Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1807
  • Last Modified:

Need correct permissions settings for Exchange 2010 RBAC for Mailbox Creation and UM Enable functionality only.

Hello,

** Exchange 2010 SP1 **

I have created an Administrator Role called "Mailbox and UM User Management".
Assigned the follwing roles:

Distribution Groups
Mail Recipient Creation
UM Mailboxes

Write scope set to Default.

I assigned one member to this Role for testing.

-----------------------------------------------------------------------------------------------------------------

When opening EMS, I am unable to enable a mailbox for an exisiting user. I get the following error when I open powershell and type: Enable-Mailbox

"The term 'Enable-Mailbox' is not recognized as the name of a cmdlet..."

I found by adding the user to the "Exchange Recipient Administrators" allowed me to Mailbox enable a user, BUT

I am still unable to UM enable a user

I need to restrict that users to be able to create mailboxes, UM Enable and manage UM settings.

It seems the permissions/ roles are not correct, or I would be able to run that command. Anyone have this experience and know how to resolve this?
0
Glenn M
Asked:
Glenn M
  • 3
2 Solutions
 
Rodney BarnhardtServer AdministratorCommented:
This link should be helpful. If you scroll toward the bottom, the management console will show you what groups have which permissions. This should help you configure your RBAC.

http://www.opsvault.com/securing-ms-exchange-2010-role-based-access-control-rbac-simplified/
0
 
Glenn MSystems Engineer / ManagerAuthor Commented:
Checking out the Article to see if it will tell me more...
0
 
Glenn MSystems Engineer / ManagerAuthor Commented:
That article gave me direciton, but then led me to this solution:

http://eightwone.com/2009/12/08/exchange-2010-delegation-model/

...but, one of the commands give me an error:

Get-ManagementRoleEntry “Reset UM Pin” | where { $_.name –ne “Get-UMMailboxPIN”} | Remove-ManagementRoleEntry

Powershell returns:

[PS] C:\Windows\system32>Get-ManagementRoleEntry "Reset UM Pin" | where { $_.name -ne "Get-UMMailboxPIN"} | Remove-ManagementRoleEntry
Cannot process argument transformation on parameter 'Identity'. Cannot convert value "Reset UM Pin" to type "Microsoft.
Exchange.Configuration.Tasks.RoleEntryIdParameter". Error: "The format of the value you specified in the Microsoft.Exch
ange.Configuration.Tasks.RoleEntryIdParameter parameter isn't valid. Check the value, and then try again.
Parameter name: identity"
    + CategoryInfo          : InvalidData: (:) [Get-ManagementRoleEntry], ParameterBindin...mationException
    + FullyQualifiedErrorId : ParameterArgumentTransformationError,Get-ManagementRoleEntry


I don’t think this is the expected behavior. Can you offer assistance?
0
 
Glenn MSystems Engineer / ManagerAuthor Commented:
withthe combinded information, I was able to find a solution.
0

Featured Post

Simplify Active Directory Administration

Administration of Active Directory does not have to be hard.  Too often what should be a simple task is made more difficult than it needs to be.The solution?  Hyena from SystemTools Software.  With ease-of-use as well as powerful importing and bulk updating capabilities.

  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now