Exchange 2010 RBAC - Custom role group required to modify user's email addresses?

Posted on 2012-09-19
Last Modified: 2012-09-24
I am fairly new to Exchange 2010 RBAC; however, I do have a bit of experience working in an RBAC model.  I am tasked with delegating some permissions in Exchange to our helpdesk staff.  Specifically, I want them to be able to modify user email addresses (add/modify/delete SMTP, X400/custom addresses, etc.).

From looking at the options presented to me by the built-in role groups, I think I will need to create a custom one.  If this is the case, can somebody help me create this custom role group with just the permissions necessary to accomplish this task?  I would greatly appreciate it so I may create custom role groups for various tasks going forward.
Question by: LNKDLNY2
    Accepted Solution

    I don't have exactly what you need, but here are a few hints on how you can do it.

    First, the hierarchical organisation:
    RoleGroups (e.g. Help Desk - visible in RBAC)
      Roles (e.g. Mail Recipients - visible in RBAC; double-click the role group and click "add role")
         RoleEntries (a set of permissions for that role)

    So the way to do it would be to create a new role; you can copy an existing one that is close to what you need.
    Then you add (or remove, if it is a copy) the role entries you need.

    Then create a new role group and add your new role there, and a test user to test it.

    The role entities can be found in AD; you can use ADExplorer from Sysinternals:
    CN=Mail Recipients,CN=Roles,CN=RBAC,CN=YourOrg,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=yourdomain,DC=yourtld

    Here you find all the roles, and every role has an msExchRoleEntries property.
    This way you can see the names of the role entries.
    For changing the role entries:

    If you log on to a test machine with a test user who is assigned to your new role, you can play around until you have exactly the combination you need.

    Author Comment

    Bembi, thank you for the links.  For others that may need to do this, the process I used is as follows:

    1. Identify a current role that you may be able to use as a starting point.  From there, you will want to export a list of all entries (cmdlets) in that role:
    Get-ManagementRoleEntry '<MGMTROLE>\*'  (substitute <MGMTROLE> with the actual role you have identified)

    2. Pipe that into a CSV file.
    3. Open the CSV file and determine what entries you would like to remove.
    4. Create your custom mgmt role based on the one you identified:
    New-ManagementRole -Name <CUSTOMROLE> -Parent <MGMTROLE>

    5. Now remove the role entries from <CUSTOMROLE> that you don't need:
    (I used an array and foreach; the identity is quoted so that the angle-bracket placeholder and the backslash are not parsed by the shell)
    foreach ($Role in $RolesToRemove) { Remove-ManagementRoleEntry -Identity "<CUSTOMROLE>\$Role" }

    After that, your custom role is ready to be assigned to a role group.
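The following script is an added example that pulls the steps from both answers above into one runnable Exchange Management Shell session; it is not code from either poster. The role, role group and test user names are assumptions (the placeholder in angle brackets must be replaced with a real account). It goes one step beyond the thread: after removing the unneeded cmdlets, it also trims the parameters on each remaining Set-* entry so the helpdesk role can change addresses but not other mailbox settings that the same cmdlets expose.

```powershell
# Added example (not from the original thread). Run in the Exchange Management
# Shell on an Exchange 2010 server with an account that can manage RBAC.
# Names below are assumptions; <TESTUSER> is a placeholder for a real test account.
$ParentRole = "Mail Recipients"                 # built-in role used as the starting point
$CustomRole = "Help Desk - Email Addresses"     # assumed name for the new child role
$RoleGroup  = "Help Desk Address Admins"        # assumed name for the new role group
$TestUser   = "<TESTUSER>"                      # placeholder: a test mailbox to validate with
$CsvPath    = "C:\Temp\$($ParentRole -replace ' ','_')-entries.csv"

# Step 1/2: inventory the parent role's entries (cmdlet + allowed parameters) to a CSV
Get-ManagementRoleEntry "$ParentRole\*" |
    Select-Object Name, @{ n = 'Parameters'; e = { $_.Parameters -join ',' } } |
    Export-Csv -Path $CsvPath -NoTypeInformation

# Step 4: create the child role; it starts as a full copy of the parent's entries.
# A child role can only ever be a subset of its parent, so the only edits that
# follow are removals and parameter trims.
New-ManagementRole -Name $CustomRole -Parent $ParentRole

# Step 3/5: decide what to keep. The entries that matter for address changes are the
# ones exposing the EmailAddresses parameter; keep their Get-* counterparts too so the
# helpdesk can look recipients up. Everything else is removed from the child role.
$AddressEntries = Get-ManagementRoleEntry "$CustomRole\*" -Parameters EmailAddresses
$Keep = @($AddressEntries | ForEach-Object { $_.Name }) +
        @($AddressEntries | ForEach-Object { $_.Name -replace '^Set-', 'Get-' }) +
        @('Get-Recipient')
Get-ManagementRoleEntry "$CustomRole\*" |
    Where-Object { $Keep -notcontains $_.Name } |
    ForEach-Object {
        Remove-ManagementRoleEntry -Identity "$CustomRole\$($_.Name)" -Confirm:$false
    }

# Beyond the thread: narrow each Set-* entry to the address-related parameters only.
# Without -AddParameter/-RemoveParameter, -Parameters replaces the entry's parameter
# list, so forwarding, quotas, and other Set-Mailbox switches drop out of this role.
# The intersection with the entry's current parameters avoids naming a parameter a
# given cmdlet does not have.
$Wanted = 'Identity', 'EmailAddresses', 'PrimarySmtpAddress', 'EmailAddressPolicyEnabled'
foreach ($Entry in $AddressEntries) {
    $Params = @($Entry.Parameters | Where-Object { $Wanted -contains $_ })
    Set-ManagementRoleEntry -Identity "$CustomRole\$($Entry.Name)" -Parameters $Params
}

# Create the role group, attach the custom role, and add the test user
New-RoleGroup -Name $RoleGroup -Roles $CustomRole -Members $TestUser `
    -Description "Helpdesk: add/modify/remove recipient email addresses only"

# Review what the test user actually ended up with before rolling out to the helpdesk
Get-ManagementRoleAssignment -RoleAssignee $TestUser |
    Format-Table Role, RoleAssigneeName, AssignmentMethod -AutoSize
Get-ManagementRoleEntry "$CustomRole\*" |
    Select-Object Name, @{ n = 'Parameters'; e = { $_.Parameters -join ',' } } |
    Format-Table -AutoSize
```

Two checks are worth doing with the test account before handing the group to the helpdesk: confirm that `Set-Mailbox -Identity <someone> -EmailAddresses @{Add='smtp:alias@yourdomain'}` succeeds, and that the same session cannot run `Set-Mailbox` with a parameter that was trimmed (for example a forwarding setting), which is the whole point of reducing the entry rather than assigning the parent role as-is.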
