Create a Custom Admin Role for Exchange using RBAC

Role Based Access Control (RBAC) is the permissions model used in Microsoft Exchange Server 2010/2013. With RBAC, you don't need to modify and manage access control lists (ACLs), which was done in Exchange Server 2007. ACLs created several challenges in Exchange 2007, such as modifying ACLs without causing unintended consequences, maintaining ACL modifications through upgrades, and troubleshooting problems that occurred due to using ACLs in a nonstandard way.

RBAC enables you to control, at both broad and granular levels, what administrators and end users can do. RBAC also lets you align the roles you assign to users and administrators more closely with the roles they actually hold within your organization. In Exchange 2007, the server permissions model applied only to the administrators who managed the Exchange 2007 infrastructure. In Exchange 2010/2013, RBAC controls both the administrative tasks that can be performed and the extent to which users can administer their own mailboxes and distribution groups.

In this blog post I'll walk you through creating a custom Role Group "Admin1" whose members must be able to perform the tasks below:

Admin1

Recipient Management

  • Create mailboxes
  • Create distribution lists
  • Create contacts
  • Move mailboxes

View-only access to the overall organization

Message tracking

Database switchover management

  • Mount/Dismount databases
  • Update/Suspend/Resume database copies
  • Check database copy status
  • Switchover/Failover databases

Mailbox Import Export

Procedure

  1. Create 2 Management Roles for "Admin1" so that its members can:
  • Mount/Dismount databases
  • Update/Suspend/Resume database copies
  • Check database copy status
  • Switchover/Failover databases

a. Create a Management Role that has the same permissions as the built-in "Database Copies" management role with the following command:

New-ManagementRole -Name "Admin1_Database_Copies" -Parent "Database Copies"

b. Remove the management role entries that are not required for the Admin1 group with the command below:

Get-ManagementRoleEntry "Admin1_Database_Copies\Cmdlet" | Remove-ManagementRoleEntry

Note: replace "Cmdlet" with the name of the PowerShell cmdlet to remove.

c. Repeat step b until all the unnecessary cmdlets have been removed.

d. Check the entries that remain in the management role with the following command:

Get-ManagementRole "Admin1_Database_Copies" | Get-ManagementRoleEntry

Note: Make sure that only the entries in the list shown below remain:

e. Create a Management Role that has the same permissions as the built-in "Databases" management role with the following command:

New-ManagementRole -Name "Admin1_Databases" -Parent "Databases"

f. Remove the management role entries that are not required for the Admin1 group with the command below:

Get-ManagementRoleEntry "Admin1_Databases\Cmdlet" | Remove-ManagementRoleEntry

Note: replace "Cmdlet" with the name of the PowerShell cmdlet to remove.

g. Repeat the previous step until all the unnecessary cmdlets have been removed, as shown below:

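Steps a to g above remove unwanted entries one cmdlet at a time. The PowerShell function below is an added example (not from the original post): it derives the same two child roles from their parents and prunes each to an explicit allow-list, then returns what remains for the review in step d. The function name and the cmdlet lists are assumptions matched to the four tasks in step 1, since the post's screenshots of the remaining entries are not reproduced here.

```powershell
# Added example, not part of the original post. Run in the Exchange
# Management Shell as a member of Organization Management.
function New-PrunedManagementRole {
    param(
        [Parameter(Mandatory=$true)] [string]   $Name,        # child role to create
        [Parameter(Mandatory=$true)] [string]   $Parent,      # built-in parent role
        [Parameter(Mandatory=$true)] [string[]] $KeepCmdlets  # allow-list of entries
    )
    if (-not (Get-ManagementRole -Identity $Name -ErrorAction SilentlyContinue)) {
        New-ManagementRole -Name $Name -Parent $Parent | Out-Null
    }
    # A child role starts as a copy of its parent's entries and can never hold
    # more than the parent, so report allow-listed cmdlets the parent lacks.
    $entries = @(Get-ManagementRoleEntry "$Name\*")
    $present = $entries | ForEach-Object { $_.Name }
    $missing = $KeepCmdlets | Where-Object { $present -notcontains $_ }
    if ($missing) { Write-Warning "Not available from '$Parent': $($missing -join ', ')" }

    # Strip every entry that is not on the allow-list; this replaces
    # repeating step b once per cmdlet.
    $entries | Where-Object { $KeepCmdlets -notcontains $_.Name } |
        Remove-ManagementRoleEntry -Confirm:$false

    # Hand back what is left so it can be reviewed (step d).
    Get-ManagementRoleEntry "$Name\*" | Select-Object Name, Parameters
}

# Assumed allow-lists for the tasks in step 1: update/suspend/resume/status
# of database copies and switchover, then mount/dismount of databases.
New-PrunedManagementRole -Name 'Admin1_Database_Copies' -Parent 'Database Copies' -KeepCmdlets @(
    'Get-MailboxDatabaseCopyStatus', 'Update-MailboxDatabaseCopy',
    'Suspend-MailboxDatabaseCopy', 'Resume-MailboxDatabaseCopy',
    'Move-ActiveMailboxDatabase')

New-PrunedManagementRole -Name 'Admin1_Databases' -Parent 'Databases' -KeepCmdlets @(
    'Get-MailboxDatabase', 'Mount-Database', 'Dismount-Database')
```

Any allow-listed cmdlet the parent role does not contain is reported as a warning rather than added, because a child role cannot exceed its parent.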
2. Grant "Admin1" the "View-Only Configuration" role with the command below:

New-ManagementRoleAssignment -Role "View-Only Configuration" -SecurityGroup Admin1

3. Create a management role that has the same permissions as the built-in "Organization Configuration" management role with the following command:

New-ManagementRole "Admin1_Organization Configuration" -Parent "Organization Configuration"

a. Remove the management role entries that are not required for the Admin1 group with the command below:

Get-ManagementRoleEntry "Admin1_Organization Configuration\Cmdlet" | Remove-ManagementRoleEntry

Note: replace "Cmdlet" with the name of the PowerShell cmdlet to remove.

b. Repeat the previous step until all the unnecessary cmdlets have been removed, as shown below:

c. To grant the "Admin1" group the management role "Admin1_Organization Configuration", run the command below:

New-ManagementRoleAssignment -Role "Admin1_Organization Configuration" -SecurityGroup "Admin1"

4. Create a management role that has the same permissions as the built-in "Message Tracking" role with the following command:

New-ManagementRole "Admin1_Message Tracking" -Parent "Message Tracking"

a. Remove the management role entries that are not required for the Admin1 group with the command below:

Get-ManagementRoleEntry "Admin1_Message Tracking\Cmdlet" | Remove-ManagementRoleEntry

Note: replace "Cmdlet" with the name of the PowerShell cmdlet to remove.

b. To grant the "Admin1" group the management role "Admin1_Message Tracking", run the command below:

New-ManagementRoleAssignment -Role "Admin1_Message Tracking" -SecurityGroup "Admin1"

5. Create a management role that has the same permissions as the built-in "Recipient Policies" role with the following command:

New-ManagementRole "Admin1_Recipient Policies" -Parent "Recipient Policies"

a. Remove the management role entries that are not required for the Admin1 group with the commands below:

Get-ManagementRoleEntry "Admin1_Recipient Policies\Set-ThrottlingPolicy" | Remove-ManagementRoleEntry

Get-ManagementRoleEntry "Admin1_Recipient Policies\Set-ActiveSyncMailboxPolicy" | Remove-ManagementRoleEntry

Get-ManagementRoleEntry "Admin1_Recipient Policies\Set-HybridConfiguration" | Remove-ManagementRoleEntry

Note: the name after the backslash in each command is the PowerShell cmdlet being removed from the role.

b. Create a new role group "Admin1_Recipient Management" that is granted the permissions to create and manage recipients, and add the "Admin1" group as a member, with the command below:

New-RoleGroup "Admin1_Recipient Management" -Roles "Distribution Groups","Mail Enabled Public Folders","Mail Recipient Creation","Mail Recipients","Migration","Move Mailboxes","Admin1_Recipient Policies" -Members Admin1

6. Grant "Admin1" the "Support Diagnostics" role with the command below:

New-ManagementRoleAssignment -Role "Support Diagnostics" -SecurityGroup Admin1

7. To grant the "Admin1" group the right to perform mailbox import and export, run the command below:

New-ManagementRoleAssignment -Role "Mailbox Import Export" -SecurityGroup "Admin1"

8. Create a management role that has the same permissions as the built-in "Exchange Server Certificates" role with the following command:

New-ManagementRole "Admin1_Exchange Server Certificates" -Parent "Exchange Server Certificates"

a. Remove the management role entries that are not required for the Admin1 group with the command below:

Get-ManagementRoleEntry "Admin1_Exchange Server Certificates\Cmdlet" | Remove-ManagementRoleEntry

Note: replace "Cmdlet" with the name of the PowerShell cmdlet to remove.

b. To grant the "Admin1" group the management role "Admin1_Exchange Server Certificates", run the command below:

New-ManagementRoleAssignment -Role "Admin1_Exchange Server Certificates" -SecurityGroup Admin1

9. From the ECP, add the management roles "Admin1_Database_Copies" and "Admin1_Databases" to the role group "Admin1".

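Once steps 1 to 9 are done, the added check below (not from the original post) lists every role assigned to the Admin1 group and to the "Admin1_Recipient Management" role group it was made a member of in step 5b, collects the cmdlets those roles grant, and flags anything missing from or beyond the task list at the top. The function name and the expected and forbidden cmdlet sets are assumptions based on that task list; both groups are passed explicitly so the nested membership is covered whether or not the cmdlet expands it.

```powershell
# Added example, not part of the original post: audit what the Admin1
# group can actually run after all the assignments above.
function Test-RoleGroupScope {
    param(
        [Parameter(Mandatory=$true)] [string[]] $RoleGroups,
        [string[]] $MustHave    = @(),   # cmdlets the group needs for its tasks
        [string[]] $MustNotHave = @()    # cmdlets that would exceed those tasks
    )
    # Roles reaching the groups through direct role assignments, including
    # the two roles added from the ECP in step 9.
    $roles = foreach ($g in $RoleGroups) {
        Get-ManagementRoleAssignment -RoleAssignee $g | ForEach-Object { "$($_.Role)" }
    }
    $roles = $roles | Sort-Object -Unique

    # Union of the cmdlet entries across all of those roles.
    $granted = @()
    foreach ($role in $roles) {
        $granted += Get-ManagementRoleEntry "$role\*" | ForEach-Object { $_.Name }
    }
    $granted = $granted | Sort-Object -Unique

    New-Object PSObject -Property @{
        RoleGroups = $RoleGroups
        Roles      = $roles
        Missing    = @($MustHave    | Where-Object { $granted -notcontains $_ })
        Excess     = @($MustNotHave | Where-Object { $granted -contains $_ })
    }
}

# Assumed expectations derived from the Admin1 task list at the top.
$result = Test-RoleGroupScope -RoleGroups @('Admin1', 'Admin1_Recipient Management') `
    -MustHave @('New-Mailbox', 'New-DistributionGroup', 'New-MailContact',
                'New-MoveRequest', 'Get-MessageTrackingLog',
                'Mount-Database', 'Dismount-Database', 'Move-ActiveMailboxDatabase',
                'Get-MailboxDatabaseCopyStatus', 'Update-MailboxDatabaseCopy',
                'New-MailboxImportRequest', 'New-MailboxExportRequest') `
    -MustNotHave @('Remove-MailboxDatabase', 'New-ManagementRoleAssignment',
                   'Add-RoleGroupMember', 'Set-OrganizationConfig')

$result | Format-List RoleGroups, Roles, Missing, Excess
if ($result.Missing) { Write-Warning "Admin1 lacks: $($result.Missing -join ', ')" }
if ($result.Excess)  { Write-Warning "Admin1 exceeds its task list: $($result.Excess -join ', ')" }
```

An empty Missing and Excess list means the group can do exactly the tasks it was built for; anything in Excess points at a role entry that step b of the relevant step should have removed.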
Ghazi Boufaden from NEPA PFE team.