Exchange 2010 Server management role for sub-domains

Posted on 2012-08-23
Last Modified: 2012-08-24
How do I grant a user or group of users Server Management role access to just their sub-domain servers?  

I cannot grant them rights at the parent domain as this would grant them rights over our other sub & top-level domain Exchange servers.
Question by: TSTechNA

    Accepted Solution

    Assisted Solution

    by: Stelian Stan

    Expert Comment

    E2K10 uses RBAC. There are pre-defined roles, with the ability to get pretty granular.

    Here are the roles:

    Sounds like you are talking about this one:

    vic rozumny

    Author Comment

    Clonyxlro - the second post/link you posted is what I am trying to accomplish - I'm not well versed in Exchange PowerShell, so please forgive what may seem silly questions. In that link no one responded to the OP, so I am not sure if that is correct usage or not. Can you verify this?

    Thank you both for the posts - the links are useful, but I'm still trying to wrap my head around the proper way to do this.

    Editing this to add that I have created a subdomain scope & role group as in the second link, however I receive the following error for every Role when attempting to connect them together:

    The scope restriction type "<All of them received errors>" on the management scope "<our custom name>" isn't valid for the recipient write restriction.
    Expert Comment

    by: Stelian Stan
    Unfortunately I don't have access to my test environment to confirm that, but for a better understanding of roles have a look at Mshiyas Blog:

    A really good video about implementing RBAC:

    More on this topic:

    Hope that helps.
    Expert Comment

    by: Stelian Stan
    I think this is your case:

    but it is in German. The English would be:

    The big problem of an Exchange installation is that all changes always affect the entire forest. When Exchange is installed in a subdomain, the system administrator of this subdomain has the ability to make changes for the entire Exchange organization.

    Since Exchange 2010 there is the so-called Role-Based Access Control (RBAC). With it the permissions of the Exchange administrators of subdomains can be restricted, which is explained below:

    The What

    The members of our AD group "subdomain Admins" can do the following in the subdomain sub.test.local:

    Server Management
    Recipient Management but without the command Remove-OwaMailboxPolicy
    View-Only Organization Management
    For more information on these RoleGroups see [1].

    To avoid damaging the existing RoleGroups, we create all 3 RoleGroups anew:

    # Copy the roles of the built-in "Server Management" group into a new group
    $RoleGroup = Get-RoleGroup "Server Management"
    New-RoleGroup "Subdomain Server Management" -Roles $RoleGroup.Roles

    # Same for "View-Only Organization Management"
    $RoleGroup = Get-RoleGroup "View-Only Organization Management"
    New-RoleGroup "subdomain View-Only Organization Management" -Roles $RoleGroup.Roles

    For the custom Recipient Management role the whole thing is a bit more complicated. Because the command Remove-OwaMailboxPolicy is included in the roles Mail Recipients and Recipient Policies, which are both part of Recipient Management, we have to adapt it. For this purpose, we create copies of the respective roles:

    # Child roles start with all entries of their parent role
    New-ManagementRole -Parent "Mail Recipients" -Name "Restricted Mail Recipients"

    New-ManagementRole -Parent "Recipient Policies" -Name "Restricted Recipient Policies"

    Now we need to remove the unwanted command:

    # Role entries are addressed as "<Role>\<Cmdlet>"
    Remove-ManagementRoleEntry "Restricted Mail Recipients\Remove-OwaMailboxPolicy"

    Remove-ManagementRoleEntry "Restricted Recipient Policies\Remove-OwaMailboxPolicy"

    These and all the other roles that we need, we now put together into a RoleGroup "Restricted Recipient Management":

    # "Message Tracking" and "Migration" are two separate built-in roles
    New-RoleGroup "Restricted Recipient Management" -Roles "Distribution Groups", "Mail Enabled Public Folders", "Mail Recipient Creation", "Message Tracking", "Migration", "Move Mailboxes", "Restricted Mail Recipients", "Restricted Recipient Policies"

    For more information about management roles that exist in Exchange 2010 already, see [2].

    The Who

    Now the members need to be added to the RoleGroups. In our case, the group "subdomain Admins":

    # The parameter is -Member (singular); the AD group name contains a space, so quote it
    Add-RoleGroupMember "Subdomain Server Management" -Member "subdomain Admins"

    # The recipient group was created above as "Restricted Recipient Management"
    Add-RoleGroupMember "Restricted Recipient Management" -Member "subdomain Admins"

    Add-RoleGroupMember "subdomain View-Only Organization Management" -Member "subdomain Admins"

    The Where

    Rights in Role Based Access Control are most simply restricted to specific areas with a scope of their own. In our case we summarize the subdomain into a new "Sub Scope". This is easiest using the FQDN of the servers:

    # A server restriction filter makes this a configuration (server) scope
    New-ManagementScope -Name "Sub Scope" -ServerRestrictionFilter {Fqdn -like "*.sub.test.local"}

    Now the previously created RoleGroups are assigned to the Scope:

    # Every role assignment of the group gets the scope as its configuration write scope
    Get-ManagementRoleAssignment -RoleAssignee "Subdomain Server Management" | Set-ManagementRoleAssignment -CustomConfigWriteScope "Sub Scope"

    Get-ManagementRoleAssignment -RoleAssignee "Restricted Recipient Management" | Set-ManagementRoleAssignment -CustomConfigWriteScope "Sub Scope"

    Get-ManagementRoleAssignment -RoleAssignee "subdomain View-Only Organization Management" | Set-ManagementRoleAssignment -CustomConfigWriteScope "Sub Scope"

    After the changes are made, each member of the group "subdomain Admins" has all the necessary permissions to manage Exchange within the subdomain as desired.
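The following is an added, end-to-end script for the procedure in the post above; it is not the post's own code and not from any Microsoft sample. It keeps the names the post uses (sub.test.local, "Sub Scope", the "subdomain Admins" AD group, the copied role groups) and adds one thing the post does not: a separate recipient scope. A scope built with -ServerRestrictionFilter is a server (configuration) scope, and Exchange rejects it as a recipient write scope with the error quoted earlier in this thread ("The scope restriction type ... isn't valid for the recipient write restriction"), so recipient-side writes are limited with a recipient scope instead. The name "Sub Recipient Scope" and the use of the domain as RecipientRoot are assumptions. Run it in the Exchange 2010 Management Shell as a member of Organization Management.

```powershell
# Added example (not from the original post). Exchange 2010 RBAC: give one AD
# group server/recipient management limited to the sub.test.local subdomain.
# Assumed names: "subdomain Admins", "Sub Scope", "Sub Recipient Scope".

$AdminGroup  = "subdomain Admins"      # AD security group receiving the rights
$ServerScope = "Sub Scope"             # configuration scope over the subdomain servers
$RecipScope  = "Sub Recipient Scope"   # recipient scope over the subdomain (assumed name)

# 1. Scopes. Filters are serialized, so keep the FQDN pattern literal.
#    A server scope can only be used as -CustomConfigWriteScope; passing it as
#    -CustomRecipientWriteScope produces the "isn't valid for the recipient
#    write restriction" error, hence the second, recipient-type scope.
if (-not (Get-ManagementScope $ServerScope -ErrorAction SilentlyContinue)) {
    New-ManagementScope -Name $ServerScope `
        -ServerRestrictionFilter { Fqdn -like "*.sub.test.local" }
}
if (-not (Get-ManagementScope $RecipScope -ErrorAction SilentlyContinue)) {
    # -RecipientRoot must be combined with a recipient filter; "*" matches all
    # recipients that live under the subdomain root (assumption: domain as root).
    New-ManagementScope -Name $RecipScope `
        -RecipientRoot "sub.test.local" `
        -RecipientRestrictionFilter { Name -like "*" }
}

# 2. Copies of the built-in groups, scoped and populated at creation time
#    (equivalent to New-RoleGroup + Set-ManagementRoleAssignment + Add-RoleGroupMember
#    in the post, but without an unscoped window between the three steps).
$Src = Get-RoleGroup "Server Management"
New-RoleGroup -Name "Subdomain Server Management" -Roles $Src.Roles `
    -CustomConfigWriteScope $ServerScope -Members $AdminGroup

$Src = Get-RoleGroup "View-Only Organization Management"
New-RoleGroup -Name "subdomain View-Only Organization Management" -Roles $Src.Roles `
    -CustomConfigWriteScope $ServerScope -Members $AdminGroup

# 3. Recipient management without Remove-OwaMailboxPolicy: child roles inherit
#    every entry of the parent, so copy the two roles and strip the entry.
New-ManagementRole -Parent "Mail Recipients"    -Name "Restricted Mail Recipients"
New-ManagementRole -Parent "Recipient Policies" -Name "Restricted Recipient Policies"
Remove-ManagementRoleEntry "Restricted Mail Recipients\Remove-OwaMailboxPolicy"    -Confirm:$false
Remove-ManagementRoleEntry "Restricted Recipient Policies\Remove-OwaMailboxPolicy" -Confirm:$false

New-RoleGroup -Name "Restricted Recipient Management" -Members $AdminGroup `
    -CustomRecipientWriteScope $RecipScope `
    -Roles "Distribution Groups", "Mail Enabled Public Folders", "Mail Recipient Creation",
           "Message Tracking", "Migration", "Move Mailboxes",
           "Restricted Mail Recipients", "Restricted Recipient Policies"

# 4. Verify the result instead of trusting the cmdlets' silence.
#    4a. Every assignment of the server group should show the custom config scope.
Get-ManagementRoleAssignment -RoleAssignee "Subdomain Server Management" |
    Format-Table Role, ConfigWriteScope, CustomConfigWriteScope, RecipientWriteScope -AutoSize

#    4b. Which servers can the group actually write? Any server outside
#        sub.test.local listed as Writable=True means the scope is too wide.
Get-ExchangeServer | ForEach-Object {
    $server = $_
    $hit = Get-ManagementRoleAssignment -RoleAssignee "Subdomain Server Management" `
               -WritableServer $server.Identity
    # PowerShell 2.0 (Exchange 2010 EMS) has no [pscustomobject] shorthand
    New-Object PSObject -Property @{ Server = $server.Fqdn; Writable = [bool]$hit }
} | Format-Table Server, Writable -AutoSize
```

The check in step 4b is the one worth keeping around: it asks Exchange which servers a given role group may modify, which is the actual question behind the original post, rather than inspecting scope definitions by eye. Roles in the copied groups that only ever write organization-wide configuration (no server-level objects) are not restricted by a server scope, so audit the role list of each copied group against what the subdomain administrators genuinely need before delegating it.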

    Author Closing Comment

    Thank you again for the assistance on this. What is interesting is I received a lot of errors in PowerShell for the linking of the two, however the users are reporting that they can see and make the modifications they need now.

    I'm marking this as the solution since it did accomplish what I needed.
