Solved

Exchange 2013 custom cmdlets and RBAC

Posted on 2015-02-17
3
105 Views
Last Modified: 2015-02-20
Hi Folks,

in my lab I'm trying to build a solution to finetune exchange administration via powershell with custom cmdlets.

e.g.:

The custom cmdlet "New-ExMbx" should do similar things like "New-Mailbox" but with some limitations and with some more logging. I want to use RBAC to secure the process. Is it possible to disable the "New-Mailbox" cmdlet to force users to use my "New-ExMbx" but ensure that they can create new mailboxes?

Sorry for the bad explanation, it's difficult to describe the process.

Tia
Marcel
0
Comment
Question by:Marcel_D
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 
LVL 53

Accepted Solution

by:
Will Szymkowski earned 500 total points
ID: 40614652
I want to use RBAC to secure the process. Is it possible to disable the "New-Mailbox" cmdlet to force users to use my
Unfortunately the answer is no. Cmdlets are only disabled when a user does not have the level of access to use the command. How are you going to use your function "New-ExMbx"? Do you not uses New-Mailbox somewhere in your function?

Also you will need to import the snapin for Exchange as well if you are running this outside of the EMS. When you import the snapin you are providing access to all of the cmdlets, which will be available based on user access.

Will.
0
 
LVL 10

Expert Comment

by:nashiooka
ID: 40622044
You can lock down individual parameters of New-Mailbox such that they match the capabilities you're putting in your wrapper.  It's kind of tricky but it goes something like this:

1) Create a new management role using a role that already has New-Mailbox as the parent.
2) Remove all unwanted cmdlets from the role entries list:

Get-ManagementRoleEntry "<NewRole>\*" | Where{$_.Name -notmatch New-Mailbox} | Remove-ManagementRoleEntry -Confirm:$false

Of course change the where clause as you see fit and fine tune with any additional remove commands.

3) Remove the cmdlet parameters you don't want using Set-ManagementRoleEntry , something like below:

Set-ManagementRoleEntry "<NewRole>\New-Mailbox" -Parameters <Parameter1,Parameter2...>

4) Assign a role group to the new role using New-ManagementRoleAssignment and make sure the user(s) are in the group.

A final note, if the user has access to New-Mailbox from another role that grants access to more parameters it will take precedence over your custom role.
0
 

Author Comment

by:Marcel_D
ID: 40622047
Hi Nashiooka,

damn I would like to give you a reward, too :( Thx for your effort and detailed answer. Will check this in my lab.
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

How to resolve IMCEAEX NDRs in Exchange or Exchange Online related to invalid X500 addresses.
A project that enables an administrator to perform actions within a user session context not just at the time of login but any time later on day(s) or week(s) later.
In this video we show how to create a Contact in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Recipients >> Contact ta…
To add imagery to an HTML email signature, you have two options available to you. You can either add a logo/image by embedding it directly into the signature or hosting it externally and linking to it. The vast majority of email clients display l…

734 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question