Solved

Exchange server Role groups permissions

Posted on 2015-01-28
4
89 Views
Last Modified: 2015-02-07
Exchange server 2010/2013 have Role groups, you can just assign AD users or groups to those roles and they will be able to do whatever is permitted to that role.
However I believe sometimes, you can assign an AD group ,for instance GroupA to Exchange RoleX so that the groupA can do whatever permitted by the roleX, then assign another AD GroupB to the same Exchange RoleX, but with less permissions than what groupA can.

Let's take Help Desk role as example, you can put users in the same role, but you can restrict some users from doing some task that other user in the same role can do.

I have read that on MS link, but the link does not show how to be granular in permissions.

Any help will be very much appreciated.

Thanks
0
Comment
Question by:jskfan
  • 2
  • 2
4 Comments
 
LVL 53

Assisted Solution

by:Will Szymkowski
Will Szymkowski earned 500 total points
ID: 40576497
Ultimately Active Directory permissions superseed the Exchange permissions. So can this be done, yes. However I would not be using AD / Exchange to mix up permissions like this. Use Exchange Permissions (role groups) to assign permissions. When you start mixing and matching it can get very confusing and where you don't see Exchange  permisisons but users still have access to things they should its because AD permissions are in place.

This makes it very hard to troubleshoot and overall management can be a nightmare. Use Exchagne permissions for Exchange and AD permissions for Active Directory.

Will.
0
 

Author Comment

by:jskfan
ID: 40581497
If in understand what you are saying, is in order to be granular with Exchange Role permissions we need to use AD Security permissions, Though it is not desirable. Correct ?
0
 
LVL 53

Accepted Solution

by:
Will Szymkowski earned 500 total points
ID: 40581590
In earlier versions of Exchange you need to configure Active Directory permissions on the objects in order to do specific things i.e. (send as). In Exchange 2007 the level of permissions changed where you could do most of permission changes from the EMC. The downfall with permissions in Exchange 2007 is that there were only Org Admins, Recipient Admins, Public Folder Admins and View Only Admins. This was tough because if you needed to give a user access to simply modify permisisons on mailboxes you had to provide Recipient Admin role. That role can also create accounts modify distribution groups etc.

In Exchange 2010 you have RBAC which allows you to have more granularity  in what you want your users accessing.

Role Base Access Control Tutorial

Will.
0
 

Author Closing Comment

by:jskfan
ID: 40596396
Thanks
0

Featured Post

Integrate social media with email signatures

Is your company active on social media? Do you also use email signatures? Including social media icons in your email signature is a great way to get fans for free. Let all your email users know you’re on social media quickly and easily, in a single click.

Join & Write a Comment

Not sure what the best email signature size is? Are you worried about email signature image size? Follow this best practice guide.
Local Continuous Replication is a cost effective and quick way of backing up Exchange server data. The following article describes the steps required to configure Local Continuous Replication. Also, the article tells you how to restore from a backup…
In this Micro Video tutorial you will learn the basics about Database Availability Groups and How to configure one using a live Exchange Server Environment. The video tutorial explains the basics of the Exchange server Database Availability grou…
This video discusses moving either the default database or any database to a new volume.

758 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

22 Experts available now in Live!

Get 1:1 Help Now