Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

user permissions in 2010

Posted on 2014-01-14
11
Medium Priority
?
201 Views
Last Modified: 2014-01-14
I know exchange 2010 comes with predefined roles (which are AD groups, i.e. organisation management) to assign admins permissions over the exchange server for admin/support. But is it possible to add users directly to elements of exchange outside of these predefined roles/groups. Ie can you be sure the only people with access across your exchange environment are those with memebership to the default groups, or if not, how would you determine which users have access to what within your exchange environment? where would you look?

I am quite familiar with the security model for other MS server apps like SQL Server, and again there are roles which you can add users to, but you dont have to. I wasnt sure where to start with seeing which local/domain accounts have access to what over the exchange environemtn.
0
Comment
Question by:pma111
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 6
  • 5
11 Comments
 
LVL 42

Accepted Solution

by:
Adam Brown earned 2000 total points
ID: 39779686
Exchange 2010 implemented a new security system that utilizes Role Based Access control to assign permissions. It works by bundling powershell cmdlets that admins have access to and assigning roles to groups that you can then place users in those groups. It's a fairly complex system that's tricky to work with and explain, http://www.msexchange.org/articles-tutorials/exchange-server-2010/management-administration/exchange-2010-role-based-access-control-part1.html should give you a good start, though.
0
 
LVL 3

Author Comment

by:pma111
ID: 39779700
one thing that confused me though was when I got a list of users with access to those default exchange AD related groups, there was no membership! So it didnt quite make sense, and I assumed there must be another way of adding domain groups (or local users and groups) to have access to manage exchange. so there must be an additional way to assign permissions above and beyond adding them to the default roles/groups.
0
 
LVL 42

Expert Comment

by:Adam Brown
ID: 39779712
There is. It's done through powershell. There are a number of Administrative roles assigned to the default groups and members of those groups get those role permissions automatically, but the roles can also be directly assigned to individual users with the use of the add-rolemember cmdlet in Powershell.
0
Complete VMware vSphere® ESX(i) & Hyper-V Backup

Capture your entire system, including the host, with patented disk imaging integrated with VMware VADP / Microsoft VSS and RCT. RTOs is as low as 15 seconds with Acronis Active Restore™. You can enjoy unlimited P2V/V2V migrations from any source (even from a different hypervisor)

 
LVL 3

Author Comment

by:pma111
ID: 39779739
ah! any useful commands/shell commands that could give some clues and reporting on users added permissions via the powershell method?
0
 
LVL 42

Expert Comment

by:Adam Brown
ID: 39779753
http://technet.microsoft.com/en-us/library/dd297953%28v=exchg.150%29.aspx has all of the cmdlets involved in handling the RBAC system.
0
 
LVL 3

Author Comment

by:pma111
ID: 39779770
presumably Get-RoleGroupMember would be a good starting point?

I assume for the -identity switch you are listing the "roles" discussed in the link above?

i.e. get-rolegroupmember "help desk"..
0
 
LVL 42

Expert Comment

by:Adam Brown
ID: 39779789
What you can do, to get a list of all role groups and their members is run
get-rolegroup | get-rolegroupmember

The output would be a little weird, though. Running get-rolegroup will allow you to see what roles exist, then running get-rolegroupmember <groupname> will report on which users are part of that group.
0
 
LVL 3

Author Comment

by:pma111
ID: 39779793
and can you run these from the exchange management shell, or just plain powershell (do you need to install anything additional)...
0
 
LVL 42

Expert Comment

by:Adam Brown
ID: 39779805
You run them from the exchange management shell.
0
 
LVL 3

Author Comment

by:pma111
ID: 39779816
Thanks for your help, very interesting...

to conclude, is there any reason why you would add users permissions via the powershell technique as opposed to just dropping them into the default exchange groups in ADUC? Seems a bit uneccesarily complex.
0
 
LVL 42

Expert Comment

by:Adam Brown
ID: 39779933
For most people, just using the default groups is sufficient. However, there are situations where there are regulatory requirements that require a more granular approach to assigning permissions (It's more for government and high security environments). The RBAC system allows that.
0

Featured Post

Three Reasons Why Backup is Strategic

Backup is strategic to your business because your data is strategic to your business. Without backup, your business will fail. This white paper explains why it is vital for you to design and immediately execute a backup strategy to protect 100 percent of your data.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Unified and professional email signatures help maintain a consistent company brand image to the outside world. This article shows how to create an email signature in Exchange Server 2010 using a transport rule and how to overcome native limitations …
This article will help to fix the below error for MS Exchange server 2010 I. Out Of office not working II. Certificate error "name on the security certificate is invalid or does not match the name of the site" III. Make Internal URLs and External…
Internet Business Fax to Email Made Easy - With eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, fr…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …
Suggested Courses

688 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question