Role-Based Permissions
There are two types of roles, administrative roles and end-user roles:
Administrative roles
Assigned through role groups that manage a part of the Exchange organization, such as recipients, servers, or databases. They are intended for administrators and specialist users.

End-user roles
Assigned through role assignment policies that let users manage aspects of their own mailbox and the distribution groups they own. End-user role names begin with the prefix My.
Administrative Roles
Create a new role 'Kaiming Help Desk' that inherits all the permissions of the built-in 'Mail Recipients' role.
New-ManagementRole -Name 'Kaiming Help Desk' -Parent 'Mail Recipients'
The 'Mail Recipients' role includes many permissions. The 'Kaiming Help Desk' role should keep only the Get-Mailbox cmdlet, so remove every other role entry.
Get-ManagementRoleEntry -Identity "Kaiming Help Desk\*" | Where-Object {$_.Name -ne 'Get-Mailbox'} | Remove-ManagementRoleEntry -Confirm:$false
Add cmdlets to the "Kaiming Help Desk" role, restricting Set-Mailbox and Set-User to the listed parameters:
Add-ManagementRoleEntry "Kaiming Help Desk\Set-Mailbox" -Parameters Identity,DisplayName,SimpleDisplayName
Add-ManagementRoleEntry "Kaiming Help Desk\Get-User"
Add-ManagementRoleEntry "Kaiming Help Desk\Set-User" -Parameters Identity,FirstName,LastName,Initials,Office,Phone,MobilePhone,Department,Manager
Get-ManagementRoleEntry "Kaiming Help Desk\*"
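The procedure above, as an added example that is not part of the original page: it builds the derived help-desk role from an explicit allow-list of cmdlets and parameters, removes everything else inherited from 'Mail Recipients', and verifies the result. The allow-list hashtable, the variable names and the idempotency checks are assumptions; the role and cmdlet names are the page's own. Run it in the Exchange Management Shell.

```powershell
# Added example: build a least-privilege help-desk role from 'Mail Recipients'.
# The allow-list below is an assumption for illustration.
$RoleName   = 'Kaiming Help Desk'
$ParentRole = 'Mail Recipients'

# cmdlet -> parameters members may use. An empty list means "all parameters
# the parent role exposes for this cmdlet".
$Allowed = @{
    'Get-Mailbox' = @()
    'Get-User'    = @()
    'Set-Mailbox' = @('Identity','DisplayName','SimpleDisplayName')
    'Set-User'    = @('Identity','FirstName','LastName','Initials','Office',
                      'Phone','MobilePhone','Department','Manager')
}

# 1. A derived role starts with every role entry of its parent.
if (-not (Get-ManagementRole $RoleName -ErrorAction SilentlyContinue)) {
    New-ManagementRole -Name $RoleName -Parent $ParentRole | Out-Null
}

# 2. Strip every entry that is not on the allow-list.
Get-ManagementRoleEntry -Identity "$RoleName\*" |
    Where-Object { -not $Allowed.ContainsKey($_.Name) } |
    Remove-ManagementRoleEntry -Confirm:$false

# 3. Add back (or trim) the allowed cmdlets with only the allowed parameters.
#    Set-ManagementRoleEntry -Parameters without -AddParameter/-RemoveParameter
#    replaces the entry's parameter list.
foreach ($cmdlet in $Allowed.Keys) {
    $entry  = "$RoleName\$cmdlet"
    $exists = Get-ManagementRoleEntry -Identity $entry -ErrorAction SilentlyContinue
    if ($Allowed[$cmdlet].Count -gt 0) {
        if ($exists) {
            Set-ManagementRoleEntry -Identity $entry -Parameters $Allowed[$cmdlet]
        } else {
            Add-ManagementRoleEntry -Identity $entry -Parameters $Allowed[$cmdlet]
        }
    } elseif (-not $exists) {
        Add-ManagementRoleEntry -Identity $entry
    }
}

# 4. Verify. A child role can never expose a cmdlet or parameter its parent
#    lacks (Exchange rejects the Add/Set), so this list is the upper bound of
#    what any member of a group holding the role can do.
Get-ManagementRoleEntry -Identity "$RoleName\*" |
    Sort-Object Name |
    Format-Table Name, @{ n = 'Parameters'; e = { $_.Parameters -join ',' } } -AutoSize
```

Because step 2 keeps Get-Mailbox (it is on the allow-list), the role is never left without entries, and re-running the script converges on the same four entries rather than adding duplicates.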

Define a custom scope
Create the Test scope. Only mailboxes located within the Test OU in the Lab.com domain match the recipient restriction filter.
New-ManagementScope -Name "Test OU" -RecipientRestrictionFilter {RecipientType -eq "UserMailbox"} -RecipientRoot "Lab.com/Test"
Create the Calgary scope. Only mailboxes located within the Calgary OU in the Lab.com domain match the recipient restriction filter.
New-ManagementScope -Name "Calgary OU" -RecipientRestrictionFilter {RecipientType -eq "UserMailbox"} -RecipientRoot "Lab.com/Calgary OU"
Create a scope based on membership of ExecutiveGroup.
New-ManagementScope -Name "Executives" -RecipientRestrictionFilter {MemberOfGroup -eq "CN=ExecutiveGroup,OU=Test,DC=LAB,DC=COM"}
Create a role group
New-RoleGroup "Kaiming Group2"
Create a management role assignment with an OU scope
New-ManagementRoleAssignment -SecurityGroup "Kaiming Group2" -Role "Kaiming Help Desk" -CustomRecipientWriteScope "Calgary OU"

To modify the scope of the management role assignment:
Set-ManagementRoleAssignment -Identity "Kaiming Help Desk-Kaiming Group2" -CustomRecipientWriteScope "Test OU"
The New-RoleGroup cmdlet can combine the security group creation, its membership assignment, and the management scope assignment in one step:
New-RoleGroup "Kaiming Group" -Roles "Kaiming Help Desk" -Members "RKing@Lab.com" -CustomRecipientWriteScope "Test OU"
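Before (or after) attaching a scope to a role assignment, it is worth previewing which recipients the scope actually matches, because a filter or root that is broader than intended over-grants the moment it is assigned. The following is an added example, not code from the original page: it resolves each scope's filter and root and runs them through Get-Recipient. The function name is an assumption; the scope names are the ones created above.

```powershell
# Added example: preview the recipients a management scope matches.
function Test-ManagementScopeMembers {
    param(
        [Parameter(Mandatory)][string]$ScopeName,
        [int]$ResultSize = 50
    )
    $scope = Get-ManagementScope -Identity $ScopeName

    # A recipient scope stores an OPATH filter string and, optionally, an OU root.
    $params = @{ Filter = $scope.RecipientFilter; ResultSize = $ResultSize }
    if ($scope.RecipientRoot) { $params['OrganizationalUnit'] = $scope.RecipientRoot }

    Get-Recipient @params |
        Select-Object @{ n = 'Scope'; e = { $scope.Name } },
                      Name, RecipientType, OrganizationalUnit
}

# Compare the three scopes side by side. Anything unexpected in this list
# (a wrong OU, a service account, a shared mailbox) should be fixed in the
# scope before the assignment is created.
'Test OU', 'Calgary OU', 'Executives' |
    ForEach-Object { Test-ManagementScopeMembers -ScopeName $_ } |
    Format-Table -AutoSize
```

The preview uses the same filter text Exchange stores on the scope object, so what it lists is what a role assignment bound to that scope can write to; raise ResultSize if a scope is expected to cover more than 50 recipients.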
Get-ManagementRoleAssignment "Kaiming *" | fl RoleAssigneeName,*Scope*,*role*

RoleAssigneeName             : Kaiming Group
CustomRecipientWriteScope    : Calgary OU
CustomConfigWriteScope       :
RecipientReadScope           : Organization
ConfigReadScope              : OrganizationConfig
RecipientWriteScope          : CustomRecipientScope
ConfigWriteScope             : OrganizationConfig
RoleAssigneeType             : RoleGroup
RoleAssignee                 : lab.com/Microsoft Exchange Security Groups/Kaiming Group
Role                         : Kaiming Help Desk
RoleAssignmentDelegationType : Regular
RoleAssigneeName             : Kaiming Group

RoleAssigneeName             : Kaiming Group2
CustomRecipientWriteScope    : Test OU
CustomConfigWriteScope       :
RecipientReadScope           : Organization
ConfigReadScope              : OrganizationConfig
RecipientWriteScope          : CustomRecipientScope
ConfigWriteScope             : OrganizationConfig
RoleAssigneeType             : RoleGroup
RoleAssignee                 : lab.com/Microsoft Exchange Security Groups/Kaiming Group2
Role                         : Kaiming Help Desk
RoleAssignmentDelegationType : Regular
RoleAssigneeName             : Kaiming Group2
Create a role group "Help Desk Level 2" with three roles assigned (Message Tracking, Mail Recipients, Move Mailboxes):
New-RoleGroup "Help Desk Level 2" -Roles "Message Tracking","Mail Recipients","Move Mailboxes" -Members "RKing@lab.com",'JSmith@lab.com' -ManagedBy 'Administrator@lab.com' -Description "Level 2 Tech Support"
This single cmdlet creates three role assignments: Message Tracking-Help Desk Level 2, Mail Recipients-Help Desk Level 2, and Move Mailboxes-Help Desk Level 2.
Get-ManagementRoleAssignment "*-Help Desk Level 2" | fl Name,Role,RoleAssigneeName,EffectiveUserName

Name              : Message Tracking-Help Desk Level 2
Role              : Message Tracking
RoleAssigneeName  : Help Desk Level 2
EffectiveUserName : All Group Members

Name              : Mail Recipients-Help Desk Level 2
Role              : Mail Recipients
RoleAssigneeName  : Help Desk Level 2
EffectiveUserName : All Group Members

Name              : Move Mailboxes-Help Desk Level 2
Role              : Move Mailboxes
RoleAssigneeName  : Help Desk Level 2
EffectiveUserName : All Group Members
Naming convention
Role assignment name: Role Name-Role Group
Role entry name: Role Name\cmdlet
Get-ManagementRoleEntry "*\Remove-Mailbox" | fl Name,Role
Name : Remove-Mailbox
Role : Mail Recipient Creation
Get-ManagementRoleEntry "Move Mailboxes\*"
Get-ManagementRoleEntry "*\Set-Mailbox" | ft Role

Role
----
Audit Logs
Disaster Recovery
Legal Hold
Mail Recipients
Retention Management
UM Mailboxes
User Options
MyBaseOptions
MyProfileInformation
MyDisplayName
Custom
Helpdesk-Mail Recipients
Kaiming Help Desk
Get-ManagementRole -Cmdlet Set-User -CmdletParameters MobilePhone | Get-ManagementRoleAssignment -GetEffectiveUsers -Delegating $false | FT Role,RoleAssigneeName,EffectiveUserName

Open EMS as Rudy King
Set-User "Rob Newman" -MobilePhone "888-999-0000"
Get-User "Rob Newman" | fl Name, MobilePhone
Name        : Rob Newman
MobilePhone : 888-999-0000
Rudy King can modify his own MobilePhone attribute as well as other users', because Rudy King is a member of the Help Desk Level 2 role group, which holds a role containing the Set-User cmdlet.
Open EMS as Rob Newman

User "Rob Newman" does not have permission to modify other users' MobilePhone attribute. The "All Group Members" entry means that, by default, all users can modify their own MobilePhone attribute but not others'.
Who can use Set-User cmdlet to update others' Mobile Phone Number?
Get-ManagementRole -Cmdlet Set-User -CmdletParameters MobilePhone | Get-ManagementRoleAssignment -GetEffectiveUsers -Delegating $false | Where-Object {$_.EffectiveUserName -ne "All Group Members"} | FT Role,RoleAssigneeName,EffectiveUserName

Get-ManagementRole -Cmdlet Set-User -CmdletParameters MobilePhone | Get-ManagementRoleAssignment -GetEffectiveUsers -Delegating $true | Where-Object {$_.EffectiveUserName -ne "All Group Members"} | FT Role,RoleAssigneeName,EffectiveUserName

When the -Delegating parameter is set to $true, the effective users listed are those who can delegate the permission to other users.
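The two queries above differ only in the -Delegating value; a reviewer usually wants both answers in one report. The following is an added example (not code from the original page) that wraps the page's Get-ManagementRole | Get-ManagementRoleAssignment pipeline into a reusable function, drops the self-service "All Group Members" entries, and tags each row with whether the holder can execute the cmdlet or only delegate it. The function name and output shape are assumptions.

```powershell
# Added example: who can run <cmdlet> with <parameters> against other users,
# and who can delegate that right. Wraps the pipeline shown on the page.
function Get-CmdletEffectiveUsers {
    param(
        [Parameter(Mandatory)][string]$Cmdlet,
        [string[]]$Parameters
    )

    # Roles whose entries expose the cmdlet (and, if given, the parameters).
    $roles = if ($Parameters) {
        Get-ManagementRole -Cmdlet $Cmdlet -CmdletParameters $Parameters
    } else {
        Get-ManagementRole -Cmdlet $Cmdlet
    }

    # 'All Group Members' comes from end-user assignment policies and means
    # "each user on their own object"; it is not access to other people's data.
    foreach ($delegating in $false, $true) {
        $roles |
            Get-ManagementRoleAssignment -GetEffectiveUsers -Delegating $delegating |
            Where-Object { $_.EffectiveUserName -ne 'All Group Members' } |
            ForEach-Object {
                [pscustomobject]@{
                    EffectiveUserName   = $_.EffectiveUserName
                    Role                = $_.Role
                    RoleAssigneeName    = $_.RoleAssigneeName
                    RecipientWriteScope = $_.RecipientWriteScope
                    Delegating          = $delegating
                }
            }
    }
}

# Who can change other people's mobile number, and who can hand that right out?
Get-CmdletEffectiveUsers -Cmdlet Set-User -Parameters MobilePhone |
    Sort-Object Delegating, EffectiveUserName |
    Format-Table -AutoSize
```

Rows with Delegating = True are not people who can run Set-User; they are people who can create new assignments of that role, which is the more sensitive finding when reviewing who controls access.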
Understanding scope
Even though the New-RoleGroup cmdlet accepts a scope, the scope is actually applied through the New-ManagementRoleAssignment cmdlet.
New-RoleGroup "Help Desk Level 3" -RecipientOrganizationalUnitScope "Lab.com/Calgary OU" -Roles "Mail Recipients","Message Tracking"
Two management role assignments are created: "Mail Recipients-Help Desk Level 3" and "Message Tracking-Help Desk Level 3".
To change the RecipientOrganizationalUnitScope, you have to use the Set-ManagementRoleAssignment cmdlet. The Set-RoleGroup cmdlet cannot modify the scope.
Set-ManagementRoleAssignment "Mail Recipients-Help Desk Level 3" -RecipientOrganizationalUnitScope "Lab.com/test"
A member of the Help Desk Level 3 group can now manage recipients in the Lab.com/test organizational unit and perform the "Message Tracking" task in the Lab.com/Calgary OU organizational unit.
After a management scope is created, you can reuse it through the CustomRecipientWriteScope parameter:
New-ManagementScope -Name "Test OU" -RecipientRestrictionFilter {RecipientType -eq "UserMailbox"} -RecipientRoot "Lab.com/Test"
New-ManagementScope -Name "Calgary OU" -RecipientRestrictionFilter {RecipientType -eq "UserMailbox"} -RecipientRoot "Lab.com/Calgary OU"
New-ManagementScope -Name "Executives" -RecipientRestrictionFilter {MemberOfGroup -eq "CN=ExecutiveGroup,OU=Test,DC=LAB,DC=COM"}
Set-ManagementRoleAssignment "Mail Recipients-Help Desk Level 3" -CustomRecipientWriteScope "Calgary OU"
Set-ManagementRoleAssignment "Mail Recipients-Help Desk Level 3" -CustomRecipientWriteScope "Executives"
New-ManagementScope "TelusDatabase" -DatabaseList TelusDatabase
WARNING: Database management scopes will only be applied when a user connects to a server running at least Exchange 2010 SP1. Servers running Exchange 2010 RTM won't apply any roles from a role assignment linked to a database scope. Database management scopes also won't be visible to the Get-ManagementScope cmdlet when it's run from an Exchange 2010 RTM server.
Special Roles
Members of the Organization Management role group do not have the following roles assigned by default, but they can delegate these roles to themselves to gain the cmdlets.
ApplicationImpersonation
Mailbox Import Export
Mailbox Search
Support Diagnostics
Unscoped Role Management
To gain the cmdlets of the "Mailbox Import Export" role, the administrator can assign the role to themselves.
New-ManagementRoleAssignment -Role "Mailbox Import Export" -User 'Administrator@lab.com'
Get-ManagementRoleAssignment "Mailbox Import Export*" | ft Name

Name
----
Mailbox Import Export-Administrator
Mailbox Import Export-Organization Management-Delegating

The New-MailboxImportRequest and New-MailboxExportRequest cmdlets are now available.
Remove-ManagementRoleAssignment "Mailbox Import Export-Administrator"
It is better to assign the role to a security group.
New-ManagementRoleAssignment -Role "Mailbox Import Export" -SecurityGroup "Organization Management"
Get-ManagementRoleAssignment "Mailbox Import Export*" | ft Name

Name
----
Mailbox Import Export-Organization Management
Mailbox Import Export-Organization Management-Delegating

The Mailbox Import Export-Organization Management-Delegating assignment can delegate permissions but does not itself grant the cmdlets.
Unscoped Roles
Assign the special role "Unscoped Role Management" to the Organization Management group.
New-ManagementRoleAssignment -Role "Unscoped Role Management" -SecurityGroup "Organization Management"
Close EMS and reopen EMS.

Assume you create a script MyDel.ps1 that contains non-Exchange cmdlets. Pay attention: these are NON-EXCHANGE cmdlets.

Save the MyDel.ps1 script to the C:\Program Files\Microsoft\Exchange Server\V14\RemoteScripts directory.
New-ManagementRole -Name 'MyScript' -UnScopedTopLevel
Add-ManagementRoleEntry 'MyScript\MyDel.ps1' -Type Script -UnScopedTopLevel
Get-RoleGroup | Where-Object {$_.Members -eq "Scott Culp"}
Get-ManagementRoleAssignment | Where-Object {$_.Name -like "*-Scott Culp"}
New-ManagementRoleAssignment -Role "MyScript" -User "Scott Culp"
Get-ManagementRoleAssignment | Where-Object {$_.Name -like "*-Scott Culp"}
Once Scott Culp can run the MyDel.ps1 script, c:\ex.ldf and c:\mailbox.html are deleted.
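The five special roles above and any unscoped top-level role are the assignments that matter most in a permissions review, because they reach beyond the normal RBAC boundary (impersonation, mailbox export, arbitrary scripts). The following is an added example, not code from the original page, covering both the Special Roles and the Unscoped Roles sections: it reports every effective holder of those roles, separates executable from delegating assignments, and lists what each unscoped role actually exposes. The role list is taken from the page; the function names are assumptions.

```powershell
# Added example: audit holders of the high-privilege and unscoped roles.
$PrivilegedRoles = @(
    'ApplicationImpersonation',
    'Mailbox Import Export',
    'Mailbox Search',
    'Support Diagnostics',
    'Unscoped Role Management'
)

function Get-PrivilegedRoleHolders {
    param([string[]]$Roles = $PrivilegedRoles)

    # Unscoped top-level roles (RoleType UnScoped) can carry arbitrary scripts
    # and non-Exchange cmdlets, so they are audited alongside the fixed list.
    $unscoped = Get-ManagementRole -RoleType UnScoped | Select-Object -ExpandProperty Name
    $allRoles = @(($Roles + $unscoped) | Sort-Object -Unique)

    foreach ($role in $allRoles) {
        foreach ($delegating in $false, $true) {
            Get-ManagementRoleAssignment -Role $role -GetEffectiveUsers `
                                         -Delegating $delegating -ErrorAction SilentlyContinue |
                ForEach-Object {
                    [pscustomobject]@{
                        Role              = $role
                        EffectiveUserName = $_.EffectiveUserName
                        RoleAssigneeName  = $_.RoleAssigneeName
                        Assignment        = $_.Name
                        Delegating        = $delegating
                    }
                }
        }
    }
}

# What each unscoped role grants: Type is Cmdlet or Script per role entry.
function Get-UnscopedRoleEntries {
    Get-ManagementRole -RoleType UnScoped |
        ForEach-Object { Get-ManagementRoleEntry -Identity "$($_.Name)\*" } |
        Select-Object Role, Name, Type
}

Get-PrivilegedRoleHolders |
    Sort-Object Role, Delegating, EffectiveUserName |
    Format-Table -AutoSize
Get-UnscopedRoleEntries | Format-Table -AutoSize
```

In the walkthrough above, the second function would show the MyScript role exposing a single Script entry (MyDel.ps1), and the first would show Scott Culp as its effective user; a direct -User assignment like that is exactly the kind of row this report exists to surface, since it bypasses role-group membership reviews.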
Who has write permission on recipient "John Smith"?
Get-ManagementRoleAssignment -WritableRecipient "John Smith" -GetEffectiveUsers | Where-Object {$_.EffectiveUserName -ne 'All Group Members'} | FT EffectiveUserName > user.txt
Get-Content .\user.txt | Sort-Object | Get-Unique
-----------------
Administrator
EffectiveUserName
Jim Patterson
John Smith
Rudy King
Who has write permission on a server object?
Get-ManagementRoleAssignment -WritableServer "Ex1" -GetEffectiveUsers
Who has write permission on a database?
Get-ManagementRoleAssignment -WritableDatabase "vanarts"
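The Sort-Object | Get-Unique step above works but keeps the table header and separator line in the result. The following is an added example (not code from the original page) that serves both the "Understanding scope" walkthrough and the "who has write permission" questions: one function answers the question for a recipient, server or database with a deduplicated user list, and a short check confirms that the Help Desk Level 3 scope change from the Calgary OU to the Test OU took effect. Function names and the two sample users' OU locations are assumptions.

```powershell
# Added example: who can write to a given recipient, server or database.
function Get-WritableBy {
    param(
        [Parameter(Mandatory)][ValidateSet('Recipient','Server','Database')][string]$Kind,
        [Parameter(Mandatory)][string]$Identity
    )
    $query = @{ GetEffectiveUsers = $true }
    switch ($Kind) {
        'Recipient' { $query['WritableRecipient'] = $Identity }
        'Server'    { $query['WritableServer']    = $Identity }
        'Database'  { $query['WritableDatabase']  = $Identity }
    }
    Get-ManagementRoleAssignment @query |
        Where-Object { $_.EffectiveUserName -ne 'All Group Members' } |
        Select-Object EffectiveUserName, RoleAssigneeName, Role,
                      RecipientWriteScope, CustomRecipientWriteScope
}

# Distinct people rather than assignments; no header or separator rows.
function Get-WritableByUsers {
    param(
        [Parameter(Mandatory)][string]$Kind,
        [Parameter(Mandatory)][string]$Identity
    )
    Get-WritableBy -Kind $Kind -Identity $Identity |
        Select-Object -ExpandProperty EffectiveUserName |
        Sort-Object -Unique
}

# Scope check. After Set-ManagementRoleAssignment moved the Mail Recipients
# assignment of Help Desk Level 3 to Lab.com/test, a user in that OU should
# be writable by the group and a Calgary OU user should not.
$testUser    = 'John Smith'   # assumption: lives in Lab.com/Test
$calgaryUser = 'Rob Newman'   # assumption: lives in Lab.com/Calgary OU
foreach ($u in $testUser, $calgaryUser) {
    $hits = Get-WritableBy -Kind Recipient -Identity $u |
        Where-Object { $_.RoleAssigneeName -eq 'Help Desk Level 3' }
    '{0}: writable by Help Desk Level 3 = {1}' -f $u, [bool]$hits
}

Get-WritableByUsers -Kind Recipient -Identity 'John Smith'
Get-WritableByUsers -Kind Server   -Identity 'Ex1'
Get-WritableByUsers -Kind Database -Identity 'vanarts'
```

Running the scope check before and after a Set-ManagementRoleAssignment call is the quickest way to prove that a scope narrowed what you intended and nothing else, since -WritableRecipient evaluates the assignment's effective write scope rather than the role group's declared one.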
Assignment Policies
Each mailbox has only one management role assignment policy assigned.
Get-Mailbox "Scott Culp" | fl Role*
RoleAssignmentPolicy : Default Role Assignment Policy
What roles are assigned to "Default Role Assignment Policy"?
Get-ManagementRoleAssignment -RoleAssignee "Default Role Assignment Policy" | FL Name,Role

Name : MyBaseOptions-Default Role Assignment Policy
Role : MyBaseOptions

Name : MyContactInformation-Default Role Assignment Policy
Role : MyContactInformation

Name : MyVoiceMail-Default Role Assignment Policy
Role : MyVoiceMail

Name : MyTextMessaging-Default Role Assignment Policy
Role : MyTextMessaging

Name : MyDistributionGroupMembership-Default Role Assignment Policy
Role : MyDistributionGroupMembership

New-RoleAssignmentPolicy -Name "Kaiming Policy"

You cannot assign the "Mail Recipients" role to an end-user policy.
How do you create a custom end-user management role?
You must create it from a built-in end-user role.
New-ManagementRole -Name "KaimingDistributionGroup" -Parent MyDistributionGroups
New-ManagementRoleAssignment -Role "KaimingDistributionGroup" -Policy "Kaiming Policy"
New-ManagementRoleAssignment -Role "MyBaseOptions" -Policy "Kaiming Policy"
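The end-user steps above, as an added example that is not code from the original page: it creates the policy and the derived role idempotently, trims the derived role so users can manage membership of groups they own but cannot create or delete groups, attaches the role and MyBaseOptions to the policy, applies the policy to a mailbox, and verifies. Role and policy names follow the page; the parameter trim and the choice of mailbox are assumptions.

```powershell
# Added example: custom end-user role + role assignment policy, end to end.
$PolicyName = 'Kaiming Policy'
$RoleName   = 'KaimingDistributionGroup'

if (-not (Get-RoleAssignmentPolicy $PolicyName -ErrorAction SilentlyContinue)) {
    New-RoleAssignmentPolicy -Name $PolicyName | Out-Null
}

# End-user roles must derive from a built-in My* role; an administrative role
# such as 'Mail Recipients' is rejected when assigned to a policy.
if (-not (Get-ManagementRole $RoleName -ErrorAction SilentlyContinue)) {
    New-ManagementRole -Name $RoleName -Parent MyDistributionGroups | Out-Null
}

# Least privilege for the derived role (assumption): keep membership
# management, drop group creation and deletion.
'New-DistributionGroup', 'Remove-DistributionGroup' | ForEach-Object {
    Get-ManagementRoleEntry -Identity "$RoleName\$_" -ErrorAction SilentlyContinue |
        Remove-ManagementRoleEntry -Confirm:$false
}

# Attach the roles to the policy only if not already assigned.
foreach ($r in $RoleName, 'MyBaseOptions') {
    $existing = Get-ManagementRoleAssignment -RoleAssignee $PolicyName -Role $r `
                                             -ErrorAction SilentlyContinue
    if (-not $existing) {
        New-ManagementRoleAssignment -Role $r -Policy $PolicyName | Out-Null
    }
}

# A mailbox holds exactly one policy, so this replaces the default policy.
Set-Mailbox -Identity 'Scott Culp' -RoleAssignmentPolicy $PolicyName

# Verify: the mailbox's policy and the roles that policy grants.
Get-Mailbox 'Scott Culp' | Format-List Name, RoleAssignmentPolicy
Get-ManagementRoleAssignment -RoleAssignee $PolicyName |
    Format-Table Name, Role -AutoSize
Get-ManagementRoleEntry -Identity "$RoleName\*" |
    Format-Table Name, @{ n = 'Parameters'; e = { $_.Parameters -join ',' } } -AutoSize
```

Because the policy replaces the default one, any My* role the default policy granted but "Kaiming Policy" does not (MyContactInformation, MyVoiceMail, MyTextMessaging, MyDistributionGroupMembership in the listing above) disappears from that user's ECP options; the final Get-ManagementRoleAssignment call is where to confirm that the reduction is intentional.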
Controlling role assignment
Users' permissions are cumulative; no role assignment takes priority over another.
The easiest way to control administrative roles and end-user roles is through the ECP, for example:
https://ex1.lab.com/ecp