Archive for April, 2013

RBAC – How to control Management Mailbox access

April 26, 2013 2 comments

We had requirement to enable RBAC permission model where we can assign few selective exchange Administrators to access higher management mailbox (Security Concern :))

To achieve this goal, I am going through to explain you step by step.

1. Create two Distribution Group

  • B7_Supporters – This group consists members those are allowed to access management mailbox
  • B7_User – This group consists management mailboxes

Note : Make sure group type is “security” and Scope is “Universal”


2. Now, I will create a “New-ManagementScope” that includes the group of restricted managment users. Management Scopes are used to define who or what the permission should apply to, this could be OU, Security Groups, Servers or Databases, I will be using here security group above

New-ManagementScope -Name “B7_MGMTScope” -RecipientRestrictionFilter {MemberofGroup -eq “cn=B7_Users, ou=Groups,dc=Contoso,dc=com”} -exclusive

3. Once you have created new Management Scope, Assign an management role for the Exchange administrators those are only allowed to mailboxes, In this example I am going to add Mail Recipients management role, but you can add any “Management Role”. You use role assignment to assign permissions

Note : You can use cmdlet “Get- ManagementRole” and choose you suite to your requirement

New-ManagementRoleAssignment -Name “B7_MGMT_Role” -Role “Mail Recipients” -SecurityGroup ” B7_Supporters ” -ExclusiveRecipientWriteScope “B7_MGMTScope”

Now you are done, Exchange admins those are member of distribution Group “B7_Supporter” would be able to manage mailbox of VIP users, BUT they can only perform operation which is available in Management Role “Mail recipient” (Permission which suite to Service desk folks)

What about, If supporter are trying to move mailboxes or want to perform Import/Export request. Yes, you can create few more Management Role Assignment with other Management Role. In below I would like my exchange admins should be able to move mailboxes too , To do so I will be running below cmdlet.

New-ManagementRoleAssignment -Name “B7_MGMT_Role_MoveMBX” -Role “Move Mailboxes” -SecurityGroup ” B7_Supporters ” -ExclusiveRecipientWriteScope “B7_MGMTScope”

Now perform few test and you are done it !!!!!! 🙂 Enjoy

Categories: Exchange 2010

Cool Exchange Blog sites

I Just came across one link on The Exchange Team Blog, where you can hit all famous blogger site. Lots of them I have already covered in my site Blog role 🙂 !!

Enjoy Reading !!!

Exchange Blogs Sites

A Pictorial view of Voice Routing in Lync Server

Slide taken from TechEd 2012 🙂 !!!


Exchange 2010 SP3 Managment Tools on Windows 8 X64

Exchange 2010 SP3 Management Tools on Windows 8 X64 is allowed. Microsoft is working on to update supportability matrix.

The Next Question comes about prerequisite to install admin tool. Yes, I Just moved without it and got below screen


Need to install IIS component below

  • IIS 6 Managment Compatibility
  • IIS Metabase and IIS 6 Configuration Compatibility


Just start setup from elevated mode and hit install.


You are done now !!

Categories: Exchange 2010