The Remove-Mailbox cmdlet deletes not only the mailbox but also the user account in Active Directory. How can this be prevented through Exchange RBAC?
Which default role defines the Remove-Mailbox cmdlet?
Get-ManagementRoleEntry "*\Remove-Mailbox" | ft Role
Role
----
Mail Recipient Creation
Only the "Mail Recipient Creation" role defines the Remove-Mailbox cmdlet.
Who is assigned the "Mail Recipient Creation" role?
Get-ManagementRoleAssignment -Role "Mail Recipient Creation" -Delegating $false | FL Name,RoleAssigneeName,EffectiveUserName
Name : Mail Recipient Creation-Organization Management
RoleAssigneeName : Organization Management
EffectiveUserName : All Group Members
Name : Mail Recipient Creation-Recipient Management
RoleAssigneeName : Recipient Management
EffectiveUserName : All Group Members
By default, the "Organization Management" and "Recipient Management" role groups are assigned the "Mail Recipient Creation" role. Organization Management also holds a delegating assignment, which allows it to assign the role to others:
Get-ManagementRoleAssignment -Role "Mail Recipient Creation" -Delegating $true | FL Name,RoleAssigneeName,EffectiveUserName
Name : Mail Recipient Creation-Organization Management-Delegating
RoleAssigneeName : Organization Management
EffectiveUserName : All Group Members
Get-RoleGroup "Organization Management" | fl Name,Members
Name : Organization Management
Members : {lab.com/Users/Administrator}
Get-RoleGroup "Recipient Management" | fl Name,Members
Name : Recipient Management
Members : {}
Add-RoleGroupMember -Identity "Organization Management" -Member Jim.Patterson@lab.com
Get-RoleGroup "Organization Management" | fl Name,Members
Name : Organization Management
Members : {lab.com/test/Jim Patterson, lab.com/Users/Administrator}
The following pipeline removes all non-delegating "Mail Recipient Creation" role assignments; only the delegating assignment remains afterwards.
Get-ManagementRoleAssignment -Role "Mail Recipient Creation" -Delegating $false | Remove-ManagementRoleAssignment
Get-ManagementRoleAssignment -Role "Mail Recipient Creation" | fl Name,RoleAssigneeName
Name : Mail Recipient Creation-Organization Management-Delegating
RoleAssigneeName : Organization Management
Only the Organization Management security group still holds the "Mail Recipient Creation" role, and only as a delegating assignment: its members can assign the role to others, but a delegating assignment by itself does not let them run Remove-Mailbox.
So the Administrator (a member of Organization Management) cannot run the Remove-Mailbox cmdlet. But because the Administrator holds the delegating assignment, it can grant the role back to its own group.
The following cmdlet re-enables members of the Organization Management group to use the Remove-Mailbox cmdlet.
New-ManagementRoleAssignment -Role "Mail Recipient Creation" -SecurityGroup "Organization Management"
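Added example, not part of the original page: rather than stripping the whole "Mail Recipient Creation" role, a least-privilege alternative keeps the creation cmdlets for Recipient Management while removing only Remove-Mailbox, and an audit function reports who can still effectively run any given cmdlet. It assumes an Exchange Management Shell session; the function names and the role name "Mail Recipient Creation - No Remove" are invented for this example.

```powershell
# Added example, not from the original page. Assumes an Exchange Management Shell session.
# Function names and the custom role name below are assumptions for this illustration.

# Return every user who can effectively run $Cmdlet through a non-delegating assignment
# (generalizes the page's Get-ManagementRoleEntry / Get-ManagementRoleAssignment queries).
function Get-CmdletEffectiveUsers {
    param([Parameter(Mandatory)][string]$Cmdlet)
    Get-ManagementRoleEntry "*\$Cmdlet" |
        ForEach-Object {
            Get-ManagementRoleAssignment -Role $_.Role -Delegating $false -GetEffectiveUsers
        } |
        Select-Object Role, RoleAssigneeName, EffectiveUserName
}

# Create a child role copied from "Mail Recipient Creation" without Remove-Mailbox,
# then move a role group from the parent role onto the restricted copy.
function New-RestrictedRecipientCreationRole {
    param(
        [string]$Name      = "Mail Recipient Creation - No Remove",  # assumed role name
        [string]$RoleGroup = "Recipient Management"
    )
    if (-not (Get-ManagementRole $Name -ErrorAction SilentlyContinue)) {
        # Child roles can be edited; built-in roles cannot.
        New-ManagementRole -Name $Name -Parent "Mail Recipient Creation" | Out-Null
    }
    Get-ManagementRoleEntry "$Name\Remove-Mailbox" -ErrorAction SilentlyContinue |
        Remove-ManagementRoleEntry -Confirm:$false

    # Drop the group's assignment to the broad parent role, then assign the restricted copy.
    Get-ManagementRoleAssignment -Role "Mail Recipient Creation" -RoleAssignee $RoleGroup -Delegating $false |
        Remove-ManagementRoleAssignment -Confirm:$false
    New-ManagementRoleAssignment -Role $Name -SecurityGroup $RoleGroup
}

# Apply the change and verify it: the restricted role must not list Remove-Mailbox,
# and the audit should show only members of groups still holding the parent role.
New-RestrictedRecipientCreationRole
Get-ManagementRoleEntry "Mail Recipient Creation - No Remove\Remove-Mailbox" -ErrorAction SilentlyContinue
Get-CmdletEffectiveUsers -Cmdlet "Remove-Mailbox" | Format-Table -AutoSize
```

Re-run Get-CmdletEffectiveUsers periodically (or after any role-group membership change) to confirm the set of users who can delete mailboxes has not silently grown.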