Exchange 2013 custom cmdlets and RBAC

Hi Folks,

in my lab I'm trying to build a solution to finetune exchange administration via powershell with custom cmdlets.

e.g.:

The custom cmdlet "New-ExMbx" should do similar things like "New-Mailbox" but with some limitations and with some more logging. I want to use RBAC to secure the process. Is it possible to disable the "New-Mailbox" cmdlet to force users to use my "New-ExMbx" but ensure that they can create new mailboxes?

Sorry for the bad explanation, it's difficult to describe the process.

Tia
Marcel
Marcel_DAsked:
Who is Participating?
 
Will SzymkowskiSenior Solution ArchitectCommented:
I want to use RBAC to secure the process. Is it possible to disable the "New-Mailbox" cmdlet to force users to use my
Unfortunately the answer is no. Cmdlets are only disabled when a user does not have the level of access to use the command. How are you going to use your function "New-ExMbx"? Do you not uses New-Mailbox somewhere in your function?

Also you will need to import the snapin for Exchange as well if you are running this outside of the EMS. When you import the snapin you are providing access to all of the cmdlets, which will be available based on user access.

Will.
0
 
nashiookaCommented:
You can lock down individual parameters of New-Mailbox such that they match the capabilities you're putting in your wrapper.  It's kind of tricky but it goes something like this:

1) Create a new management role using a role that already has New-Mailbox as the parent.
2) Remove all unwanted cmdlets from the role entries list:

Get-ManagementRoleEntry "<NewRole>\*" | Where{$_.Name -notmatch New-Mailbox} | Remove-ManagementRoleEntry -Confirm:$false

Of course change the where clause as you see fit and fine tune with any additional remove commands.

3) Remove the cmdlet parameters you don't want using Set-ManagementRoleEntry , something like below:

Set-ManagementRoleEntry "<NewRole>\New-Mailbox" -Parameters <Parameter1,Parameter2...>

4) Assign a role group to the new role using New-ManagementRoleAssignment and make sure the user(s) are in the group.

A final note, if the user has access to New-Mailbox from another role that grants access to more parameters it will take precedence over your custom role.
0
 
Marcel_DAuthor Commented:
Hi Nashiooka,

damn I would like to give you a reward, too :( Thx for your effort and detailed answer. Will check this in my lab.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.