Solved

Exchange 2013 custom cmdlets and RBAC

Posted on 2015-02-17
3
98 Views
Last Modified: 2015-02-20
Hi Folks,

in my lab I'm trying to build a solution to finetune exchange administration via powershell with custom cmdlets.

e.g.:

The custom cmdlet "New-ExMbx" should do similar things like "New-Mailbox" but with some limitations and with some more logging. I want to use RBAC to secure the process. Is it possible to disable the "New-Mailbox" cmdlet to force users to use my "New-ExMbx" but ensure that they can create new mailboxes?

Sorry for the bad explanation, it's difficult to describe the process.

Tia
Marcel
0
Comment
Question by:Marcel_D
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 
LVL 53

Accepted Solution

by:
Will Szymkowski earned 500 total points
ID: 40614652
I want to use RBAC to secure the process. Is it possible to disable the "New-Mailbox" cmdlet to force users to use my
Unfortunately the answer is no. Cmdlets are only disabled when a user does not have the level of access to use the command. How are you going to use your function "New-ExMbx"? Do you not uses New-Mailbox somewhere in your function?

Also you will need to import the snapin for Exchange as well if you are running this outside of the EMS. When you import the snapin you are providing access to all of the cmdlets, which will be available based on user access.

Will.
0
 
LVL 10

Expert Comment

by:nashiooka
ID: 40622044
You can lock down individual parameters of New-Mailbox such that they match the capabilities you're putting in your wrapper.  It's kind of tricky but it goes something like this:

1) Create a new management role using a role that already has New-Mailbox as the parent.
2) Remove all unwanted cmdlets from the role entries list:

Get-ManagementRoleEntry "<NewRole>\*" | Where{$_.Name -notmatch New-Mailbox} | Remove-ManagementRoleEntry -Confirm:$false

Of course change the where clause as you see fit and fine tune with any additional remove commands.

3) Remove the cmdlet parameters you don't want using Set-ManagementRoleEntry , something like below:

Set-ManagementRoleEntry "<NewRole>\New-Mailbox" -Parameters <Parameter1,Parameter2...>

4) Assign a role group to the new role using New-ManagementRoleAssignment and make sure the user(s) are in the group.

A final note, if the user has access to New-Mailbox from another role that grants access to more parameters it will take precedence over your custom role.
0
 

Author Comment

by:Marcel_D
ID: 40622047
Hi Nashiooka,

damn I would like to give you a reward, too :( Thx for your effort and detailed answer. Will check this in my lab.
0

Featured Post

Office 365 Training for IT Pros

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The following article is intended as a guide to using PowerShell as a more versatile and reliable form of application detection in SCCM.
Previously, on our Nano Server Deployment series, we've created a new nano server image and deployed it on a physical server in part 2. Now we will go through configuration.
In this video we show how to create an Address List in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Organization >> Ad…
This video discusses moving either the default database or any database to a new volume.

734 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question