• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 149
  • Last Modified:

Exchange 2013 permissions for Powershell

I have some Help Desk users that need to run Powershell commands to query Exchange server for different information.

First I would like to know if they can import Exchange modules to Windows Powershell console, seeing that they do not have Exchange Powershell console installed in their computers, though I believe they can download it from internet.

Second, I need Help Desk users to run just Powershell commands that retrieve information such as commands that start with GET.

Any help will be very much appreciated.

Thank you
4 Solutions
You can install Exchange Powershell using Exchange 2013 installer. While running wizard choose Managament console only.


You need to you add Helpdeks user to Recipient Managament group.

jskfanAuthor Commented:
Recipient Management group, can use Powershell commands to get statistics but I am afraid they can also accidentally run commands that make change ...
I want them to run commands just for statistics purposes
Dejan VasiljevicSys Admin and ProgrammerCommented:
Hi jskfan,

You can create group in AD. Since You already have group (Help desk users) You can give them rights for powershell in GPO. So You can in theory create 2 groups. One with rights to use SET/REMOVE and one to use GET only, and in GPO for first one set rights for powershell to set/remove and same thing for the other one. You will restrict powershell usage to one or more group(s).

Easily Design & Build Your Next Website

Squarespace’s all-in-one platform gives you everything you need to express yourself creatively online, whether it is with a domain, website, or online store. Get started with your free trial today, and when ready, take 10% off your first purchase with offer code 'EXPERTS'.

Vaseem MohammedCommented:
Browse to ECP, under "Permissions / admin roles" you will find "Help Desk"
Edit it and add the group/users who shall have permissions to run "Get-*" cmdlets.
Create a new "Admin Role" and assign "View-Only Recipients" and add the group/users to
Install Management tools on Help desk computer. Run "Exchange management shell" and cross check it.

For more granular control on which cmdlets they can run, check RBAC.
Hello WorldCommented:

We can run Set-User alias -RemotePowerShellEnabled $True to enable remote shell for Exchange 2013.Meanwhile, we can assign some role for this user with RBAC.
More details about Exchange Management Shell, for your reference:
jskfanAuthor Commented:
Vaseem Mohammed

I believe that makes sense "View Only Recipients", may prevent help desk users from doing any change.

Dejan Vasiljevic
 Do you have a link to GPO settings that can allow a user or group to just user GET
Dejan VasiljevicSys Admin and ProgrammerCommented:

No I don't, but i know that You can restrict PowerShell Execution with GPO, just open GPO menagment and go to powershell config\policies\administrative templates and etc. Maybe there is an option for commands that could be used in Powershell and You can restrict it for user/ group of users. Or at last You can create Your own.

It may be different from server to server but it is all similar...

jskfanAuthor Commented:
Thank you Guys
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now