How to Use PowerShell to Delegate Minimum Permissions for Exchange to Create Mailboxes
FIM ScriptBox Item
Summary
This script shows how to delegate the minimum Exchange 2010 permissions needed for mailbox provisioning to a single service account. Instead of granting a broad built-in role, it creates a custom RBAC management role that exposes only the Update-Recipient cmdlet and assigns it to a dedicated role group whose only member is the FIM Active Directory management agent (AD MA) account.
Script Code
# This script must be run from an Exchange 2010 Management Shell (remote PowerShell) session.
[String]$aDMAAccountName = "svcfimadma";

# Create a new management role that inherits its entries from the built-in "Mail Recipients" role.
New-ManagementRole `
    -Name UpdateRecipientAccess `
    -Parent "Mail Recipients";

# Remove every cmdlet from the new role except Update-Recipient.
Get-ManagementRoleEntry `
    -Identity UpdateRecipientAccess\* |
    ? { $_.Name -ne 'Update-Recipient' } |
    Remove-ManagementRoleEntry -Confirm:$false;

# Create a new role group (an AD DS security group) and add the AD MA account as its only member.
New-RoleGroup `
    -Name "Update-Recipient-Access" `
    -Roles UpdateRecipientAccess `
    -DisplayName "Recipient Update Service Invocation" `
    -Description "Members of this role group can use the Update-Recipient cmdlet to invoke the Recipient Update Service (RUS)" `
    -Members $aDMAAccountName;
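The following verification script is an added example for this page; it is not part of the original ScriptBox script. Run it in the same Exchange 2010 Management Shell after the delegation script has completed. It checks the three properties that make the delegation "minimum": the custom role exposes only Update-Recipient, the role group contains exactly one member, and nothing other than that role group is assigned the role. The role, role group and account names are assumed to be the ones used above; change the variables at the top if you renamed them.

```powershell
# Added verification example (not part of the original ScriptBox script).
# Run in the Exchange 2010 Management Shell after the delegation script.
# Assumed names: taken from the script above; adjust if you changed them.
$roleName       = "UpdateRecipientAccess"
$roleGroupName  = "Update-Recipient-Access"
$expectedMember = "svcfimadma"

# 1. The role must expose exactly one cmdlet: Update-Recipient.
$entries    = Get-ManagementRoleEntry -Identity "$roleName\*"
$unexpected = $entries | Where-Object { $_.Name -ne 'Update-Recipient' }
$required   = $entries | Where-Object { $_.Name -eq 'Update-Recipient' }
if ($unexpected) {
    $names = ($unexpected | Select-Object -ExpandProperty Name) -join ', '
    Write-Warning "Role $roleName still grants additional cmdlets: $names"
} elseif (-not $required) {
    Write-Warning "Role $roleName does not grant Update-Recipient; the AD MA cannot provision mailboxes."
} else {
    Write-Output "OK: role $roleName grants only Update-Recipient."
}

# 2. The role group must contain exactly one member, the AD MA service account.
#    Get-RoleGroupMember returns reduced recipient objects; the Name property is
#    compared here, which is assumed to match the account name used in the script.
$members = @(Get-RoleGroupMember -Identity $roleGroupName)
if ($members.Count -ne 1) {
    $names = ($members | Select-Object -ExpandProperty Name) -join ', '
    Write-Warning "Role group $roleGroupName has $($members.Count) members: $names"
} elseif ($members[0].Name -ne $expectedMember) {
    Write-Warning "Role group $roleGroupName member is $($members[0].Name), expected $expectedMember."
} else {
    Write-Output "OK: role group $roleGroupName contains only $expectedMember."
}

# 3. No assignee other than the role group should hold the role (e.g. a stray
#    direct user assignment would widen the grant without showing up in step 2).
$assignments = @(Get-ManagementRoleAssignment -Role $roleName)
$stray = $assignments | Where-Object { $_.RoleAssigneeName -ne $roleGroupName }
if ($stray) {
    $names = ($stray | Select-Object -ExpandProperty RoleAssigneeName) -join ', '
    Write-Warning "Role $roleName is also assigned to: $names"
} elseif ($assignments.Count -eq 0) {
    Write-Warning "Role $roleName is not assigned to anyone; the role group was not linked to it."
} else {
    Write-Output "OK: role $roleName is assigned only to $roleGroupName."
}
```

Because `Remove-ManagementRoleEntry` deletes entries one at a time, a partially failed run of the delegation script can leave extra cmdlets in the role; step 1 is the check that catches this. Step 3 matters because role assignments, not group membership alone, determine what the account can execute, so an additional assignment of the same role silently extends the grant beyond the intended service account.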
Note
To provide feedback about this script, create a post on the FIM TechNet Forum.
For more FIM related Windows PowerShell scripts, see the FIM ScriptBox.