Udostępnij za pośrednictwem


How to create a custom “Recipient Management” group using Exchange 2010 RBAC

My customer wanted to assign the "Recipient Management" group to their helpdesk staff, who are responsible for the creation and management of their Exchange mailboxes. However, they didn't want to give the "Delete" permissions to the helpdesk. This is simple to accomplish using Exchange 2010 and RBAC!

Currently, when the helpdesk use the EMC with the default "Recipient Administrators" role group, they are able to delete user accounts and mailboxes

EMC

This is unacceptable to my customer, who keep their historical mailboxes. We needed to limit the ability to disable and remove mailboxes, without impacting their ability to use the Exchange Management Console. We need to create a custom “Management Role Group” which contains all the functionality of the “Recipient Administrators” group, but without the ability to delete mailboxes.

The first thing to do, was to create a new Management Role Group. As I wanted to base this on the "Recipient Management" role group, I started by copying this group in the Exchange Control Panel

Pic1

I give this group a name, and I edit the description to reflect the purpose of this group. I have added the note that "This is a custom Role Group" , so any future administrators are able to easily see that this has been customised from the default.

Pic2

At the moment, I am not making any changes to Management Roles assigned to this group.

A Management Role Group is a collection of Management Roles. A Management Role is a collection of Management Role Entries. A Management Role Entry is simply a PowerShell command, along with parameters, that is able to run. So, to try to make this as simple as possible, A Management Role (e.g, Mail Recipients) is a collection of all the PowerShell commands that are required to manage Mail Recipients. A Management Role Group is a collection of Management Roles, that can be assigned to user accounts. So by building these groups and roles, we can be extremely granular in the permissions that can be assigned to users.

A Picture may help explain this…

image

Within my "Internal Helpdesk Group", I have 8 Management Roles assigned, which have been copied over from the default "Recipient Management" Role Group.

Pic3

The requirement is to create a group that is able to manage Exchange Recipients, but not allowed to delete them. So I need to see what PowerShell Cmdlets each Management Role grants access to. Unfortunately, there isn't a nice GUI to do this, so its time to fire up the Exchange Management Shell!

I will start by getting the list of Management Roles that are assigned to my "Internal Helpdesk Group" To do this, I can use the rather complicated command Get-RoleGroup -Identity "Internal Helpdesk Group" | Select-Object -expand Roles | Select-Object Name.

If you are using a topology with multiple domains, you may need to add the –DomainController switch to this command, and point it at a domain controller in the domain where the “Microsoft Exchange Security Groups” OU is located.

Pic 4

This formats the roles in a simple to see format, and shows the same information as is in the ECP.

The next step is to look into each Role Group and see what PowerShell Cmdlets (Management Role Entries) are permitted within each group. I will start by looking at "Distribution Groups"

Get-ManagementRole "Distribution Groups" | Get-ManagmentRoleEntry

Pic 5

Most of the commands in this role fit with what I would like to do, however, I would like to remove access to some of the Remove-* and Disable-* commands. To do this, I will need to edit the Management Role.

Best practice states that we should not change any of the built in Management Roles. I will copy this Management Role using the following command

Get-ManagementRole "Distribution Groups" | New-ManagementRole "Distribution Groups No Delete"

Pic 6

As you can see, I have copied this Management Role, and it contains the same Management Role Entries as before.

I want to remove the "Remove-DynamicDistributionGroup","Remove-DistributionGroup" and "Disable-DistributionGroup" entries for my custom group. To do this I will run the following command

Get-ManagementRole "Distribution Groups No Delete" | Get-ManagementRoleEntry | Where {$_.Name -like "Disable-DistributionGroup”} | Remove-ManagementRoleEntry -Whatif

This command breaks down as follows: Get-ManagementRole “Distribution Groups No Delete” | Get-ManagementRoleEntry will return all the Management Role Entries assigned to this Management Role. the Where {$_.name –like “Disable-DistributionGroup”} will filter this down to a single Management Role Entry, which is then passed to the Remove-ManagementRoleEntry to remove the entry.

I have added the "Whatif" parameter on this command so we can be sure we are removing the correct entry. If we are, then we can run this command again without that parameter

Pic 7

I will repeat this for the Remove Cmdlets

Get-ManagementRole "Distribution Groups No Delete" | Get-ManagementRoleEntry | Where {$_.Name -like "Remove-DymanicDistributionGroup"} | Remove-ManagementRoleEntry -Whatif

Get-ManagementRole "Distribution Groups No Delete" | Get-ManagementRoleEntry | Where {$_.Name -like "Remove-DistriubutionGroup"} | Remove-ManagementRoleEntry -Whatif

If you prefer, you could run this command specifying "Remove-*" in the where. This will work, however, not all cmdlets will need to be removed, for instance, you will still want the user to be able to run the "Remove-DistributionGroupMember" cmdlet. I have listed below the cmdlets that should be removed for this example

And now to ensure that this is successful, I will run the Get-ManagementRole "Distribution Groups No Delete" | Get-ManagementRoleEntry command to ensure that the Disable and Remove cmdlets specified have been removed.

Pic 8

That is now complete for the custom Distribution Groups Management Role. We will now repeat the above Process for the remaining Management Roles.

I have had to create custom roles for the following:
  • Mail Enabled Public Folders (Remove access to the "Disable-MailPublicFolder" Command)
  • Mail Recipient Creation (Remove Access to the "Remove-MailContact", "Remove-MailUser", "Remove-Mailbox", "Remove-RemoteMailbox" commands)
  • Mail Recipients (Remove Access to the ""Disable-MailContact", "Disable-MailUser", "Disable-Mailbox", "Disable-RemoteMailbox" Commands)

After completing these steps, we have completed our Management Role customisation. Now we will go into ECP, and assign these new Roles to the custom Management Role Group

First remove the existing roles

Pic 9

And add our new Custom Role

Pic 10

After we have assigned this group to the helpdesk staff, when they log into the EMC, the removal options are unavailable.

Pic 12