?
Solved

Exchange server Role groups permissions

Posted on 2015-01-28
4
Medium Priority
?
99 Views
Last Modified: 2015-02-07
Exchange server 2010/2013 have Role groups, you can just assign AD users or groups to those roles and they will be able to do whatever is permitted to that role.
However I believe sometimes, you can assign an AD group ,for instance GroupA to Exchange RoleX so that the groupA can do whatever permitted by the roleX, then assign another AD GroupB to the same Exchange RoleX, but with less permissions than what groupA can.

Let's take Help Desk role as example, you can put users in the same role, but you can restrict some users from doing some task that other user in the same role can do.

I have read that on MS link, but the link does not show how to be granular in permissions.

Any help will be very much appreciated.

Thanks
0
Comment
Question by:jskfan
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
4 Comments
 
LVL 53

Assisted Solution

by:Will Szymkowski
Will Szymkowski earned 2000 total points
ID: 40576497
Ultimately Active Directory permissions superseed the Exchange permissions. So can this be done, yes. However I would not be using AD / Exchange to mix up permissions like this. Use Exchange Permissions (role groups) to assign permissions. When you start mixing and matching it can get very confusing and where you don't see Exchange  permisisons but users still have access to things they should its because AD permissions are in place.

This makes it very hard to troubleshoot and overall management can be a nightmare. Use Exchagne permissions for Exchange and AD permissions for Active Directory.

Will.
0
 

Author Comment

by:jskfan
ID: 40581497
If in understand what you are saying, is in order to be granular with Exchange Role permissions we need to use AD Security permissions, Though it is not desirable. Correct ?
0
 
LVL 53

Accepted Solution

by:
Will Szymkowski earned 2000 total points
ID: 40581590
In earlier versions of Exchange you need to configure Active Directory permissions on the objects in order to do specific things i.e. (send as). In Exchange 2007 the level of permissions changed where you could do most of permission changes from the EMC. The downfall with permissions in Exchange 2007 is that there were only Org Admins, Recipient Admins, Public Folder Admins and View Only Admins. This was tough because if you needed to give a user access to simply modify permisisons on mailboxes you had to provide Recipient Admin role. That role can also create accounts modify distribution groups etc.

In Exchange 2010 you have RBAC which allows you to have more granularity  in what you want your users accessing.

Role Base Access Control Tutorial

Will.
0
 

Author Closing Comment

by:jskfan
ID: 40596396
Thanks
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In this article I discuss my selections of the Top Four free Outlook OST File Viewers available. Open, view and read even damaged OST files by using these tools. They all provide a clear preview of all data such as emails, notes, tasks, calendars, e…
Here in this article, you will get a step by step guidance on how to restore an Exchange database to a recovery database. Get a brief on Recovery Database and how it can be used to restore Exchange database in this section!
In this Micro Video tutorial you will learn the basics about Database Availability Groups and How to configure one using a live Exchange Server Environment. The video tutorial explains the basics of the Exchange server Database Availability grou…
Many of my clients call in with monstrous Gmail overloading issues with Outlook. A quick tip is to turn off the All Mail and Important folders from synching. Here is a quick video I made to show you how to turn off these and other folders in Gmail s…
Suggested Courses

650 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question