Solved

Exchange server Role groups permissions

Posted on 2015-01-28
4
90 Views
Last Modified: 2015-02-07
Exchange server 2010/2013 have Role groups, you can just assign AD users or groups to those roles and they will be able to do whatever is permitted to that role.
However I believe sometimes, you can assign an AD group ,for instance GroupA to Exchange RoleX so that the groupA can do whatever permitted by the roleX, then assign another AD GroupB to the same Exchange RoleX, but with less permissions than what groupA can.

Let's take Help Desk role as example, you can put users in the same role, but you can restrict some users from doing some task that other user in the same role can do.

I have read that on MS link, but the link does not show how to be granular in permissions.

Any help will be very much appreciated.

Thanks
0
Comment
Question by:jskfan
  • 2
  • 2
4 Comments
 
LVL 53

Assisted Solution

by:Will Szymkowski
Will Szymkowski earned 500 total points
ID: 40576497
Ultimately Active Directory permissions superseed the Exchange permissions. So can this be done, yes. However I would not be using AD / Exchange to mix up permissions like this. Use Exchange Permissions (role groups) to assign permissions. When you start mixing and matching it can get very confusing and where you don't see Exchange  permisisons but users still have access to things they should its because AD permissions are in place.

This makes it very hard to troubleshoot and overall management can be a nightmare. Use Exchagne permissions for Exchange and AD permissions for Active Directory.

Will.
0
 

Author Comment

by:jskfan
ID: 40581497
If in understand what you are saying, is in order to be granular with Exchange Role permissions we need to use AD Security permissions, Though it is not desirable. Correct ?
0
 
LVL 53

Accepted Solution

by:
Will Szymkowski earned 500 total points
ID: 40581590
In earlier versions of Exchange you need to configure Active Directory permissions on the objects in order to do specific things i.e. (send as). In Exchange 2007 the level of permissions changed where you could do most of permission changes from the EMC. The downfall with permissions in Exchange 2007 is that there were only Org Admins, Recipient Admins, Public Folder Admins and View Only Admins. This was tough because if you needed to give a user access to simply modify permisisons on mailboxes you had to provide Recipient Admin role. That role can also create accounts modify distribution groups etc.

In Exchange 2010 you have RBAC which allows you to have more granularity  in what you want your users accessing.

Role Base Access Control Tutorial

Will.
0
 

Author Closing Comment

by:jskfan
ID: 40596396
Thanks
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Following basic email etiquette rules will help you write a professional email and achieve a good, lasting impression with your contacts.
This article explains in simple steps how to renew expiring Exchange Server Internal Transport Certificate.
In this video we show how to create a Resource Mailbox in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: Navigate to the Recipients >> Resources tab.: "Recipients" is our default selection …
To show how to create a transport rule in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Mail Flow >> Rules tab.:  To cr…

910 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now