Solved

Exchange 2013 custom cmdlets and RBAC

Posted on 2015-02-17
3
109 Views
Last Modified: 2015-02-20
Hi Folks,

in my lab I'm trying to build a solution to finetune exchange administration via powershell with custom cmdlets.

e.g.:

The custom cmdlet "New-ExMbx" should do similar things like "New-Mailbox" but with some limitations and with some more logging. I want to use RBAC to secure the process. Is it possible to disable the "New-Mailbox" cmdlet to force users to use my "New-ExMbx" but ensure that they can create new mailboxes?

Sorry for the bad explanation, it's difficult to describe the process.

Tia
Marcel
0
Comment
Question by:Marcel_D
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 
LVL 53

Accepted Solution

by:
Will Szymkowski earned 500 total points
ID: 40614652
I want to use RBAC to secure the process. Is it possible to disable the "New-Mailbox" cmdlet to force users to use my
Unfortunately the answer is no. Cmdlets are only disabled when a user does not have the level of access to use the command. How are you going to use your function "New-ExMbx"? Do you not uses New-Mailbox somewhere in your function?

Also you will need to import the snapin for Exchange as well if you are running this outside of the EMS. When you import the snapin you are providing access to all of the cmdlets, which will be available based on user access.

Will.
0
 
LVL 10

Expert Comment

by:nashiooka
ID: 40622044
You can lock down individual parameters of New-Mailbox such that they match the capabilities you're putting in your wrapper.  It's kind of tricky but it goes something like this:

1) Create a new management role using a role that already has New-Mailbox as the parent.
2) Remove all unwanted cmdlets from the role entries list:

Get-ManagementRoleEntry "<NewRole>\*" | Where{$_.Name -notmatch New-Mailbox} | Remove-ManagementRoleEntry -Confirm:$false

Of course change the where clause as you see fit and fine tune with any additional remove commands.

3) Remove the cmdlet parameters you don't want using Set-ManagementRoleEntry , something like below:

Set-ManagementRoleEntry "<NewRole>\New-Mailbox" -Parameters <Parameter1,Parameter2...>

4) Assign a role group to the new role using New-ManagementRoleAssignment and make sure the user(s) are in the group.

A final note, if the user has access to New-Mailbox from another role that grants access to more parameters it will take precedence over your custom role.
0
 

Author Comment

by:Marcel_D
ID: 40622047
Hi Nashiooka,

damn I would like to give you a reward, too :( Thx for your effort and detailed answer. Will check this in my lab.
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A list of top three free exchange EDB viewers that helps the user to extract a mailbox from an unmounted .edb file and get a clear preview of all emails & other items with just a single click on mailboxes.
After hours on line I found a solution which pointed to the inherited Active Directory permissions . You have to give/allow permissions to the "Exchange trusted subsystem" for the user in the Active Directory...
In this video we show how to create a Resource Mailbox in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: Navigate to the Recipients >> Resources tab.: "Recipients" is our default selection …
To show how to create a transport rule in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Mail Flow >> Rules tab.:  To cr…
Suggested Courses

630 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question