Solved

Exchange 2013 permissions for Powershell

Posted on 2015-01-27
Last Modified: 2015-02-09
I have some Help Desk users that need to run Powershell commands to query Exchange server for different information.

First, I would like to know if they can import Exchange modules into the Windows PowerShell console, seeing that they do not have the Exchange PowerShell console installed on their computers, though I believe they can download it from the internet.

Second, I need Help Desk users to run only PowerShell commands that retrieve information, such as commands that start with GET.

Any help will be very much appreciated.

Thank you
0
Question by:jskfan
8 Comments
 
LVL 19

Assisted Solution

by:suriyaehnop
suriyaehnop earned 125 total points
ID: 40574302
You can install Exchange PowerShell using the Exchange 2013 installer. While running the wizard, choose Management console only.

https://technet.microsoft.com/en-us/library/bb232090%28v=exchg.150%29.aspx

You need to add the Helpdesk user to the Recipient Management group.

https://technet.microsoft.com/en-us/library/dd638105(v=exchg.150).aspx
0
 

Author Comment

by:jskfan
ID: 40574331
The Recipient Management group can use PowerShell commands to get statistics, but I am afraid they can also accidentally run commands that make changes ...
I want them to run commands just for statistics purposes.
0
 
LVL 5

Assisted Solution

by:Dejan Vasiljevic
Dejan Vasiljevic earned 125 total points
ID: 40574379
Hi jskfan,

You can create a group in AD. Since you already have a group (Help desk users), you can give them rights for PowerShell in GPO. So you can in theory create 2 groups: one with rights to use SET/REMOVE and one to use GET only, and in GPO for the first one set rights for PowerShell to set/remove, and the same thing for the other one. You will restrict PowerShell usage to one or more group(s).

Thanks,
D.
0
 
LVL 12

Accepted Solution

by:
Vaseem Mohammed earned 125 total points
ID: 40574584
Browse to ECP, under "Permissions / admin roles" you will find "Help Desk"
Edit it and add the group/users who shall have permissions to run "Get-*" cmdlets.
OR
Create a new "Admin Role" and assign "View-Only Recipients" and add the group/users to
Install Management tools on Help desk computer. Run "Exchange management shell" and cross check it.

For more granular control on which cmdlets they can run, check RBAC.
0
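The RBAC route mentioned in the answer above, as an added example that is not part of the original thread: it derives a custom role from the built-in "View-Only Recipients" role, strips every role entry that is not a Get-* cmdlet, and assigns the result through a role group. The role name, role group name and member account are hypothetical placeholders; run it in the Exchange Management Shell with rights to manage roles.

```powershell
# Added example (not from the thread). All names below are hypothetical.
$roleName  = 'HelpDesk Get-Only Recipients'   # custom role to create
$groupName = 'HelpDesk-ReadOnly'              # role group to create
$members   = @('helpdesk1')                   # placeholder help desk account

# 1. A child role inherits its entries from the built-in parent role.
New-ManagementRole -Name $roleName -Parent 'View-Only Recipients'

# 2. Remove every entry whose cmdlet name does not start with Get-.
Get-ManagementRoleEntry "$roleName\*" |
    Where-Object { $_.Name -notlike 'Get-*' } |
    ForEach-Object {
        Remove-ManagementRoleEntry -Identity "$roleName\$($_.Name)" -Confirm:$false
    }

# 3. Create the role group that carries only the trimmed role.
New-RoleGroup -Name $groupName -Roles $roleName -Members $members

# 4. Check: no non-Get entries are left in the custom role.
$leftover = Get-ManagementRoleEntry "$roleName\*" |
    Where-Object { $_.Name -notlike 'Get-*' }
if ($leftover) {
    Write-Warning "Non-Get entries remain: $($leftover.Name -join ', ')"
}

# 5. Check: the members are not also in a role group with write access,
#    which would override the read-only intent.
$writers = Get-RoleGroupMember -Identity 'Recipient Management'
foreach ($m in $members) {
    if ($writers.Name -contains $m) {
        Write-Warning "$m is also a member of Recipient Management"
    }
}

# 6. Show what the new role group is actually assigned.
Get-ManagementRoleAssignment -RoleAssignee $groupName |
    Format-Table Name, Role, RoleAssigneeName -AutoSize
```

Management role assignments are additive, so the check in step 5 matters: an account that sits in both groups keeps every cmdlet granted by either one.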
 
LVL 5

Assisted Solution

by:Hello World
Hello World earned 125 total points
ID: 40575334
Hi,

We can run Set-User alias -RemotePowerShellEnabled $True to enable remote shell for Exchange 2013. Meanwhile, we can assign some role to this user with RBAC.
More details about the Exchange Management Shell, for your reference:
https://technet.microsoft.com/en-us/library/bb123778(v=exchg.150).aspx
0
 

Author Comment

by:jskfan
ID: 40576348
Vaseem Mohammed

I believe that makes sense; "View Only Recipients" may prevent help desk users from making any changes.

Dejan Vasiljevic
Do you have a link to GPO settings that can allow a user or group to just use GET?
0
 
LVL 5

Expert Comment

by:Dejan Vasiljevic
ID: 40576399
@jskfan,

No, I don't, but I know that you can restrict PowerShell execution with GPO; just open GPO management and go to powershell config\policies\administrative templates and etc. Maybe there is an option for commands that could be used in PowerShell and you can restrict it for a user/group of users. Or at least you can create your own.

It may be different from server to server, but it is all similar...

Thanks,
D.
0
 

Author Closing Comment

by:jskfan
ID: 40599764
Thank you Guys
0
