Dumping the RBAC Hierarchy

One of the things I noticed between RTM and SP1 for Exchange 2010 is the changes made to the RBAC environment, specifically the introduction of many new parameters on individual role entries (cmdlets associated with a role).  Using the shell to manage this can be difficult, which is why I posted a link back in May 2010 to a spreadsheet I created that depicted the RBAC components in a pivot table. 

Rather than giving out fish, it's time to share the code. You'll likely want a mechanism for not only evaluating the changes between versions, but also a way to determine what exactly has been delegated in your own environments. Here's the code I used to build that raw data. Take the CSV-formatted data, bring it into Excel, and use it for your own pivot table.

$DC = "[Domain Controller Name]"
$Count = 0

# Walk every role group, then each management role assigned to it
Foreach ($RG in Get-RoleGroup -DomainController $DC) {
    # Write-Output $RG.Name
    Foreach ($AR in (Get-RoleGroup "$RG" -DomainController $DC).Roles) {
        # Write-Output $AR.Name
        # Each role entry is a cmdlet that the role grants
        Foreach ($RE in Get-ManagementRoleEntry "$AR\*" -DomainController $DC) {
            $cmdlet = $RE.Name
            # Emit one CSV row per parameter allowed on that cmdlet
            Foreach ($P in (Get-ManagementRoleEntry "$AR\$cmdlet" -DomainController $DC).Parameters) {
                Write-Output "$RG,$RE,$cmdlet,$P"
                $Count += 1
            }
        }
    }
}

Write-Host "Total Processed: $Count"
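
The version-to-version comparison mentioned above, as an added example rather than the author's code: it diffs two dumps produced by the script and lists every parameter that was added to or removed from a role group. It assumes the four-column, header-less rows the script writes, with no commas inside a field; the function names, the `before.csv` file name and the sample rows are constructed for illustration.

```powershell
# Added example, not the author's code. Assumes each dump line is
# RoleGroup,RoleEntry,Cmdlet,Parameter: no header row, no commas inside a field.
$Header = 'RoleGroup', 'RoleEntry', 'Cmdlet', 'Parameter'

function Get-RbacKeySet {
    param($Rows)
    # Collapse rows to unique group|cmdlet|parameter keys. A cmdlet can reach
    # the same role group through more than one role, which repeats rows.
    $set = @{}
    foreach ($r in @($Rows)) {
        if ($r) { $set[('{0}|{1}|{2}' -f $r.RoleGroup, $r.Cmdlet, $r.Parameter)] = $true }
    }
    $set
}

function Compare-RbacDump {
    param($Old, $New)
    $oldSet = Get-RbacKeySet $Old
    $newSet = Get-RbacKeySet $New
    $changes = @()
    foreach ($k in $newSet.Keys) { if (-not $oldSet.ContainsKey($k)) { $changes += "Added|$k" } }
    foreach ($k in $oldSet.Keys) { if (-not $newSet.ContainsKey($k)) { $changes += "Removed|$k" } }
    # A key present on only one side is a delegation change to review.
    $changes | Sort-Object | ForEach-Object {
        $f = $_.Split('|')
        New-Object PSObject -Property @{ Change = $f[0]; RoleGroup = $f[1]; Cmdlet = $f[2]; Parameter = $f[3] } |
            Select-Object Change, RoleGroup, Cmdlet, Parameter
    }
}

# Constructed sample rows; they do not reflect real RTM/SP1 differences.
# For saved dumps use: Import-Csv .\before.csv -Header $Header  (hypothetical file name)
$before = @'
Help Desk,View-Only Recipients\Get-Mailbox,Get-Mailbox,Identity
Help Desk,View-Only Recipients\Get-Mailbox,Get-Mailbox,ResultSize
Help Desk,User Options\Set-Mailbox,Set-Mailbox,Identity
'@ | ConvertFrom-Csv -Header $Header

$after = @'
Help Desk,View-Only Recipients\Get-Mailbox,Get-Mailbox,Identity
Help Desk,User Options\Set-Mailbox,Set-Mailbox,Identity
Help Desk,User Options\Set-Mailbox,Set-Mailbox,DisplayName
'@ | ConvertFrom-Csv -Header $Header

Compare-RbacDump -Old $before -New $after | Format-Table -AutoSize
```

Running the same comparison against a dump taken after each delegation change gives a reviewable record of exactly which cmdlet parameters a role group gained or lost.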