Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

Exchange 2013 custom cmdlets and RBAC

Posted on 2015-02-17
3
Medium Priority
?
138 Views
Last Modified: 2015-02-20
Hi Folks,

in my lab I'm trying to build a solution to finetune exchange administration via powershell with custom cmdlets.

e.g.:

The custom cmdlet "New-ExMbx" should do similar things like "New-Mailbox" but with some limitations and with some more logging. I want to use RBAC to secure the process. Is it possible to disable the "New-Mailbox" cmdlet to force users to use my "New-ExMbx" but ensure that they can create new mailboxes?

Sorry for the bad explanation, it's difficult to describe the process.

Tia
Marcel
0
Comment
Question by:Marcel_D
3 Comments
 
LVL 53

Accepted Solution

by:
Will Szymkowski earned 2000 total points
ID: 40614652
I want to use RBAC to secure the process. Is it possible to disable the "New-Mailbox" cmdlet to force users to use my
Unfortunately the answer is no. Cmdlets are only disabled when a user does not have the level of access to use the command. How are you going to use your function "New-ExMbx"? Do you not uses New-Mailbox somewhere in your function?

Also you will need to import the snapin for Exchange as well if you are running this outside of the EMS. When you import the snapin you are providing access to all of the cmdlets, which will be available based on user access.

Will.
0
 
LVL 10

Expert Comment

by:nashiooka
ID: 40622044
You can lock down individual parameters of New-Mailbox such that they match the capabilities you're putting in your wrapper.  It's kind of tricky but it goes something like this:

1) Create a new management role using a role that already has New-Mailbox as the parent.
2) Remove all unwanted cmdlets from the role entries list:

Get-ManagementRoleEntry "<NewRole>\*" | Where{$_.Name -notmatch New-Mailbox} | Remove-ManagementRoleEntry -Confirm:$false

Of course change the where clause as you see fit and fine tune with any additional remove commands.

3) Remove the cmdlet parameters you don't want using Set-ManagementRoleEntry , something like below:

Set-ManagementRoleEntry "<NewRole>\New-Mailbox" -Parameters <Parameter1,Parameter2...>

4) Assign a role group to the new role using New-ManagementRoleAssignment and make sure the user(s) are in the group.

A final note, if the user has access to New-Mailbox from another role that grants access to more parameters it will take precedence over your custom role.
0
 

Author Comment

by:Marcel_D
ID: 40622047
Hi Nashiooka,

damn I would like to give you a reward, too :( Thx for your effort and detailed answer. Will check this in my lab.
0

Featured Post

 [eBook] Windows Nano Server

Download this FREE eBook and learn all you need to get started with Windows Nano Server, including deployment options, remote management
and troubleshooting tips and tricks

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

As much as Microsoft wants to kill off PST file support, just as they tried to do with public folders, there are still times when it is useful or downright necessary to export Exchange mailboxes to PST files. Thankfully, it is still possible to e…
Eseutil Hard Recovery is part of exchange tool and ensures Exchange mailbox data recovery when mailbox gets corrupt due to some problem on Exchange server.
To show how to create a transport rule in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Mail Flow >> Rules tab.:  To cr…
A short tutorial showing how to set up an email signature in Outlook on the Web (previously known as OWA). For free email signatures designs, visit https://www.mail-signatures.com/articles/signature-templates/?sts=6651 If you want to manage em…

824 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question