Tuesday, December 8, 2009
Granting Granular Administrative Permissions in Exchange 2010
By ESE Contributing Author Hans Willi Kremer
Exchange 2010 provides a role-based administration architecture, so permissions can be granted at a very granular level. Built-in role groups are available, but a question that might arise in your organization is: how can I grant permissions to a Help Desk colleague so that s/he is only able to modify the SMTP address of a user? What tasks must I perform in Exchange 2010 to accomplish this? To answer these questions, I would like to share the example below, which demonstrates a very specific requirement and its solution. The example is based on Exchange 2010 RC with a help-desk user called Garry.

1. Create a new management role, which is derived from the role "Mail Recipients":
    New-ManagementRole -Parent "Mail Recipients" -Name "MgmtRole SMTP Modifcation"
The object is stored in "/Configuration/Schema/ms-Exch-Role".
Note: remove the role
    Remove-ManagementRole "MgmtRole SMTP Modifcation" -Confirm:$False

2. Check which cmdlets are allowed in this role:
    Get-ManagementRoleEntry "MgmtRole SMTP Modifcation\*" | Format-List

3. Remove all role entries from this role except "Set-Mailbox":
    Get-ManagementRoleEntry "MgmtRole SMTP Modifcation\*" | Where-Object {$_.Identity -ne "MgmtRole SMTP Modifcation\Set-Mailbox"} | Remove-ManagementRoleEntry -Confirm:$False

4. Check that all cmdlets in this role have been removed except "Set-Mailbox"; additionally check the parameters:
    Get-ManagementRoleEntry "MgmtRole SMTP Modifcation\*" | Format-List

5. Remove all parameters:
    Set-ManagementRoleEntry "MgmtRole SMTP Modifcation\Set-Mailbox" -Parameters $Null

6. Check which parameters of the cmdlet "Set-Mailbox" are allowed in this role:
    (Get-ManagementRoleEntry "MgmtRole SMTP Modifcation\Set-Mailbox").Parameters

7. Add the parameters that members of the role group may use when they execute the cmdlet Set-Mailbox:
    Set-ManagementRoleEntry "MgmtRole SMTP Modifcation\Set-Mailbox" -Parameters Identity, PrimarySMTPAddress, EmailAddresses -AddParameter
Note: remove a parameter
    Set-ManagementRoleEntry "MgmtRole SMTP Modifcation\Set-Mailbox" -Parameters Identity -RemoveParameter

8. Check that only the granted parameters of the cmdlet can be used:
    (Get-ManagementRoleEntry "MgmtRole SMTP Modifcation\Set-Mailbox").Parameters

9. Create a new role group and link it with roles and members:
    New-RoleGroup -Name "MgmtRoleGroup SMTP Modifcation" -Roles "MgmtRole SMTP Modifcation" -Members Garry
Note: remove a role group
    Remove-RoleGroup -Name "MgmtRoleGroup SMTP Modifcation"

10. Link a user with a role group:
    Add-RoleGroupMember "View-Only Organization Management" -Member Garry
Note: remove a member from a role group
    Remove-RoleGroupMember "View-Only Organization Management" -Member Garry

11. Note: behind the scenes a link object "MgmtRole SMTP Modifcation-MgmtRoleGroup SMTP Modifcation" has been created to link the role group with the role.
    Get-ManagementRoleAssignment -Role "MgmtRole SMTP Modifcation" | fl Identity
    Remove-ManagementRoleAssignment "MgmtRole SMTP Modifcation-MgmtRoleGroup SMTP Modifcation"

12. Final test: user Garry executes these cmdlets to check whether he can modify some attributes of user be01 in domain xchg10.com.
    Set-Mailbox be01@xchg10.com -alias "bbbb"
expected result: A positional parameter cannot be found that accepts argument '-alias'.
    Set-Mailbox be01@xchg10.com -ForwardingAddress administrator@xchg10.com
expected result: A positional parameter cannot be found that accepts argument . .
    Set-Mailbox be01@xchg10.com -CustomAttribute1 "Text"
expected result: A positional parameter cannot be found that accepts argument . .
    Set-Mailbox be01@xchg10.com -EmailAddresses "SMTP:bbb@xchg10.com"
expected result: this works!
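The steps above build the role by hand and verify it by trying cmdlets as Garry. The script below is an added example, not part of the original post, that turns that verification into a repeatable audit: it walks every role assigned to a role group, lists the cmdlets and parameters those roles expose, and reports anything outside an allow-list. It assumes the Exchange Management Shell is loaded and that the role group "MgmtRoleGroup SMTP Modifcation" from the post exists; the allow-list contents are the three parameters granted in step 7.

```powershell
# Added example (not from the original post): audit what a role group's
# members can actually run and flag any cmdlet or parameter outside an
# allow-list. Assumes the Exchange Management Shell is loaded and that the
# role group created in the post exists (name taken from the post).

$RoleGroupName = "MgmtRoleGroup SMTP Modifcation"

# The only cmdlet, and the only parameters of it, this role group should expose
# (parameter names as granted in step 7 of the post).
$Allowed = @{
    "Set-Mailbox" = @("Identity", "PrimarySMTPAddress", "EmailAddresses")
}

function Get-RoleGroupEffectiveEntries {
    param([string]$RoleGroup)
    # Every management role assigned to the role group, via its role assignments.
    # Assumption: the assignment object's Role property renders as the role name.
    $assignments = Get-ManagementRoleAssignment -RoleAssignee $RoleGroup
    foreach ($a in $assignments) {
        $roleName = "$($a.Role)"
        # All role entries (one per cmdlet) in that role
        Get-ManagementRoleEntry "$roleName\*" | ForEach-Object {
            New-Object PSObject -Property @{
                Role       = $roleName
                Cmdlet     = $_.Name
                Parameters = @($_.Parameters)
            }
        }
    }
}

function Test-RoleGroupAllowList {
    param([string]$RoleGroup, [hashtable]$AllowList)
    $violations = @()
    foreach ($entry in Get-RoleGroupEffectiveEntries -RoleGroup $RoleGroup) {
        # A cmdlet that is not in the allow-list at all is a violation on its own
        if (-not $AllowList.ContainsKey($entry.Cmdlet)) {
            $violations += "cmdlet not allowed: $($entry.Role)\$($entry.Cmdlet)"
            continue
        }
        # Parameter names compare case-insensitively, PowerShell's default for -notcontains
        foreach ($p in $entry.Parameters) {
            if ($AllowList[$entry.Cmdlet] -notcontains $p) {
                $violations += "parameter not allowed: $($entry.Role)\$($entry.Cmdlet) -$p"
            }
        }
    }
    return $violations
}

$result = @(Test-RoleGroupAllowList -RoleGroup $RoleGroupName -AllowList $Allowed)
if ($result.Count -eq 0) {
    Write-Host "OK: '$RoleGroupName' exposes only the allow-listed cmdlet and parameters."
} else {
    Write-Host "Violations found in '$RoleGroupName':"
    $result | ForEach-Object { Write-Host "  $_" }
}
```

Running this after step 9 should report no violations; running it after a colleague has added a second role to the role group, or re-added a parameter such as ForwardingAddress, lists exactly what was widened. The check covers cmdlets and parameters only; management scopes (which recipients the role group may touch) are a separate axis and are not inspected here.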
Labels: Exchange 2010