Exchange PowerShell Cmdlets - Granting Access for AD Accounts

Today I learned something. That Microsoft Exchange PowerShell Permissions is a horrible thing.... a necessary evil if you will.... that didn't have to be done this way... so not as necessary as it needed to be either.

After a suggestion from upper management, I was reading up on Get-MailboxStatistics and noticed the cmdlet parameter/switch "-IncludeMoveHistory".

And that seems like a great feature: being able to view the last X moves of a mailbox.
How many moves are kept is controlled per server by the Mailbox Replication Service (MRS) configuration on each Mailbox server. In Exchange 2010, you would open the file:
C:\Program Files\Microsoft\Exchange Server\V14\Bin\MSExchangeMailboxReplication.exe.config

and look for MaxMoveHistoryLength, which is an attribute of the MRSConfiguration XML node; set it higher if you want more history kept, then restart the Microsoft Exchange Mailbox Replication service on that server so the new value is picked up (the .exe.config is only read when the process starts).
I've read from sources that patching the Exchange Server to a newer version could reset the value, so be diligent and make a note of it in your processes.
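As an added example (not code from the original post), the following helpers read MaxMoveHistoryLength from every Mailbox server and change it on one server with a backup and a service restart, so the value can be re-checked after a patch. They assume the default Exchange 2010 install path above, reachable through each server's C$ admin share, and that MRSConfiguration appears once in the file; the function names are my own.

```powershell
# Added example, not from the original post. Assumes the default Exchange 2010 path
# (V14) and that each Mailbox server's C$ admin share is reachable from this shell.
$mrsConfigRelativePath = 'Program Files\Microsoft\Exchange Server\V14\Bin\MSExchangeMailboxReplication.exe.config'

function Get-MrsMoveHistoryLength {
    # One row per Mailbox server: the configured MaxMoveHistoryLength, or $null when the
    # file or attribute is missing (e.g. the file was replaced by a service pack or rollup).
    foreach ($server in (Get-MailboxServer | Sort-Object Name)) {
        $path  = "\\$($server.Name)\C$\$mrsConfigRelativePath"
        $value = $null
        $note  = ''
        if (Test-Path -LiteralPath $path) {
            $xml = New-Object System.Xml.XmlDocument
            $xml.Load($path)
            $node = $xml.SelectSingleNode('//MRSConfiguration')
            if ($node -and $node.HasAttribute('MaxMoveHistoryLength')) {
                $value = [int]$node.GetAttribute('MaxMoveHistoryLength')
            } else {
                $note = 'MRSConfiguration/MaxMoveHistoryLength not present'
            }
        } else {
            $note = 'config file not found'
        }
        New-Object PSObject -Property @{
            Server               = $server.Name
            MaxMoveHistoryLength = $value
            Note                 = $note
        }
    }
}

function Set-MrsMoveHistoryLength {
    param(
        [Parameter(Mandatory = $true)][string]$Server,
        [Parameter(Mandatory = $true)][ValidateRange(0, 100)][int]$Length   # upper bound is an arbitrary sanity cap
    )
    $path = "\\$Server\C$\$mrsConfigRelativePath"
    # Keep a timestamped copy beside the file before touching it.
    Copy-Item -LiteralPath $path -Destination ('{0}.{1:yyyyMMdd-HHmmss}.bak' -f $path, (Get-Date))
    $xml = New-Object System.Xml.XmlDocument
    $xml.Load($path)
    $node = $xml.SelectSingleNode('//MRSConfiguration')
    if (-not $node) { throw "MRSConfiguration node not found in $path" }
    $node.SetAttribute('MaxMoveHistoryLength', [string]$Length)
    $xml.Save($path)
    # The .exe.config is read only at process start, so MRS on that server must be restarted.
    Get-Service -ComputerName $Server -Name MSExchangeMailboxReplication | Restart-Service
}

# Usage: record the current values (e.g. in your change notes), then raise one server and re-check.
Get-MrsMoveHistoryLength | Format-Table Server, MaxMoveHistoryLength, Note -AutoSize
# Set-MrsMoveHistoryLength -Server MBX01 -Length 10
# Get-MrsMoveHistoryLength
```

Run it from the Exchange Management Shell, since Get-MailboxServer needs the Exchange snap-in; the report function is the one to schedule after every rollup or service pack so a silent reset shows up.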

But wait: when I was trying to use the Get-MailboxStatistics command through the Exchange Management Shell, it wasn't giving me "IncludeMoveHistory" as I cycled through all the switches with the TAB key. Trying it anyway brought up an error message saying the cmdlet parameter is an invalid argument.

Well, it turns out the Exchange Management Shell isn't an expert in determining logical fallacies in an argument and correctly declaring an argument invalid..... no no no, this turns out to be an Exchange Permission Issue!!!!!

So it should be easy to fix through a GUI or Active Directory? Nope. Exchange 2010 controls cmdlet and parameter access through Role Based Access Control (RBAC), and building a custom management role that exposes only one parameter of one cmdlet has to be done in PowerShell; the Exchange Control Panel only lets you assign roles that already exist.
But it's super easy and self-explanatory? Nope, but nice try.

You need to already have access to the following cmdlets, otherwise you won't be able to follow this tutorial for building a role that grants access to specific cmdlets and parameters:

  • Get-ManagementRole
  • Get-ManagementRoleEntry
  • Get-RoleGroup
  • New-RoleGroup
  • New-ManagementRole
  • Remove-ManagementRoleEntry
  • Set-ManagementRoleEntry
  • New-ManagementRoleAssignment

Basically, I'm assuming you administer both AD and Exchange, which in practice means you are a member of the role group "Organization Management" (visible in AD as a universal security group under Microsoft Exchange Security Groups). That is Exchange's top-level admin group and is what grants the cmdlets above; being a Domain Admin on its own does not give you Exchange RBAC rights.

--Create a new role group (New-RoleGroup also creates the matching universal security group, which you can see in AD Users and Computers under Domain > Microsoft Exchange Security Groups)
New-RoleGroup "Mailbox Move History Access"

--Find an existing role that already contains the cmdlet, to use as the template (parent)
Get-ManagementRole -Cmdlet Get-MailboxStatistics
--We choose "View-Only Recipients" as it contains the cmdlet "Get-MailboxStatistics"; confirm by listing its entries and filtering for the cmdlet:
$RoleEntries = Get-ManagementRole "View-Only Recipients" | Get-ManagementRoleEntry
$RoleEntries | Where {$_.Name -eq "Get-MailboxStatistics"} | Format-List Name,Parameters

--Create the new role as a child of the template. A child role starts as an exact copy of its parent and can only be narrowed (entries and parameters removed); you cannot add a parameter the parent's entry lacks, so the Parameters list printed above must already include IncludeMoveHistory.
New-ManagementRole -Name "MailboxMoveHistory" -Description "Allows using the -IncludeMoveHistory switch on the Get-MailboxStatistics cmdlet" -Parent "View-Only Recipients"

--Modify Permission Entries in "MailboxMoveHistory"  Role
$mmh = Get-ManagementRole "MailboxMoveHistory"
$mmh | Get-ManagementRoleEntry | Where {$_.Name -ne "Get-MailboxStatistics"} | Remove-ManagementRoleEntry -Confirm:$false

--Confirm only one cmdlet Entry remains which is our "Get-MailboxStatistics"
$mmh | Get-ManagementRoleEntry

--Restrict the surviving entry to Identity and IncludeMoveHistory only. When Set-ManagementRoleEntry is given -Parameters without -AddParameter or -RemoveParameter, the list you pass replaces the entry's whole parameter list, so there is no need to enumerate every parameter you want gone (and no risk of missing one).
Set-ManagementRoleEntry -Identity "MailboxMoveHistory\Get-MailboxStatistics" -Parameters Identity,IncludeMoveHistory
Get-ManagementRoleEntry -Identity "MailboxMoveHistory\Get-MailboxStatistics" | Format-List Name,Parameters

--Assign Role to Created Group "Mailbox Move History Access"
New-ManagementRoleAssignment -SecurityGroup "Mailbox Move History Access"  -Role "MailboxMoveHistory"

--Now add members: either in AD Users and Computers (find the Mailbox Move History Access group and add the accounts that should be able to read a mailbox's move history) or, the supported way, with Add-RoleGroupMember.
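The whole procedure above as one idempotent script, added here as an example and not taken from the original post. It picks the parent role by checking that its Get-MailboxStatistics entry actually carries IncludeMoveHistory, creates the role group with its role assignment and initial members in one call, and finishes with the checks I would run before handing the group over. The role, group and member names are placeholders.

```powershell
# Added example, not from the original post. Run in the Exchange Management Shell as a
# member of Organization Management. Names below are placeholders.
$roleName   = 'MailboxMoveHistory'
$groupName  = 'Mailbox Move History Access'
$cmdlet     = 'Get-MailboxStatistics'
$keepParams = @('Identity', 'IncludeMoveHistory')
$members    = @('CONTOSO\helpdesk.alice')            # placeholder account(s)

# 1. Choose a parent role. A child role can only be narrowed, so the parent's entry for
#    the cmdlet must already expose every parameter we intend to keep.
$candidates = Get-ManagementRoleEntry "*\$cmdlet" | Where-Object {
    $entry = $_
    @($keepParams | Where-Object { $entry.Parameters -notcontains $_ }).Count -eq 0
}
if (-not $candidates) { throw "No built-in role exposes $cmdlet with parameters: $($keepParams -join ', ')" }
$parentRole = $candidates | Where-Object { $_.Role -eq 'View-Only Recipients' } | Select-Object -First 1
if (-not $parentRole) { $parentRole = $candidates | Select-Object -First 1 }
Write-Host "Using parent role '$($parentRole.Role)'"

# 2. Create the custom role once; re-running the script must not fail or duplicate it.
if (-not (Get-ManagementRole $roleName -ErrorAction SilentlyContinue)) {
    New-ManagementRole -Name $roleName -Parent $parentRole.Role `
        -Description "Read mailbox move history only ($cmdlet -IncludeMoveHistory)" | Out-Null
}

# 3. Strip every entry except the one cmdlet, then replace its parameter list outright
#    (no -AddParameter/-RemoveParameter means "exactly these parameters").
Get-ManagementRoleEntry "$roleName\*" |
    Where-Object { $_.Name -ne $cmdlet } |
    Remove-ManagementRoleEntry -Confirm:$false
Set-ManagementRoleEntry -Identity "$roleName\$cmdlet" -Parameters $keepParams

# 4. Create the role group with its assignment and first members in one step. This is
#    equivalent to New-RoleGroup followed by New-ManagementRoleAssignment.
if (-not (Get-RoleGroup $groupName -ErrorAction SilentlyContinue)) {
    New-RoleGroup -Name $groupName -Roles $roleName -Members $members `
        -Description 'May read mailbox move history, nothing else' | Out-Null
} else {
    foreach ($m in $members) { Add-RoleGroupMember -Identity $groupName -Member $m -ErrorAction SilentlyContinue }
}

# 5. Verify the least-privilege result: exactly one entry, exactly the kept parameters,
#    the assignment(s) on the role, and the users who effectively hold it.
$entries = @(Get-ManagementRoleEntry "$roleName\*")
if ($entries.Count -ne 1) { throw "Expected 1 role entry in $roleName, found $($entries.Count)" }
$extra = @($entries[0].Parameters | Where-Object { $keepParams -notcontains $_ })
if ($extra.Count -gt 0) { throw "Unexpected parameters left in $roleName\$cmdlet : $($extra -join ', ')" }
Get-ManagementRoleAssignment -Role $roleName |
    Format-Table Name, RoleAssigneeName, RoleAssigneeType, Enabled -AutoSize
Get-ManagementRoleAssignment -Role $roleName -GetEffectiveUsers |
    Select-Object -ExpandProperty EffectiveUserName -Unique
```

The last command is the one to keep in your review notes: -GetEffectiveUsers expands nested group membership, so it shows who really ends up with the role rather than just the group you assigned it to.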

--The user can now open the Exchange Management Shell, run Get-MailboxStatistics, and tab through to the -IncludeMoveHistory switch. RBAC builds each user's command set from their role assignments, so this role exposes only that cmdlet and those two parameters.
--Optionally you can also use a remote Exchange PowerShell session (fewer features, and objects come back deserialized, so many properties are plain strings rather than live objects), if you know an Exchange Server to connect to:

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://YOUREXCHANGESERVER/PowerShell/ -Authentication Kerberos
Import-PSSession $Session -DisableNameChecking

$stats = (Get-MailboxStatistics -Identity MAILBOXALIAS -IncludeMoveHistory)
$stats.MoveHistory

Remove-PSSession $Session
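Added example (not from the original post): verifying the delegation from the delegate's side through a remote session like the one above. It imports only the proxied Get-MailboxStatistics, lists which parameters RBAC left on it, fails if anything outside the role leaked through, and then reads the move history. The function name, server and mailbox are placeholders, and the session settings (http, Kerberos) are the ones used above.

```powershell
# Added example, not from the original post. Run as the delegate (or pass -Credential for
# the delegate account) against a placeholder server and mailbox.
function Test-MoveHistoryDelegation {
    param(
        [Parameter(Mandatory = $true)][string]$ExchangeServer,
        [Parameter(Mandatory = $true)][string]$Mailbox,
        [System.Management.Automation.PSCredential]$Credential
    )
    $sessionArgs = @{
        ConfigurationName = 'Microsoft.Exchange'
        ConnectionUri     = "http://$ExchangeServer/PowerShell/"
        Authentication    = 'Kerberos'
    }
    if ($Credential) { $sessionArgs['Credential'] = $Credential }
    $session = New-PSSession @sessionArgs
    try {
        # Import only the one cmdlet; the server side has already decided which parameters it carries.
        Import-PSSession $session -CommandName Get-MailboxStatistics -DisableNameChecking -AllowClobber | Out-Null

        # The generated proxy function inherits PowerShell's common parameters (and adds AsJob);
        # strip the common ones to see exactly what the role entry exposes.
        $common  = [System.Management.Automation.PSCmdlet]::CommonParameters +
                   [System.Management.Automation.PSCmdlet]::OptionalCommonParameters
        $exposed = @((Get-Command Get-MailboxStatistics).Parameters.Keys | Where-Object { $common -notcontains $_ })
        Write-Host "Parameters exposed to this account: $($exposed -join ', ')"

        # Negative check: anything beyond the two role parameters (plus the proxy's AsJob) means
        # the entry was not trimmed, so stop here rather than report success.
        $allowed    = @('Identity', 'IncludeMoveHistory', 'AsJob')
        $unexpected = @($exposed | Where-Object { $allowed -notcontains $_ })
        if ($unexpected.Count -gt 0) { throw "Role exposes extra parameters: $($unexpected -join ', ')" }

        # Positive check: the move history comes back (deserialized) over the session.
        $stats = Get-MailboxStatistics -Identity $Mailbox -IncludeMoveHistory
        New-Object PSObject -Property @{
            Mailbox     = $Mailbox
            Parameters  = $exposed
            MoveCount   = @($stats.MoveHistory).Count
            MoveHistory = $stats.MoveHistory
        }
    } finally {
        Remove-PSSession $session
    }
}

# Usage (placeholders): the delegate runs this from their own workstation.
# Test-MoveHistoryDelegation -ExchangeServer YOUREXCHANGESERVER -Mailbox MAILBOXALIAS
```

The http URI is safe to keep here because with Kerberos authentication WinRM encrypts the message payload itself; switch to https if the endpoint is ever reached with Basic authentication.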

Some of you may be saying: Well, that's not really that hard... My Response to you is Well, it's harder than it needed to be.