Need correct permissions settings for Exchange 2010 RBAC for Mailbox Creation and UM Enable functionality only.

Hello,

** Exchange 2010 SP1 **

I have created an Administrator Role called "Mailbox and UM User Management".
Assigned the follwing roles:

Distribution Groups
Mail Recipient Creation
UM Mailboxes

Write scope set to Default.

I assigned one member to this Role for testing.

-----------------------------------------------------------------------------------------------------------------

When opening EMS, I am unable to enable a mailbox for an exisiting user. I get the following error when I open powershell and type: Enable-Mailbox

"The term 'Enable-Mailbox' is not recognized as the name of a cmdlet..."

I found by adding the user to the "Exchange Recipient Administrators" allowed me to Mailbox enable a user, BUT

I am still unable to UM enable a user

I need to restrict that users to be able to create mailboxes, UM Enable and manage UM settings.

It seems the permissions/ roles are not correct, or I would be able to run that command. Anyone have this experience and know how to resolve this?
LVL 2
Glenn MSystems Engineer / ManagerAsked:
Who is Participating?
 
Rodney BarnhardtConnect With a Mentor Server AdministratorCommented:
This link should be helpful. If you scroll toward the bottom, the management console will show you what groups have which permissions. This should help you configure your RBAC.

http://www.opsvault.com/securing-ms-exchange-2010-role-based-access-control-rbac-simplified/
0
 
Glenn MSystems Engineer / ManagerAuthor Commented:
Checking out the Article to see if it will tell me more...
0
 
Glenn MConnect With a Mentor Systems Engineer / ManagerAuthor Commented:
That article gave me direciton, but then led me to this solution:

http://eightwone.com/2009/12/08/exchange-2010-delegation-model/

...but, one of the commands give me an error:

Get-ManagementRoleEntry “Reset UM Pin” | where { $_.name –ne “Get-UMMailboxPIN”} | Remove-ManagementRoleEntry

Powershell returns:

[PS] C:\Windows\system32>Get-ManagementRoleEntry "Reset UM Pin" | where { $_.name -ne "Get-UMMailboxPIN"} | Remove-ManagementRoleEntry
Cannot process argument transformation on parameter 'Identity'. Cannot convert value "Reset UM Pin" to type "Microsoft.
Exchange.Configuration.Tasks.RoleEntryIdParameter". Error: "The format of the value you specified in the Microsoft.Exch
ange.Configuration.Tasks.RoleEntryIdParameter parameter isn't valid. Check the value, and then try again.
Parameter name: identity"
    + CategoryInfo          : InvalidData: (:) [Get-ManagementRoleEntry], ParameterBindin...mationException
    + FullyQualifiedErrorId : ParameterArgumentTransformationError,Get-ManagementRoleEntry


I don’t think this is the expected behavior. Can you offer assistance?
0
 
Glenn MSystems Engineer / ManagerAuthor Commented:
withthe combinded information, I was able to find a solution.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.