  • Status: Solved

Exchange server Role groups permissions

Exchange Server 2010/2013 has role groups; you can just assign AD users or groups to those roles and they will be able to do whatever is permitted to that role.
However, I believe sometimes you can assign an AD group, for instance GroupA, to Exchange RoleX so that GroupA can do whatever is permitted by RoleX, then assign another AD group, GroupB, to the same Exchange RoleX, but with fewer permissions than GroupA has.

Let's take the Help Desk role as an example: you can put users in the same role, but you can restrict some users from doing some tasks that other users in the same role can do.

I have read that on an MS link, but the link does not show how to be granular in permissions.

Any help will be very much appreciated.

Thanks
Asked by: jskfan
 
Will Szymkowski, Senior Solution Architect, commented:
Ultimately Active Directory permissions supersede the Exchange permissions. So can this be done, yes. However I would not be using AD / Exchange to mix up permissions like this. Use Exchange permissions (role groups) to assign permissions. When you start mixing and matching it can get very confusing, and where you don't see Exchange permissions but users still have access to things they should, it's because AD permissions are in place.

This makes it very hard to troubleshoot and overall management can be a nightmare. Use Exchange permissions for Exchange and AD permissions for Active Directory.

Will.
 
jskfan (Author) commented:
If I understand what you are saying, in order to be granular with Exchange role permissions we need to use AD security permissions, though it is not desirable. Correct?
 
Will Szymkowski, Senior Solution Architect, commented:
In earlier versions of Exchange you needed to configure Active Directory permissions on the objects in order to do specific things, i.e. (Send As). In Exchange 2007 the level of permissions changed, where you could do most of the permission changes from the EMC. The downfall with permissions in Exchange 2007 is that there were only Org Admins, Recipient Admins, Public Folder Admins and View Only Admins. This was tough because if you needed to give a user access to simply modify permissions on mailboxes you had to provide the Recipient Admin role. That role can also create accounts, modify distribution groups, etc.

In Exchange 2010 you have RBAC, which allows you to have more granularity in what you want your users accessing.

Role Base Access Control Tutorial

Will.
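The RBAC approach described in the answer above, as an added example that is not part of the original thread: GroupA gets the full built-in recipient role through an existing role group, while GroupB gets a trimmed child of the same role, limited to one OU. The custom role name, the role group name, GroupA/GroupB and the OU path are hypothetical placeholders, and both AD groups are assumed to be universal security groups.

```powershell
# Run in the Exchange Management Shell (Exchange 2010/2013) with rights to manage RBAC,
# e.g. as a member of Organization Management.
# Hypothetical names: the custom role, the role group, GroupA, GroupB and the OU.

$parentRole = 'Mail Recipients'               # built-in management role
$childRole  = 'Help Desk Limited Recipients'  # hypothetical custom role
$roleGroup  = 'Help Desk Tier 1'              # hypothetical role group
$keep       = 'Get-*', 'Set-Mailbox'          # allow-list of cmdlets GroupB may run

# 1. GroupA keeps the full parent role through the built-in role group.
Add-RoleGroupMember -Identity 'Recipient Management' -Member 'GroupA'

# 2. A child role starts with every entry of its parent and can only be trimmed down.
New-ManagementRole -Name $childRole -Parent $parentRole

# 3. Remove every role entry (cmdlet) that does not match the allow-list.
Get-ManagementRoleEntry "$childRole\*" |
    Where-Object { $name = $_.Name; -not ($keep | Where-Object { $name -like $_ }) } |
    Remove-ManagementRoleEntry -Confirm:$false

# 4. Create a role group that holds only the trimmed role, with GroupB as its member,
#    and restrict the recipients it can modify to a single OU.
New-RoleGroup -Name $roleGroup -Roles $childRole -Members 'GroupB' `
    -RecipientOrganizationalUnitScope 'contoso.com/Branch Users'

# 5. Review the result: remaining cmdlets, the write scope, and who ends up with the role.
Get-ManagementRoleEntry "$childRole\*" | Select-Object Name

Get-ManagementRoleAssignment -RoleAssignee $roleGroup |
    Format-Table Role, RecipientWriteScope, CustomRecipientWriteScope -AutoSize

Get-ManagementRoleAssignment -Role $childRole -GetEffectiveUsers |
    Format-Table EffectiveUserName, RoleAssigneeName -AutoSize
```

Step 5 only reports what RBAC grants; permissions set directly on objects in Active Directory, as discussed in the first answer, do not appear in this output and have to be reviewed separately.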
 
jskfan (Author) commented:
Thanks