

Exchange 2010 Server management role for sub-domains

Posted on 2012-08-23
Medium Priority
Last Modified: 2012-08-24
How do I grant a user or group of users Server Management role access to just their sub-domain servers?  

I cannot grant them rights at the parent domain as this would grant them rights over our other sub & top-level domain Exchange servers.
Question by:TSTechNA

Accepted Solution

Stelian Stan earned 2000 total points
ID: 38326320

Assisted Solution

by:Stelian Stan
Stelian Stan earned 2000 total points
ID: 38326356

Expert Comment

ID: 38326360
E2K10 uses RBAC. There are pre-defined roles, with the ability to get pretty granular.

Here are the roles: http://technet.microsoft.com/en-us/library/dd638077

Sounds like you are talking about this one:



vic rozumny


Author Comment

ID: 38326584
Clonyxlro - the second post/link you posted is what I am trying to accomplish - I'm not well versed in Exchange PowerShell, so please forgive what may seem silly questions. In that link no one responded to the OP, so I am not sure if that is correct usage or not. Can you verify this?

Thank you both for the posts - the links are useful, but I'm still trying to wrap my head around the proper way to do this.

Editing this to add that I have created a subdomain scope & role group as in the second link, however I receive the following error for every Role when attempting to connect them together:

The scope restriction type "<All of them received errors>" on the management scope "<our custom name>" isn't valid for the recipient write restriction.

Expert Comment

by:Stelian Stan
ID: 38326793
Unfortunately I don't have access to my test environment to confirm that, but for a better understanding of roles have a look at Mshiyas' blog: http://mshiyas.wordpress.com/2012/02/01/an-introduction-to-exchange-role-based-access-control/

A really good video about implementing RBAC: http://www.youtube.com/watch?v=wdxn5veJfk4&lr=1

More on this topic: http://muc-ug.org.in/index.php/articles/exchange-2010/115-exchange-2010-role-based-access-control.html

Hope that helps.

Expert Comment

by:Stelian Stan
ID: 38326823
I think this is your case: http://infrablog.escde.net/2012/02/01/exchange-2010-verwaltung-in-der-subdomane-teil1/

but it is in German. The English would be:

The big problem of an Exchange installation is that all changes always affect the entire forest. When Exchange is installed in a subdomain, the system administrator of this subdomain has the ability to make changes for the entire Exchange organization.

Since Exchange 2010 there is so-called Role-Based Access Control (RBAC). This can restrict the permissions of the Exchange administrators of subdomains, as explained below:

The What

The members of our AD group "subdomain Admins" can do the following in the subdomain sub.test.local:

Server Management
Recipient Management but without the command Remove-OwaMailboxPolicy
View-Only Organization Management
For more information on these RoleGroups see [1].

To avoid damaging the existing RoleGroups, we create all 3 RoleGroups anew:

$RoleGroup = Get-RoleGroup "Server Management"
New-RoleGroup "Subdomain Server Management" -Roles $RoleGroup.Roles

$RoleGroup = Get-RoleGroup "View-Only Organization Management"
New-RoleGroup "subdomain View-Only Organization Management" -Roles $RoleGroup.Roles

For the custom Recipient Management role group things are a bit more complicated. Because the cmdlet Remove-OwaMailboxPolicy is included in the roles Mail Recipients and Recipient Policies, which are both part of Recipient Management, we have to adapt those roles. For this purpose, we create copies of the respective roles:

New-ManagementRole -Parent "Mail Recipients" -Name "Restricted Mail Recipients"

New-ManagementRole -Parent "Recipient Policies" -Name "Restricted Recipient Policies"

Now we need to remove the unwanted cmdlet from the copies:

Remove-ManagementRoleEntry "Restricted Mail Recipients\Remove-OwaMailboxPolicy"

Remove-ManagementRoleEntry "Restricted Recipient Policies\Remove-OwaMailboxPolicy"

These and all the other roles that we need are now put together in a RoleGroup, Restricted Recipient Management:

New-RoleGroup "Restricted Recipient Management" -Roles "Distribution Groups", "Mail Enabled Public Folders", "Mail Recipient Creation", "Message Tracking", "Migration", "Move Mailboxes", "Restricted Mail Recipients", "Restricted Recipient Policies"

For more information about management roles that exist in Exchange 2010 already, see [2].

The Who

Now the members need to be added to the RoleGroups. In our case, the group "subdomain Admins":

Add-RoleGroupMember "Subdomain Server Management" -Member "subdomain Admins"

Add-RoleGroupMember "Subdomain Recipient Management" -Member "subdomain Admins"

Add-RoleGroupMember "subdomain View-Only Organization Management" -Member "subdomain Admins"

The Where

The rights granted through Role Based Access Control are most simply restricted to specific areas by a scope of their own. In our case we have gathered the subdomain into a new scope, "Sub Scope". This is easiest using the FQDN of the servers:

New-ManagementScope -Name "Sub Scope" -ServerRestrictionFilter {Fqdn -like "*.sub.test.local*"}

Now the previously created RoleGroups are assigned to the scope:

Get-ManagementRoleAssignment -RoleAssignee "Subdomain Server Management" | Set-ManagementRoleAssignment -CustomConfigWriteScope "Sub Scope"

Get-ManagementRoleAssignment -RoleAssignee "Subdomain Recipient Management" | Set-ManagementRoleAssignment -CustomConfigWriteScope "Sub Scope"

Get-ManagementRoleAssignment -RoleAssignee "subdomain View-Only Organization Management" | Set-ManagementRoleAssignment -CustomConfigWriteScope "Sub Scope"

After the changes have been made, each member of the group "subdomain Admins" has all the permissions needed to manage Exchange within the subdomain, as desired.
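The translated post above gives the steps one at a time; the following script is an added example (not code from the thread or from the quoted German blog) that puts the server-management part of the procedure together and, more importantly, verifies the result. It also speaks to the error the asker reported earlier in the thread: a scope created with -ServerRestrictionFilter is a configuration scope, so it can only be attached with -CustomConfigWriteScope; attaching it with -CustomRecipientWriteScope produces the "isn't valid for the recipient write restriction" error. Every name below ("Sub Scope", "Subdomain Server Management", "Subdomain Admins", the *.sub.test.local suffix) is a placeholder to be replaced with your own values, and the script assumes it is run in the Exchange Management Shell by a member of Organization Management.

```powershell
# Added example, not from the thread or the quoted blog. All names are placeholders.
# Delegate Exchange 2010 server management for one subdomain via a server-restricted
# scope, then verify that the delegation is really limited to that scope.

$ScopeName     = "Sub Scope"                    # placeholder: name of the custom scope
$RoleGroupName = "Subdomain Server Management"  # placeholder: the delegated role group
$AdminGroup    = "Subdomain Admins"             # placeholder: AD group of subdomain admins
$FqdnPattern   = "*.sub.test.local"             # placeholder: DNS suffix of the subdomain

# 1. Configuration scope built from server FQDNs. The filter is given as a string
#    with the pattern written out literally (variables are not expanded inside
#    Exchange filter expressions).
if (-not (Get-ManagementScope -Identity $ScopeName -ErrorAction SilentlyContinue)) {
    New-ManagementScope -Name $ScopeName -ServerRestrictionFilter "Fqdn -like '*.sub.test.local'"
}

# 2. Clone the roles of the built-in group into a new group, leaving the built-in
#    (organization-wide) Server Management group untouched.
$Template = Get-RoleGroup -Identity "Server Management"
if (-not (Get-RoleGroup -Identity $RoleGroupName -ErrorAction SilentlyContinue)) {
    New-RoleGroup -Name $RoleGroupName -Roles $Template.Roles -Members $AdminGroup
}

# 3. Restrict every role assignment of the new group to the subdomain scope.
#    A server scope is a *configuration* write scope, hence -CustomConfigWriteScope
#    and not -CustomRecipientWriteScope.
Get-ManagementRoleAssignment -RoleAssignee $RoleGroupName |
    Set-ManagementRoleAssignment -CustomConfigWriteScope $ScopeName

# 4. Verification: any assignment that did not take the custom scope still grants
#    organization-wide write access and must be reviewed.
$Unscoped = Get-ManagementRoleAssignment -RoleAssignee $RoleGroupName |
    Where-Object { "$($_.CustomConfigWriteScope)" -ne $ScopeName }

if ($Unscoped) {
    Write-Warning "Assignments of '$RoleGroupName' that are NOT restricted to '$ScopeName':"
    $Unscoped | Format-Table Name, Role, ConfigWriteScope, CustomConfigWriteScope -AutoSize
} else {
    Write-Host "All assignments of '$RoleGroupName' are restricted to '$ScopeName'."
}

# 5. Who effectively holds these rights, and which servers the scope covers.
Get-ManagementRoleAssignment -RoleAssignee $RoleGroupName -GetEffectiveUsers |
    Select-Object Role, EffectiveUserName, ConfigWriteScope, CustomConfigWriteScope |
    Sort-Object EffectiveUserName, Role -Unique |
    Format-Table -AutoSize

Get-ExchangeServer |
    Where-Object { $_.Fqdn -like $FqdnPattern } |
    Select-Object Name, Fqdn
```

The verification in steps 4 and 5 is the part worth keeping in a change ticket: the asker reported that Set-ManagementRoleAssignment threw errors for some assignments while the delegation still appeared to work, and the Where-Object listing shows exactly which assignments kept their original, organization-wide write scope so they can be removed or re-scoped rather than left as an unnoticed over-grant.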

Author Closing Comment

ID: 38328967
Thank you again for the assistance on this. What is interesting is I received a lot of errors in PowerShell for the linking of the two, however the users are reporting that they can see and make the modifications they need now.

I'm marking this as the solution since it did accomplish what I needed.
