Creating Custom RBAC for Exchange 2010 Administration

Most Administrators may have found the transition to Role Based Access Control (RBAC) more challenging than expected in Exchange Server 2010.  Trying to use the “Built In” RBAC security groups is nearly impossible as it makes you fit your Admins into a Microsoft mold.  When first looking to create your own RBAC roles, the process may seem nearly impossible.  In this post, I will step you through creating basic RBAC group for members of the Helpdesk.

The first step in modeling permissions for a helpdesk role is deciding what you want the Helpdesk to do for you.  In this example, I have decided that the helpdesk needs the ability to Create/Delete/Modify Users, Groups and contacts.  I don’t want the Helpdesk to have the ability to delete users from the EMC, only disable and I don’t want to give them the ability to move mailboxes or reconnected disconnected mailboxes.  The helpdesk is centralized and needs to have access to all user accounts in the organization.

To start the process you need to find a combination of Built-In Management Roles that can give me all of the permissions needed for the helpdesk.  These happen to be Mail Recipients, Mail Recipient Creation, and Distribution Groups.  I cannot edit (nor would you want to) the Built-In groups so I will need to clone them and give them a new name.  This can be performed in Powershell.

New-ManagementRole -Name “Company_Helpdesk-MailRecipients” -Parent “Mail Recipients”

New-ManagementRole -Name “Company_Helpdesk-MailRecipientCreation” -Parent “Mail Recipient Creation”

 New-ManagementRole -Name “Company_Helpdesk-MailRecipientCreation” -Parent “Distribution Groups”

The naming convention that I am using for the Management Role can be used for all sizes of organizations.  I know that there will be more groups that will need custom permissions and I also should plan for any mergers that may happen in the future.  Company_Team_ManagementRoleCopied easily identifies what the Management Role is for.

Now that you have created the Management Roles, you need to bring them together in a single Role Group.  To create the Role Group in Powershell, perform the following:

New-RoleGroup -Name “AdminExch_Helpdesk” -Roles “Company_Helpdesk-MailRecipients”,”Company_Helpdesk-MailRecipientCreation”,”Company_Helpdesk-DistributionGroups”

The Role Groups are also Universal Security Groups. They can be found in the Microsoft Exchange Security Groups OU in Active Directory.  Here is where you will add in your permissions for the Helpdesk accounts. To Follow a best practice approach, Helpdesk Administrative User accounts should be a member of a security group with a Global scope and then the Global security group should be added as a member to the AdminExch_Helpdesk Universal Security Group.

The last step in the process is to eliminate commands that you do not want the helpdesk to have at their disposal. 

First, I want to query the Role Group so that I have a list of all Role Group Entries that are currently available to the Helpdesk.  The below PowerShell command will do this for us.

Get-ManagementRoleEntry “Company_Helpdesk*\*”

After looking at the list of commands, I write down the ones that I want to remove from the Helpdesk Role.  I remove some roles so that certain tabs no longer appear in the EMC.  After you select the Management Role Entries that you would like to remove, use the following command:

Get-ManagementRoleEntry “Company_Helpdesk*\<Entry to remove>” | Remove-ManagementRoleEntry

You now have created a custom Role Group for your Helpdesk staff that provides the tools that they need in order to perform their job.

Advertisements
This entry was posted in Exchange, Exchange_2010 and tagged , , . Bookmark the permalink.

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s