Need correct permissions settings for Exchange 2010 RBAC for Mailbox Creation and UM Enable functionality only.


** Exchange 2010 SP1 **

I have created an Administrator Role called "Mailbox and UM User Management".
Assigned the following roles:

Distribution Groups
Mail Recipient Creation
UM Mailboxes

Write scope set to Default.

I assigned one member to this Role for testing.


When opening EMS, I am unable to enable a mailbox for an existing user. I get the following error when I open PowerShell and type: Enable-Mailbox

"The term 'Enable-Mailbox' is not recognized as the name of a cmdlet..."

I found that adding the user to the "Exchange Recipient Administrators" group allowed me to mailbox-enable a user, BUT

I am still unable to UM enable a user

I need to restrict that user to being able to create mailboxes, UM Enable and manage UM settings.

It seems the permissions/ roles are not correct, or I would be able to run that command. Anyone have this experience and know how to resolve this?
Glenn M (Systems Engineer / Manager) asked:
Rodney Barnhardt (Server Administrator) commented:
This link should be helpful. If you scroll toward the bottom, the management console will show you what groups have which permissions. This should help you configure your RBAC.
Glenn M (Systems Engineer / Manager, author) commented:
Checking out the Article to see if it will tell me more...
Glenn M (Systems Engineer / Manager, author) commented:
That article gave me direction, but then led me to this solution:

...but, one of the commands gives me an error:

Get-ManagementRoleEntry "Reset UM Pin" | where { $ -ne "Get-UMMailboxPIN"} | Remove-ManagementRoleEntry

Powershell returns:

[PS] C:\Windows\system32>Get-ManagementRoleEntry "Reset UM Pin" | where { $ -ne "Get-UMMailboxPIN"} | Remove-ManagementRoleEntry
Cannot process argument transformation on parameter 'Identity'. Cannot convert value "Reset UM Pin" to type "Microsoft.
Exchange.Configuration.Tasks.RoleEntryIdParameter". Error: "The format of the value you specified in the Microsoft.Exch
ange.Configuration.Tasks.RoleEntryIdParameter parameter isn't valid. Check the value, and then try again.
Parameter name: identity"
    + CategoryInfo          : InvalidData: (:) [Get-ManagementRoleEntry], ParameterBindin...mationException
    + FullyQualifiedErrorId : ParameterArgumentTransformationError,Get-ManagementRoleEntry

I don’t think this is the expected behavior. Can you offer assistance?
Glenn M (Systems Engineer / Manager, author) commented:
With the combined information, I was able to find a solution.
Question has a verified solution.
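
The error quoted in the thread comes from the Identity format: Get-ManagementRoleEntry expects `<role>\<cmdlet>` (wildcards allowed), not a bare role name. The following is an added example, not part of the original thread or of the solution it links to. It audits which roles carry the cmdlets a delegated account needs and which of them the account actually holds, then previews the thread's pipeline with a valid identity. It assumes an Exchange 2010 Management Shell session, that the custom role "Reset UM Pin" from the thread exists, and uses `testadmin` as a placeholder account name.

```powershell
# Added example: run inside the Exchange Management Shell (Exchange 2010 SP1).
# 'testadmin' is a placeholder for the delegated account under test.
$Assignee = 'testadmin'
$Needed   = 'Enable-Mailbox', 'Enable-UMMailbox', 'Set-UMMailbox'

# 1. Which management roles contain each cmdlet the delegate must run?
foreach ($cmdlet in $Needed) {
    Get-ManagementRole -Cmdlet $cmdlet |
        Select-Object @{ n = 'Cmdlet'; e = { $cmdlet } }, Name, Parent
}

# 2. Which cmdlets does the delegate actually hold, counting roles
#    inherited through role groups? Note the '<role>\*' identity form.
$held = Get-ManagementRoleAssignment -RoleAssignee $Assignee |
    ForEach-Object { Get-ManagementRoleEntry "$($_.Role)\*" } |
    Select-Object -ExpandProperty Name -Unique

# 3. Report every required cmdlet that no assigned role grants.
$Needed |
    Where-Object { $held -notcontains $_ } |
    ForEach-Object { Write-Warning "$Assignee has no role entry for $_" }

# 4. The pipeline from the thread with a valid identity. Assumption: the
#    filter was meant to compare each entry's Name. -WhatIf only previews.
Get-ManagementRoleEntry 'Reset UM Pin\*' |
    Where-Object { $_.Name -ne 'Get-UMMailboxPIN' } |
    Remove-ManagementRoleEntry -WhatIf
```

A warning from step 3 means the account's role group lacks a role that carries that cmdlet, which is why the shell reports the cmdlet as not recognized for that user.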
