
Exchange 2010 RBAC - Custom role group required to modify user's email addresses?

I am fairly new to Exchange 2010 RBAC; however, I do have a bit of experience working in an RBAC model.  I am tasked with delegating some permissions in Exchange to our helpdesk staff.  Specifically, I want them to be able to modify user email addresses (add/modify/delete SMTP, X400/custom addresses, etc.).

From looking at the options presented to me by the built-in role groups, I think I will need to create a custom one.  If this is the case, can somebody help me create this custom role group with just the permissions necessary to accomplish this task?  I would greatly appreciate it so I may create custom role groups for various tasks going forward.
1 Solution
I don't have the exact way for your needs, just a few hints on how you can do it.

First, the hierarchical organisation:
RoleGroups (i.e. Help Desk - visible in RBAC)
  Roles (i.e. Mail Recipients - visible in RBAC; double click the role group and click add role)
     RoleEntries (a set of permissions for that role)

So the way would be to create a new role; you can copy an existing one which is near your need.
You add (or remove, if it is a copy) the role entries you need.
See: http://technet.microsoft.com/en-us/library/dd351214.aspx

Then create a new role group and add your new role there, and a test user to test it.

The role entities can be found in AD; you can use ADExplorer from Sysinternals:
CN=Mail Recipients,CN=Roles,CN=RBAC,CN=YourOrg,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=yourdomain,DC=yourtld

Here you find all the roles, and every role has a msExchRoleEntries property.
This way you can see the names of the role entries.
For changing the role entries:

If you log on to a test machine with a test user which is assigned to your new role, you can play around until you have exactly the combination you need.
LNKDLNY2 (Author) commented:
Bembi, thank you for the links.  For others that may need to do this, the process I used is as follows:

1. Identify a current role that you may be able to use as a starting point.  From there, you will want to export a list of all entries (cmdlets) in that role:
Get-ManagementRoleEntry '<MGMTROLE>\*'
(substitute <MGMTROLE> with the actual role you have identified)

2. Pipe that into a CSV file.
3. Open the CSV file and determine what entries you would like to remove.
4. Create your custom mgmt role based on the one you identified:
New-ManagementRole -Name <CUSTOMROLE> -Parent <MGMTROLE>

5. Now remove the roles from <CUSTOMROLE> that you don't need:
(I used an array and foreach; the identity must be quoted with double quotes so that $Role expands inside the "<CUSTOMROLE>\$Role" string)
foreach ($Role in $RolesToRemove) { Remove-ManagementRoleEntry "<CUSTOMROLE>\$Role" }

After that, your custom role is ready to be assigned to a role group.
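The five steps above carried through as one script, as an added example that is not the poster's or Microsoft's own code. It assumes it is run in the Exchange Management Shell by an Organization Management member, that the role, role group and test user names are placeholders to be replaced, and that the allowlisted cmdlets exist as entries in the "Mail Recipients" parent role; it goes one step further than the post by also trimming the Set-* entries down to the address-related parameters.

```powershell
# Added example (not the poster's code). Builds a least-privilege custom role
# from "Mail Recipients" that only allows editing e-mail addresses, then assigns
# it through a new role group. Run in the Exchange Management Shell.
$ParentRole = "Mail Recipients"
$CustomRole = "Help Desk - Email Addresses"      # placeholder name
$RoleGroup  = "Help Desk Email Address Admins"   # placeholder name
$TestUser   = "hd.testuser"                      # placeholder test account

# Allowlist of role entries to keep. The Get-* entries stay because Set-* (and
# the EMC) need them to resolve recipients; everything else is removed.
$AllowedCmdlets = @("Get-Recipient", "Get-Mailbox", "Set-Mailbox",
                    "Get-MailUser", "Set-MailUser")

# Step 1-3: snapshot the parent's entries to CSV for review and rollback.
Get-ManagementRoleEntry "$ParentRole\*" |
    Select-Object Name, Parameters |
    Export-Csv -Path ".\$($ParentRole -replace ' ', '_')-entries.csv" -NoTypeInformation

# Step 4: derive the child role; it starts with every entry of its parent.
if (-not (Get-ManagementRole -Identity $CustomRole -ErrorAction SilentlyContinue)) {
    New-ManagementRole -Name $CustomRole -Parent $ParentRole | Out-Null
}

# Step 5: remove every entry not on the allowlist. A child role can only lose
# entries relative to its parent, never gain them, so allowlisting is safe.
Get-ManagementRoleEntry "$CustomRole\*" |
    Where-Object { $AllowedCmdlets -notcontains $_.Name } |
    ForEach-Object { Remove-ManagementRoleEntry "$CustomRole\$($_.Name)" -Confirm:$false }

# Extra hardening: restrict the surviving Set-* entries to address parameters so
# the role cannot be used to change forwarding, quotas, etc. -Parameters replaces
# the entry's whole parameter list with exactly this set.
$AddressParams = "Identity", "EmailAddresses", "PrimarySmtpAddress", "EmailAddressPolicyEnabled"
foreach ($Cmdlet in "Set-Mailbox", "Set-MailUser") {
    if (Get-ManagementRoleEntry "$CustomRole\$Cmdlet" -ErrorAction SilentlyContinue) {
        Set-ManagementRoleEntry "$CustomRole\$Cmdlet" -Parameters $AddressParams
    }
}

# Assign the role through a new role group with the test user as first member.
if (-not (Get-RoleGroup -Identity $RoleGroup -ErrorAction SilentlyContinue)) {
    New-RoleGroup -Name $RoleGroup -Roles $CustomRole -Members $TestUser | Out-Null
}

# Verify: what the role still permits, and who holds it.
Get-ManagementRoleEntry "$CustomRole\*" | Format-Table Name, Parameters -AutoSize
Get-ManagementRoleAssignment -Role $CustomRole | Format-Table RoleAssigneeName, RoleAssigneeType -AutoSize
```

Log on as the test user afterwards and confirm that Set-Mailbox accepts -EmailAddresses but rejects unrelated parameters before adding real helpdesk members to the group.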
