Solved

Need correct permissions settings for Exchange 2010 RBAC for Mailbox Creation and UM Enable functionality only.

Posted on 2011-02-22
4
1,785 Views
Last Modified: 2012-05-11
Hello,

** Exchange 2010 SP1 **

I have created an Administrator Role called "Mailbox and UM User Management".
Assigned the follwing roles:

Distribution Groups
Mail Recipient Creation
UM Mailboxes

Write scope set to Default.

I assigned one member to this Role for testing.

-----------------------------------------------------------------------------------------------------------------

When opening EMS, I am unable to enable a mailbox for an exisiting user. I get the following error when I open powershell and type: Enable-Mailbox

"The term 'Enable-Mailbox' is not recognized as the name of a cmdlet..."

I found by adding the user to the "Exchange Recipient Administrators" allowed me to Mailbox enable a user, BUT

I am still unable to UM enable a user

I need to restrict that users to be able to create mailboxes, UM Enable and manage UM settings.

It seems the permissions/ roles are not correct, or I would be able to run that command. Anyone have this experience and know how to resolve this?
0
Comment
Question by:Glenn M
  • 3
4 Comments
 
LVL 32

Accepted Solution

by:
Rodney Barnhardt earned 500 total points
ID: 34955598
This link should be helpful. If you scroll toward the bottom, the management console will show you what groups have which permissions. This should help you configure your RBAC.

http://www.opsvault.com/securing-ms-exchange-2010-role-based-access-control-rbac-simplified/
0
 
LVL 1

Author Comment

by:Glenn M
ID: 34997700
Checking out the Article to see if it will tell me more...
0
 
LVL 1

Assisted Solution

by:Glenn M
Glenn M earned 0 total points
ID: 35193988
That article gave me direciton, but then led me to this solution:

http://eightwone.com/2009/12/08/exchange-2010-delegation-model/

...but, one of the commands give me an error:

Get-ManagementRoleEntry “Reset UM Pin” | where { $_.name –ne “Get-UMMailboxPIN”} | Remove-ManagementRoleEntry

Powershell returns:

[PS] C:\Windows\system32>Get-ManagementRoleEntry "Reset UM Pin" | where { $_.name -ne "Get-UMMailboxPIN"} | Remove-ManagementRoleEntry
Cannot process argument transformation on parameter 'Identity'. Cannot convert value "Reset UM Pin" to type "Microsoft.
Exchange.Configuration.Tasks.RoleEntryIdParameter". Error: "The format of the value you specified in the Microsoft.Exch
ange.Configuration.Tasks.RoleEntryIdParameter parameter isn't valid. Check the value, and then try again.
Parameter name: identity"
    + CategoryInfo          : InvalidData: (:) [Get-ManagementRoleEntry], ParameterBindin...mationException
    + FullyQualifiedErrorId : ParameterArgumentTransformationError,Get-ManagementRoleEntry


I don’t think this is the expected behavior. Can you offer assistance?
0
 
LVL 1

Author Closing Comment

by:Glenn M
ID: 35230068
withthe combinded information, I was able to find a solution.
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Following basic email etiquette rules will help you write a professional email and achieve a good, lasting impression with your contacts.
Find out what you should include to make the best professional email signature for your organization.
In this video we show how to create an email address policy in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.:  First we need to log into the Exchange Admin Center. Navigate to the Mail Flow…
In this video we show how to create a mailbox database in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Servers >> Data…

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question