Home > Uncategorized > Management Delegation in Exchange 2010 (RBAC)

Management Delegation in Exchange 2010 (RBAC)

One of the best new features in Exchange 2010 is RBAC, or Roles Based Access Control.

This truly gives administrators a vital tool in empowering and delegating tasks within Exchange.

For example, perhaps I want my Human Resources dept to be able to create mailboxes, or I want my helpdesk dept to perform *some* server tasks.

This is very much possible in Exchange now.

We are able to achieve many tasks through either; the EMC, (Exchange Management Console), EMS (Exchange Management Shell), or now also ECP, (Exchange Control Panel in the web browser).

Let’s start by examining the defaults.

In Active Directory, we now have an OU called ‘Microsoft Exchange Security Groups’. This contains several examples of delegation via the groups already defined. For example, it’s likely that your admin account is a member of the group Organization Management, due to the AD preparation that user did prior to Exchange being installed.

Also checkout groups like Help Desk, as these also have pre-defined access control attributed to them. In many cases, it’s a case of adding people to the relevant group, and away you go.

But for some, we need to either better understand what we are delegating, or perhaps wish to tailor the control.

So here are some examples in EMS that will help you.


This will show you what roles exist.

Get-ManagementRoleEntry ‘mailrecipients\*’

This will then show for a given role, in this example, mail recipients, what PowerShell cmdlets (well functions really, but let’s not split hairs here) are associated with that role.

As this is a pre-defined role, I’m not going to tailor this one, but instead clone it, and fix it for my needs.  So what I’ll do is clone the exising ‘mail recipients’ role, and then chop it down, like so:

New-ManagementRole Chris –Parent ‘Mail  Recipients’

You could then verify it’s taken the same entries across before changing them with:

Get-ManagementRoleEntry ‘chris\*’

Then, customise it down, by in this case, removing any cmdlets that have the word ‘disable’ in them:

Get-ManagementRoleEntry ‘chris\*’ | where {$_.name –ilike ‘disable*’} |Remove-ManagementRoleEntry

And again, maybe verify after you’re done to check.

Get-ManagementRoleEntry ‘chris\*’



As you can see there is tremendous scope for allowing what is essentially cmdlet-level delegation of task. And remember, it doesn’t matter how the user is calling the PowerShell, be it EMC, EMS or better still these days, ECP. Happy delegating!

Categories: Uncategorized

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: