In relation to the group/role "organisation management" in exch2013, what permissions does this give the user, and what types of user typically require this permission? Or put another way, what could a malicious user do to your exchange environment if they got hold of an account with organisation management permissions.
I am reviewing security permissions and noticed generally the whole IT section (25+ employees) have been added organisation permissions - but I need to determine if this is common, or if you have only a few trusted users with organisation management permissions - and if so for what tasks do they require such access.
Start off here first to get a better understanding of the RBAC model in Exchange: https://technet.microsoft.com/en-us/library/dd298183(v=exchg.150).aspx
This article walks you through the process of creating a custom RBAC role group and adding specific permissions to this group so as to limit what users can do. Note that this is a four-part article: http://www.msexchange.org/articles-tutorials/exchange-server-2013/management-administration/rbac-made-easy-part1.html