?
Solved

Create custom RBAC roles in Exchange 2010

Posted on 2013-11-11
1
Medium Priority
?
365 Views
Last Modified: 2013-11-27
I have a domain admin user that I would like to designate to have the ability to mailbox enable a user in Exchange, choose which database the mailbox will go to, and the ability to modify SMTP addresses and Exchange custom attributes.  

I have assigned this user the Help Desk management role group, which shows as having the assigned roles of User Options and View-Only Recipients.  

I have also created a custom role group and assigned the roles of Mail Recipient Creation and Mail Recipients roles to this user.

I have installed the Exchange Management Console on the users computer, however when I go to verify the proper privileges, it appears that the user has many more privileges than the ones I have assigned, including, and most concerning the ability to Remove mailboxes from the EMC with the rights assigned.

Where is this allowed privilege being applied, and how can I check? Also, how can I remove or modify my privileges so it only includes the abilities I mentioned in the first sentence.

My primary goal is to make sure the user does not have the ability to remove or delete existing mailboxes.

Thank you in advance.
0
Comment
Question by:fireguy1125
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
1 Comment
 
LVL 63

Accepted Solution

by:
Simon Butler (Sembee) earned 2000 total points
ID: 39641225
If they are a domain admin then they probably have more permissions that you expect. Most permissive wins, that means if a user is a member of a group that has higher permissions, that is what permissions they get. You need to look at the permission structure and probably remove their domain admin rights.

Simon.
0

Featured Post

Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In-place Upgrading Dirsync to Azure AD Connect
After hours on line I found a solution which pointed to the inherited Active Directory permissions . You have to give/allow permissions to the "Exchange trusted subsystem" for the user in the Active Directory...
To show how to generate a certificate request in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.:  First we need to log into the Exchange Admin Center. Navigate to the Servers >> Certificates…
A short tutorial showing how to set up an email signature in Outlook on the Web (previously known as OWA). For free email signatures designs, visit https://www.mail-signatures.com/articles/signature-templates/?sts=6651 If you want to manage em…
Suggested Courses
Course of the Month10 days, 8 hours left to enroll

765 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question