Link to home
Start Free TrialLog in
Avatar of Pau Lo
Pau Lo

asked on

user permissions in 2010

I know exchange 2010 comes with predefined roles (which are AD groups, i.e. organisation management) to assign admins permissions over the exchange server for admin/support. But is it possible to add users directly to elements of exchange outside of these predefined roles/groups. Ie can you be sure the only people with access across your exchange environment are those with memebership to the default groups, or if not, how would you determine which users have access to what within your exchange environment? where would you look?

I am quite familiar with the security model for other MS server apps like SQL Server, and again there are roles which you can add users to, but you dont have to. I wasnt sure where to start with seeing which local/domain accounts have access to what over the exchange environemtn.
ASKER CERTIFIED SOLUTION
Avatar of Adam Brown
Adam Brown
Flag of United States of America image

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Avatar of Pau Lo
Pau Lo

ASKER

one thing that confused me though was when I got a list of users with access to those default exchange AD related groups, there was no membership! So it didnt quite make sense, and I assumed there must be another way of adding domain groups (or local users and groups) to have access to manage exchange. so there must be an additional way to assign permissions above and beyond adding them to the default roles/groups.
There is. It's done through powershell. There are a number of Administrative roles assigned to the default groups and members of those groups get those role permissions automatically, but the roles can also be directly assigned to individual users with the use of the add-rolemember cmdlet in Powershell.
Avatar of Pau Lo

ASKER

ah! any useful commands/shell commands that could give some clues and reporting on users added permissions via the powershell method?
http://technet.microsoft.com/en-us/library/dd297953%28v=exchg.150%29.aspx has all of the cmdlets involved in handling the RBAC system.
Avatar of Pau Lo

ASKER

presumably Get-RoleGroupMember would be a good starting point?

I assume for the -identity switch you are listing the "roles" discussed in the link above?

i.e. get-rolegroupmember "help desk"..
What you can do, to get a list of all role groups and their members is run
get-rolegroup | get-rolegroupmember

The output would be a little weird, though. Running get-rolegroup will allow you to see what roles exist, then running get-rolegroupmember <groupname> will report on which users are part of that group.
Avatar of Pau Lo

ASKER

and can you run these from the exchange management shell, or just plain powershell (do you need to install anything additional)...
You run them from the exchange management shell.
Avatar of Pau Lo

ASKER

Thanks for your help, very interesting...

to conclude, is there any reason why you would add users permissions via the powershell technique as opposed to just dropping them into the default exchange groups in ADUC? Seems a bit uneccesarily complex.
For most people, just using the default groups is sufficient. However, there are situations where there are regulatory requirements that require a more granular approach to assigning permissions (It's more for government and high security environments). The RBAC system allows that.