

How to Customize RBAC Permissions for “HelpDesk” in Exchange 2010

Role Based Access Control (RBAC) is a great feature in Exchange 2010: it lets us grant a user a set of permissions and customize that set extensively.

I am not going to explain RBAC in depth, but we can learn how to customize the default role groups.

By default there are 11 role groups.

http://careexchange.in/wp-content/uploads/2012/06/image_thumb.png

One of the best examples is assigning permission to use Discovery Search:

http://careexchange.in/deleting-a-specific-email-from-entire-organization-in-exchange-2010-2/

By default, Administrator is a member of Organization Management, which gives him all the permissions.

But if we want Helpdesk admins to do some tasks with some permissions removed, we can customize it.

First, we have to decide which permissions to provide to the Help Desk admin

and which permissions to remove for the Help Desk admin.

Get-ManagementRole lists all the roles available.

http://careexchange.in/wp-content/uploads/2012/06/image_thumb1.png

Let's say a Help Desk engineer can create mailboxes and distribution groups, and can manage them,

but should not have permission to remove or disable them.

Going through the management roles listed, we find the Mail Recipient Creation, Distribution Groups and Mail Recipients roles.

To see what a role can do, run:

Get-ManagementRole "Mail Recipient Creation" | fl Description

Get-ManagementRole "Distribution Groups" | fl Description

Get-ManagementRole "Mail Recipients" | fl Description

http://careexchange.in/wp-content/uploads/2012/06/image_thumb2.png

http://careexchange.in/wp-content/uploads/2012/06/image_thumb3.png

We can assign these management roles to a custom role group and assign that to a Help Desk engineer, but the problem is that they will then be able to remove mailboxes and distribution groups as well.

So we have to remove those abilities before assigning the roles to them.

Now we have to find which role entries (commands) to remove. To list all the commands inside a management role,

run:

Get-ManagementRoleEntry "Mail Recipient Creation\*" | FT -AutoSize

Get-ManagementRoleEntry "Distribution Groups\*" | FT -AutoSize

Get-ManagementRoleEntry "Mail Recipients\*" | FT -AutoSize

http://careexchange.in/wp-content/uploads/2012/06/image_thumb4.png

I don't want to touch the default roles, and changing them is not recommended either.

So first I will create a copy of each role and remove the commands from the copies I have created.

New-ManagementRole -Parent "Mail Recipients" -Name "Copy of Mail Recipients"

New-ManagementRole -Parent "Mail Recipient Creation" -Name "Copy of Mail Recipient Creation"

New-ManagementRole -Parent "Distribution Groups" -Name "Copy of Distribution Groups"

Now I have a copy of each role created.

http://careexchange.in/wp-content/uploads/2012/06/image_thumb5.png

Going through the commands, I found some potentially risky commands, like Remove-Mailbox and Remove-DistributionGroup, which we have to remove from the copies.

Get-ManagementRoleEntry "Copy of Mail Recipient Creation\*" | FT -AutoSize

Get-ManagementRoleEntry "Copy of Distribution Groups\*" | FT -AutoSize

Get-ManagementRoleEntry "Copy of Mail Recipients\*" | FT -AutoSize

Removing commands from the copies of the roles which we created

Removing the potentially risky commands from: Copy of Mail Recipient Creation

Remove-ManagementRoleEntry "Copy of Mail Recipient Creation\Remove-Mailbox" -Confirm:$false

Remove-ManagementRoleEntry "Copy of Mail Recipient Creation\Remove-MailUser" -Confirm:$false

Remove-ManagementRoleEntry "Copy of Mail Recipient Creation\Remove-MailContact" -Confirm:$false

http://careexchange.in/wp-content/uploads/2012/06/image_thumb6.png

http://careexchange.in/wp-content/uploads/2012/06/image_thumb7.png

Removing the potentially risky commands from: Copy of Mail Recipients

Remove-ManagementRoleEntry "Copy of Mail Recipients\Disable-Mailbox" -Confirm:$false

Remove-ManagementRoleEntry "Copy of Mail Recipients\Disable-MailUser" -Confirm:$false

Remove-ManagementRoleEntry "Copy of Mail Recipients\Disable-MailContact" -Confirm:$false

http://careexchange.in/wp-content/uploads/2012/06/image_thumb8.png

Removing the potentially risky commands from: Copy of Distribution Groups

Remove-ManagementRoleEntry "Copy of Distribution Groups\Remove-DistributionGroup" -Confirm:$false

Remove-ManagementRoleEntry "Copy of Distribution Groups\Disable-DistributionGroup" -Confirm:$false

http://careexchange.in/wp-content/uploads/2012/06/image_thumb9.png

Now we create a custom role group:

New-RoleGroup -Name "Role Group for Help Desk" -Roles "Copy of Mail Recipients","Copy of Mail Recipient Creation","Copy of Distribution Groups"

http://careexchange.in/wp-content/uploads/2012/06/image_thumb10.png

Now I am adding a member (the Help Desk engineer) to the role group:

Add-RoleGroupMember "Role Group for Help Desk" -Member Helpdesk

http://careexchange.in/wp-content/uploads/2012/06/image_thumb11.png
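An added check, not part of the original post: once the member is in the role group, list every removed cmdlet that the account can still reach through any of its role assignments, including assignments inherited from other role groups. It assumes the Exchange Management Shell, the account name Helpdesk and the cmdlets removed above; the variable names are illustrative.

```powershell
# Added example: audit the effective RBAC permissions of the help desk account.
# Run in the Exchange Management Shell. 'Helpdesk' and the cmdlet list are the
# ones used in this article; adjust both for your environment.
$user   = 'Helpdesk'
$denied = 'Remove-Mailbox', 'Remove-MailUser', 'Remove-MailContact',
          'Disable-Mailbox', 'Disable-MailUser', 'Disable-MailContact',
          'Remove-DistributionGroup', 'Disable-DistributionGroup'

# With a user as -RoleAssignee this returns direct assignments and those
# inherited through role groups. Delegating-only and disabled assignments
# grant no cmdlets, so they are filtered out.
$assignments = Get-ManagementRoleAssignment -RoleAssignee $user -Delegating $false -Enabled $true

# For every assigned role, keep only the entries that should have been removed.
$findings = foreach ($a in $assignments) {
    Get-ManagementRoleEntry "$($a.Role)\*" |
        Where-Object { $denied -contains $_.Name } |
        Select-Object @{n = 'Cmdlet';         e = { $_.Name }},
                      @{n = 'Role';           e = { $a.Role }},
                      @{n = 'GrantedThrough'; e = { $a.RoleAssigneeName }}
}

if ($findings) {
    Write-Warning "$user can still run cmdlets that were meant to be removed:"
    $findings | Sort-Object Cmdlet, Role | Format-Table -AutoSize
} else {
    Write-Host "$user has none of the removed cmdlets through any role assignment."
}
```

A hit whose GrantedThrough column names a group other than "Role Group for Help Desk" means the account is also a member of another role group that grants the cmdlet through an unmodified role.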

Refer to the link below to add users in bulk:

http://technet.microsoft.com/en-us/library/dd638207

Now log into the server as "Helpdesk".

Make sure the account is a Domain Admin as well, so that it can log into the server.

http://careexchange.in/wp-content/uploads/2012/06/image_thumb12.png

Now you can see that the console looks different for them.

http://careexchange.in/wp-content/uploads/2012/06/image_thumb13.png

Now you can see that the Disable and Remove options have disappeared.

http://careexchange.in/wp-content/uploads/2012/06/image_thumb14.png

Great!! Role Based Access Control is ready for the Help Desk.

Regards

Satheshwaran Manoharan