RBAC – How To implement Exchange 2003 Admin Group model

say that in Exchange 2010 via RBAC you are trying to implement the Admin Group
permission model used in Exchange 2003, where you typically had Admin Groups
split up based on AD Sites (geographical location).


for example Each Admin Group had delegated rights to a specific User or
Security Group, so each Exchange Admin would only be able to manage their own
Admin Groups and the servers in the respective Admin Groups.


with Exchange 2007 we only have 1 Admin Group Exchange Administrative Group
(FYDIBOHF23SPDLT) where all Exchange 2007 and 2010 Servers are


Exchange 2010 via RBAC you can accomplish a similar permission model:


1)      Create a new Management Scope
restricted to only the servers in a specific AD Site.

New-ManagementScope -Name
"scope_server_siteA" - ServerRestrictionFilter “(Serversite -eq ’DN
of Default-First-Site-Name’)"

2)      Afterwards create a new Role Group
and assign the necessary roles:

–Name “Admins_SiteA_RoleGroup” -Roles “Exchange Servers", "Exchange
Virtual Directories", "Transport Queues", "Exchange
Connectors", "Exchange Server Certificates",
"Databases", "Monitoring", "POP3 And IMAP4
Protocols", "Database Copies", "Receive Connectors" –
CustomConfigWriteScope " scope_server_siteA "

3)      Create new security group for Admins
via ADUC  named "SiteA_Admins_USG";

4)      Make Group " SiteA_Admins_USG
" member of new Role Group " Admins_SiteA " with

Add-RoleGroupMember "
Admins_SiteA_RoleGroup" -Member "SiteA_Admins_USG"




Comments (2)

  1. Jeff25 says:

    Very Useful – thank you!

  2. veeneet Joshi says:

    Helped me a lot..Thanks for the post

Skip to main content