Exchange 2010 – Management Tools

The largest share of helpdesk calls an organization incurs involve DL management, message tracking, changes to the personal address book, and similar tasks. The annual cost of email helpdesk support staff for 7500 mailboxes is approx. $20/mailbox, according to a survey from Ferris Research, June 2008.

Our goals with Exchange 2010 are to reduce these costs considerably by introducing new management tools: the Exchange Control Panel, a new role-based authorization model (Role Based Access Control, RBAC), and Remote PowerShell.

EMC and Exchange PowerShell remain the major tools for managing Exchange 2010. The Exchange Management Console (EMC) is built on Remote PowerShell (Windows PowerShell V2). EMC also honors all RBAC authorizations that have been made, and it assigns RBAC roles and scopes. EMC supports multi-forest and cross-premise management with our on-premises and Online offerings. EMC also supports bulk editing of recipients.

Exchange Control Panel (ECP) is a new browser-based management client for end users, admins, and specialists. It's accessible from a URL, from OWA, and from Outlook 2010. It's deployed as part of the CAS role, and it is also RBAC aware.


ECP is an AJAX-based application and shares some code with OWA, but they are two separate applications. ECP supports IE, Firefox, and Safari.

ECP honors RBAC permissions and modifies the interface so that users see only the functions they have access to. For example:

  • If the user doesn't have the ability to do message tracking, it is removed from ECP.
  • If a user can edit mailboxes but not create new mailboxes, then that option is hidden.
  • If an end user has the rights to change information such as display name but not department, then Department is visible but shown read-only, as below.

[image: ECP with the Department field shown read-only]

RBAC. Access is based on what you do, not on what you have access to. Within the school, roles are created for various job functions, and the permissions to perform certain operations are assigned to those roles. RBAC differs from the ACLs of traditional discretionary access control in that it assigns permissions to specific operations rather than granting access to low-level data objects.


The RBAC authorization model is centered on the concept of Role Assignment. A role assignment defines exactly who (a user or a group) can do what, and where (on which objects) they can do it.

  • This is a far different model from the AD ACL model, which hinged on the Where.
  • In the AD ACL model the focal point was the AD object: each object has an ACL, and the ACL describes both the What and the Who. While this has proven to be an extremely flexible and well-accepted model, it presents some challenges.

There is no central object that ties a user to the underlying permissions; a user's permissions are the aggregate of all the objects that user has access to.

RoleGroup and Role Assignment Policy will be RTM features and are not available in the Beta release. In the Beta, a RoleAssignment goes directly from a role to a user or USG.

Custom Management Roles

These roles can be added for specific delegation requirements.

  1. Create the management role
  2. Change the new role's management role entries (by removing role entries)
  3. Create a management scope (if required)
  4. Assign the new management role

Some examples:

New-ManagementRole -Name "eDiscovery-Sales" -Parent DiscoveryManagement

New-ManagementScope -Name "Sales Mailboxes" -DomainRestrictionFilter "(RecipientType -eq 'UserMailbox')" -DomainRoot "OU=Sales,DC=contoso,DC=Com"

New-ManagementRoleAssignment -Name "RA-Sales eDiscovery Administrators" -User "USG-Sales eDiscovery Admins" -Role "eDiscovery-Sales" -DomainScopeRestriction "Sales Mailboxes"

Permission reporting on role delegation:

[image: permission report on role delegation]
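The four steps above, carried through end to end and followed by the permission report the screenshot illustrates. This is an added example, not code from the original post: it uses the Exchange 2010 RTM parameter names (-RecipientRestrictionFilter, -RecipientRoot, -SecurityGroup, -CustomRecipientWriteScope) rather than the Beta names shown in the post's own commands, and it reuses the post's role, scope, OU and group names, which you would replace with your own. It must be run by an account that already holds the Role Management rights needed to create roles and assignments.

```powershell
# Added example (not from the original post). Walks the custom-role
# procedure with Exchange 2010 RTM parameter names; the Beta names in the
# post differ. Names below are the post's samples, not real objects.

# Step 1: derive the new role from an existing parent role.
New-ManagementRole -Name "eDiscovery-Sales" -Parent "DiscoveryManagement"

# Step 2: trim the role entries. A child role can only lose entries; it can
# never gain a cmdlet its parent lacks, so delegation only narrows rights.
# Here every Remove-* cmdlet inherited from the parent is stripped out.
Get-ManagementRoleEntry "eDiscovery-Sales\*" |
    Where-Object { $_.Name -like "Remove-*" } |
    Remove-ManagementRoleEntry -Confirm:$false

# Step 3: a write scope limited to user mailboxes under the Sales OU.
New-ManagementScope -Name "Sales Mailboxes" `
    -RecipientRestrictionFilter "RecipientType -eq 'UserMailbox'" `
    -RecipientRoot "OU=Sales,DC=contoso,DC=com"

# Step 4: the assignment ties Who (the USG), What (the role) and Where
# (the scope) together in one object, which is what the RBAC section above
# contrasts with scattered AD ACLs.
New-ManagementRoleAssignment -Name "RA-Sales eDiscovery Administrators" `
    -SecurityGroup "USG-Sales eDiscovery Admins" `
    -Role "eDiscovery-Sales" `
    -CustomRecipientWriteScope "Sales Mailboxes"

# Permission reporting: what the role can run, and who effectively holds it
# (-GetEffectiveUsers expands group membership, so nested members show up).
Get-ManagementRoleEntry "eDiscovery-Sales\*" | Select-Object Name
Get-ManagementRoleAssignment -Role "eDiscovery-Sales" -GetEffectiveUsers |
    Format-Table EffectiveUserName, CustomRecipientWriteScope, RoleAssignmentDelegationType -AutoSize
```

The final two commands are the part worth keeping in a runbook: because a role assignment is a single object linking user, role and scope, the report answers "who can run what, and where" directly, instead of having to be reconstructed from the ACLs of every mailbox in the Sales OU.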

Remote PowerShell allows the admin to run commands and cmdlets against remote computers. Exchange 2010 uses Remote PowerShell for all server access, even to the local server. This provides firewall-friendly management access.

[image: accessing Exchange through Remote PowerShell]

The diagram above shows the process of accessing Exchange through Remote PowerShell. A great introduction to Remote PowerShell can be found on the Exchange Labs website: https://technet.microsoft.com/en-us/exchangelabshelp/cc546278.aspx

$UserCredential = Get-Credential

$rs = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri https://<Exchange 2010 servername>/powershell `
    -Credential $UserCredential

Import-PSSession $rs
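What the three commands above hand you is not the full Exchange cmdlet set but only the part RBAC grants the connecting account, and that filtering happens on the server. The following added example (not from the original post) extends the snippet to make that visible: it imports the session, lists the cmdlets that actually came across, probes for one before scripting around it, and closes the session. <Exchange 2010 servername> is the post's own placeholder; Search-Mailbox is only a sample cmdlet to probe for, chosen here because it is one a delegate may well lack.

```powershell
# Added example (not from the original post). Connects over Remote
# PowerShell, imports the RBAC-filtered cmdlet set, reports what was
# granted, and tears the session down.

$UserCredential = Get-Credential
$rs = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri "https://<Exchange 2010 servername>/powershell" `
    -Credential $UserCredential -Authentication Kerberos

# Import-PSSession generates local proxy functions only for the cmdlets the
# server-side RBAC evaluation exposed to this account; nothing else is callable.
$module = Import-PSSession $rs

# The exported command names are the authoritative list of what this
# delegate may run; the client cannot widen it.
$allowed = $module.ExportedCommands.Keys | Sort-Object
"Cmdlets granted to this account: $($allowed.Count)"
$allowed

# Probe for a specific cmdlet (sample name) before building a script on it;
# a missing proxy means a missing role entry, not a connection problem.
if ($allowed -contains "Search-Mailbox") {
    "Search-Mailbox is available to this account."
} else {
    "Search-Mailbox is not among this account's role entries."
}

# Close the session when done; an idle session still holds a server-side runspace.
Remove-PSSession $rs
```

Run this once per delegated account when you set up a new role assignment: the printed list is a quick, client-side confirmation that the role entries you trimmed in the custom-role procedure really are absent from what the delegate can import.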

One of my colleagues, Jonny Chambers, has done a few blogs on how to navigate through Remote Powershell for some common operations within Outlook Live:

https://liveatedu.spaces.live.com/default.aspx?wa=wsignin1.0&sa=502925703