Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people, just like you, are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
Solved

Exchange server Role groups permissions

Posted on 2015-01-28
4
92 Views
Last Modified: 2015-02-07
Exchange server 2010/2013 have Role groups, you can just assign AD users or groups to those roles and they will be able to do whatever is permitted to that role.
However I believe sometimes, you can assign an AD group ,for instance GroupA to Exchange RoleX so that the groupA can do whatever permitted by the roleX, then assign another AD GroupB to the same Exchange RoleX, but with less permissions than what groupA can.

Let's take Help Desk role as example, you can put users in the same role, but you can restrict some users from doing some task that other user in the same role can do.

I have read that on MS link, but the link does not show how to be granular in permissions.

Any help will be very much appreciated.

Thanks
0
Comment
Question by:jskfan
  • 2
  • 2
4 Comments
 
LVL 53

Assisted Solution

by:Will Szymkowski
Will Szymkowski earned 500 total points
ID: 40576497
Ultimately Active Directory permissions superseed the Exchange permissions. So can this be done, yes. However I would not be using AD / Exchange to mix up permissions like this. Use Exchange Permissions (role groups) to assign permissions. When you start mixing and matching it can get very confusing and where you don't see Exchange  permisisons but users still have access to things they should its because AD permissions are in place.

This makes it very hard to troubleshoot and overall management can be a nightmare. Use Exchagne permissions for Exchange and AD permissions for Active Directory.

Will.
0
 

Author Comment

by:jskfan
ID: 40581497
If in understand what you are saying, is in order to be granular with Exchange Role permissions we need to use AD Security permissions, Though it is not desirable. Correct ?
0
 
LVL 53

Accepted Solution

by:
Will Szymkowski earned 500 total points
ID: 40581590
In earlier versions of Exchange you need to configure Active Directory permissions on the objects in order to do specific things i.e. (send as). In Exchange 2007 the level of permissions changed where you could do most of permission changes from the EMC. The downfall with permissions in Exchange 2007 is that there were only Org Admins, Recipient Admins, Public Folder Admins and View Only Admins. This was tough because if you needed to give a user access to simply modify permisisons on mailboxes you had to provide Recipient Admin role. That role can also create accounts modify distribution groups etc.

In Exchange 2010 you have RBAC which allows you to have more granularity  in what you want your users accessing.

Role Base Access Control Tutorial

Will.
0
 

Author Closing Comment

by:jskfan
ID: 40596396
Thanks
0

Featured Post

Is Your AD Toolbox Looking More Like a Toybox?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Is your Office 365 signature not working the way you want it to? Are signature updates taking up too much of your time? Let's run through the most common problems that an IT administrator can encounter when dealing with Office 365 email signatures.
Are you unable to connect or configure Hotmail email account in Microsoft Outlook 2010, 2007? Or Outlook.com emails are not downloading to Outlook? Lets’ see the problem and resolve Outlook Connector error syncing folder hierarchy (0x8004102A).
To show how to generate a certificate request in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.:  First we need to log into the Exchange Admin Center. Navigate to the Servers >> Certificates…
The basic steps you have just learned will be implemented in this video. The basic steps are shown to configure an Exchange DAG in a live working Exchange Server Environment and manage the same (Exchange Server 2010 Software is used in a Windows Ser…

791 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question