• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 369
  • Last Modified:

Is this possible using RBAC?

Not all that familiar with RBAC. Trying to learn but the terminology is confusing. I want to create a Role Group using Recipient Management as a template but I want to try and remove the ability for members of this new group to be able to adjust the mailbox limits of a mailbox. This is the only restriction the group member should have when managing the recipient. If it is possible, how would I go about doing that?
0
osiexchange
Asked:
osiexchange
  • 2
1 Solution
 
Adam BrownSr Solutions ArchitectCommented:
You would create a new Management Role Group to hold the Role Entries you need. From there, you would create a Management role entry for the Role Group that includes the set-mailbox cmdlet with the parameters you want them to use. You would then copy the remaining role entries from the Recipient Management Role Group to the Role group you created. Then the Management Role Group is assigned to a Group as a Management Role Assignment.

http://technet.microsoft.com/en-us/library/dd335180.aspx Has info on creating management role entries. A management role entry basically sets the powershell cmdlet and parameters for the cmdlet that a user who has the management role assigned to them can use. http://technet.microsoft.com/en-us/library/bb123981%28v=exchg.141%29.aspx has info on the set-mailbox cmdlet and parameters that can be used with it. If you add all the entries for set-mailbox that you want them to be able to use, you can limit what they do because what you don't include won't be accessible to them. You can do this for any powershell cmdlet that is available for Exchange. Each role entry controls a single Powershell Cmdlet, and they are added to role groups. The role groups are assigned to role members.
0
 
osiexchangeAuthor Commented:
Thanks for all that info. One thing I don't understand is

"Then the Management Role Group is assigned to a Group as a Management Role Assignment."

Does this mean you are just adding a security group in AD to the Management Role Group?
0
 
Adam BrownSr Solutions ArchitectCommented:
Yes. You would assign the management role group to an AD group or user. They call that the Management Role Assignment.
0

Featured Post

Creating Active Directory Users from a Text File

If your organization has a need to mass-create AD user accounts, watch this video to see how its done without the need for scripting or other unnecessary complexities.

  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now