the Management Role with the following command
| Get-ManagementRole “Admin1_Database_Copies” | Get-managementRoleEntry |
Note: Make sure you left only the list shown below:
e. Create a Management Role that has the same permission as the “Databases” Management Role with the following command
|
New-ManagementRole –Name “Admin1_Databases” –Parent “Databases” |
f. Remove the management Role entries that are not required for Admin1 Group with the commad below
|
Get-ManagementRoleEntry “Admin1_Databases\Cmdlet” | Remove-managementRoleEntry Note: “Cmdlet” is the powershell command to remove |
g. Repeat Above until you remove all the unnecessary commands as shown below
2. Grant “Admin1” the "View-Only Configuration" role permissions with the command below
|
New-ManagementRoleAssignment -Role "View-Only Configuration" -SecurityGroup Admin1 |
3. Create a management Role that has the same permission as the “Organization Configuration” Management Role with the following command
|
New-ManagementRole "Admin1_Organization Configuration" -Parent "Organization Configuration" |
a. Remove the management Role entries that are not required for Admin1 Group with the commad below
|
Get-ManagementRoleEntry “Admin1_Organization Configuration\Cmdlet” | Remove-managementRoleEntry Note: “Cmdlet” is the powershell command to remove |
b. Repeat above until you remove all the unnecessary commands as shown below
c. To Grant the “Admin1” Group the management role "Admin1_Organization Configuration" run the command below
|
New-managementRoleAssignment –Role "Admin1_Organization Configuration"–SecurityGroup “Admin1” |
4. Create a management role that has the same permission as "Message Tracking" Role with the following command
| New-ManagementRole "Admin_Message Tracking" -Parent "Message Tracking" |
a. Remove the management Role entries that are not required for Admin1 Group with the commad below
|
Get-ManagementRoleEntry “Admin1_ Message Tracking\Cmdlet” | Remove-managementRoleEntry Note: “Cmdlet” is the powershell command to remove |
b. To Grant the “Admin1” Group the management role "Admin1_Message Tracking" run the command below
|
New-managementRoleAssignment –Role "Admin1_ Message Tracking"–SecurityGroup “Admin1” |
5. Create a management role that has the same permission as "Recipient Policies" Role with the following command
|
New-ManagementRole "Admin1_Recipient Policies" -Parent "Recipient Policies" |
a. Remove the management Role entries that are not required for Admin1 Group with the commad below:
|
Get-ManagementRoleEntry "Admin1_Recipient Policies\Set-ThrottlingPolicy" | Remove-ManagementRoleEntry Get-ManagementRoleEntry "Admin1_Recipient Policies\Set-ActiveSyncMailboxPolicy" | Remove-ManagementRoleEntry Get-ManagementRoleEntry "Admin1_Recipient Policies\Set-HybridConfiguration" | Remove-ManagementRoleEntry Note: “Cmdlet” is the powershell command to remove |
b. Create a new RoleGroup "Admin1_Recipient Management", granted the permissions to create/manage recipients and add “Admin1” Group as member "Admin1_Message Tracking" with the command below
| New-RoleGroup "Admin1_Recipient Management" -Roles "Distribution Groups","Mail Enabled Public Folders","Mail Recipient Creation","Mail Recipients","Migration","Move Mailboxes","Admin1_Recipient Policies" -Members Admin1 |
6. Grant “Admin1” the ""Support Diagnostics" Role permissions with the command below
|
New-ManagementRoleAssignment -Role "Support Diagnostics" -SecurityGroup admin1 |
7. To Grant the “Admin1” Group the right to perform Mailbox Import Export run the command below
| New-managementRoleAssignment –Role “Mailbox Import Export” –SecurityGroup “Admin1” |
8. Create a management role that has the same permission as “Exchange Server Certificates" Role with the following command
|
New-ManagementRole "Admin1_Exchange Server Certificates" -Parent "Exchange Server Certificates" |
a. Remove the management Role entries that are not required for Admin1 Group with the commad below
|
Get-ManagementRoleEntry "Admin1_Exchange Server Certificates\Cmdlet” | Remove-managementRoleEntry Note: “Cmdlet” is the powershell command to remove |
b. To Grant the “Admin1” Group the management role "Admin1_Exchange Server Certificates" run the command below
|
New-ManagementRoleAssignment -Role "Admin1_Exchange Server Certificates" -SecurityGroup Admin1 |
9. From the ECP, add the Management Roles “Admin1_Database_Copies” and “Admin1_Databases” to the Role Group “Admin1”
 |
 |
 |
Ghazi Boufaden from NEPA PFE team.