Home > Exchange 2010 > RBAC – How to control Management Mailbox access

RBAC – How to control Management Mailbox access

We had requirement to enable RBAC permission model where we can assign few selective exchange Administrators to access higher management mailbox (Security Concern :))

To achieve this goal, I am going through to explain you step by step.

1. Create two Distribution Group

  • B7_Supporters – This group consists members those are allowed to access management mailbox
  • B7_User – This group consists management mailboxes

Note : Make sure group type is “security” and Scope is “Universal”

1

2. Now, I will create a “New-ManagementScope” that includes the group of restricted managment users. Management Scopes are used to define who or what the permission should apply to, this could be OU, Security Groups, Servers or Databases, I will be using here security group above

New-ManagementScope -Name “B7_MGMTScope” -RecipientRestrictionFilter {MemberofGroup -eq “cn=B7_Users, ou=Groups,dc=Contoso,dc=com”} -exclusive

3. Once you have created new Management Scope, Assign an management role for the Exchange administrators those are only allowed to mailboxes, In this example I am going to add Mail Recipients management role, but you can add any “Management Role”. You use role assignment to assign permissions

Note : You can use cmdlet “Get- ManagementRole” and choose you suite to your requirement

New-ManagementRoleAssignment -Name “B7_MGMT_Role” -Role “Mail Recipients” -SecurityGroup ” B7_Supporters ” -ExclusiveRecipientWriteScope “B7_MGMTScope”

Now you are done, Exchange admins those are member of distribution Group “B7_Supporter” would be able to manage mailbox of VIP users, BUT they can only perform operation which is available in Management Role “Mail recipient” (Permission which suite to Service desk folks)

What about, If supporter are trying to move mailboxes or want to perform Import/Export request. Yes, you can create few more Management Role Assignment with other Management Role. In below I would like my exchange admins should be able to move mailboxes too , To do so I will be running below cmdlet.

New-ManagementRoleAssignment -Name “B7_MGMT_Role_MoveMBX” -Role “Move Mailboxes” -SecurityGroup ” B7_Supporters ” -ExclusiveRecipientWriteScope “B7_MGMTScope”

Now perform few test and you are done it !!!!!! 🙂 Enjoy

Advertisements
Categories: Exchange 2010
  1. August 2, 2013 at 1:37 pm

    I absolutely love your website.. Pleasant colors & theme.
    Did you create this web site yourself? Please reply back as I’m looking to create my own site and want to find out where you got this from or exactly what the theme is called. Kudos!

  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: