Exchange Server 2010 implements role-based access controls that allow you to easily customize permissions for users in the organization. You use role-based access controls to do the following:
Assign permissions to groups of users.
Define policies that assign permissions.
Assign permissions directly to users.
Before I discuss each of these tasks, I'll discuss essential concepts related to role-based
permissions. Because the permissions model is fairly complex, I
recommend reading this entire section to understand your implementation
options before starting to assign permissions.
1. Understanding Role-Based Permissions
Role-based access
control is a permissions model that uses role assignment to define the
management tasks a user or group of users can perform in the Exchange
organization. Exchange defines many built-in management roles that you
can use to manage your Exchange organization. Each built-in role acts as
a logical grouping of permissions that specify the management actions
that those assigned the role can perform. You also can create your own
custom roles.
You can assign roles to role
groups or directly to users. You also can assign roles through role
policies that are then applied to role groups, users, or both. By
assigning roles, you grant permission to perform management tasks.
At the top of the permission
model is the role group, which is a special type of security group that
has been assigned one or more roles. Keep the following in mind when
working with role-based permissions:
You can assign
role-based permissions to any mailbox-enabled user account. Assigning a
role to a user grants the user the ability to perform a specific
management action.
You
can assign role-based permissions to any universal security group.
Assigning a role to a group grants members of the group the ability to
perform a specific management action.
You cannot assign role-based permissions to security groups with the domain local or global scope.
You cannot assign role-based permissions to distribution groups regardless of scope.
As Table 1 in this article
showed previously, Exchange Server 2010 includes a number of predefined
role groups. These role groups are assigned fixed management roles by
default. As a result, you do not need to explicitly add roles to these
groups to enable management, nor can you add or remove roles associated
with the built-in groups. You can, however, manage the members of the
predefined role groups using the procedures discussed previously. You
can also create your own role groups and manage the membership of those
groups.
When you assign a role to a
group, the management scope determines where in the Active Directory
hierarchy that objects can be managed by users assigned a management
role. The scope is either implicitly or explicitly assigned. Implicit
scopes are the default scopes that apply based on a particular type of
management role.
Table 1 lists the management roles with an organization scope. A role with an organization scope applies across the whole Exchange organization. Table 2 lists the management roles with a server scope. A role with a server scope applies to an individual server. Table 3
lists the management roles with a user scope. A role with a user scope
applies to an individual user. When you create a role group, you also
can set an explicit scope, such as for objects in the Customer Service
organizational unit or objects in the Technology organizational unit.
Table 1. Management Roles with an Organization Scope
| MANAGEMENT ROLE | ENABLES MANAGERS TO… |
|---|---|
| Active Directory Permissions | Configure Active Directory permissions in an organization. Keep in mind that permissions set directly on Active Directory objects cannot be enforced through RBAC. |
| Address Lists | Manage address lists, the global address list, and offline address lists in an organization. |
| Audit Logs | Manage audit logs in an organization. |
| Cmdlet Extension Agents | Manage cmdlet extension agents in an organization. |
| Database Availability Groups | Manage database availability groups in an organization. |
| Disaster Recovery | Restore mailboxes and database availability groups in an organization. |
| Distribution Groups | Create and manage distribution groups and distribution group members in an organization. |
| Edge Subscriptions | Manage edge synchronization and subscription configuration between Edge Transport servers and Hub Transport servers in an organization. |
| E-Mail Address Policies | Manage e-mail address policies in an organization. |
| Exchange Connectors | Manage routing group connectors, delivery agent connectors, and other connectors used for transport. This role doesn't enable administrators to manage Send and Receive connectors. |
| Federated Sharing | Manage cross-forest and cross-organization sharing in an organization. |
| Information Rights Management | Manage the Information Rights Management (IRM) features of Exchange in an organization. |
| Journaling | Manage journaling configuration in an organization. |
| Legal Hold | Configure whether data within a mailbox should be retained for litigation purposes in an organization. |
| Mail Enabled Public Folders | Configure whether individual public folders are mail-enabled or mail-disabled in an organization. |
| Mail Recipient Creation | Create mailboxes, mail users, mail contacts, distribution groups, and dynamic distribution groups in an organization. |
| Mail Recipients | Manage existing mailboxes, mail users, mail contacts, distribution groups, and dynamic distribution groups in an organization. This does not enable administrators to create these recipients. |
| Mail Tips | Manage mail tips in an organization. |
| Mailbox Import Export | Import or export mailbox content as well as purge unwanted content. |
| Mailbox Search | Search the content of one or more mailboxes in an organization. |
| Message Tracking | Track messages in an organization. |
| Monitoring | Monitor the Microsoft Exchange services and component availability in an organization. |
| Move Mailboxes | Move mailboxes between servers in an organization and between servers in the local organization and another organization. |
| Organization Client Access | Manage Client Access server settings in an organization. |
| Organization Configuration | Manage basic organization-wide settings. This role type doesn't include the permissions included in the Organization Client Access or Organization Transport Settings role types. |
| Organization Transport Settings | Manage organization-wide transport settings, including system messages, site configuration, and so forth. This role doesn't enable administrators to create or manage transport Receive or Send connectors, queues, hygiene, agents, remote and accepted domains, or rules. |
| Public Folder Replication | Start and stop public folder replication in an organization. |
| Public Folders | Manage public folders in an organization. This role type doesn't enable you to manage whether public folders are mail-enabled or to manage public folder replication. |
| Recipient Policies | Manage recipient policies, such as provisioning policies, in an organization. |
| Retention Management | Manage retention policies in an organization. |
| Role Management | Manage management role groups, role assignment policies, management roles, role entries, assignments, and scopes in an organization. Users assigned roles associated with this role type can override the Managed By property for role groups, configure any role group, and add or remove members to or from any role group. |
| Security Group Creation and Membership | Create and manage security groups and their memberships in an organization. |
| Send Connectors | Manage transport Send connectors in an organization. |
| Support Diagnostics | Perform advanced diagnostics under the direction of Microsoft support services. |
| Transport Agents | Manage transport agents in an organization. |
| Transport Hygiene | Manage antivirus and antispam features in an organization. |
| Transport Rules | Manage transport rules. |
| UM Mailboxes | Manage the unified messaging (UM) configuration of mailboxes and other recipients. |
| UM Prompts | Create and manage custom UM voice prompts. |
| Unified Messaging | Manage Unified Messaging servers. This role doesn't enable administrators to manage UM-specific mailbox configuration or UM prompts. |
| Unscoped Role Management | Create and manage unscoped top-level management roles. |
| User Options | View the Microsoft Outlook Web Access options for users. |
| View-Only Configuration | View all of the nonrecipient Exchange configuration settings. |
| View-Only Recipients | View the configuration of recipients, including mailboxes, mail users, mail contacts, distribution groups, and dynamic distribution groups. |
Table 2. Management Roles with a Server Scope
| MANAGEMENT ROLE | ENABLES MANAGERS TO… |
|---|---|
| Database Copies | Manage mailbox database copies on individual servers. |
| Databases | Create, manage, mount, and dismount mailbox and public folder databases on individual servers. |
| Exchange Server Certificates | Create, import, export, and manage Exchange server certificates on individual servers. |
| Exchange Servers | Manage Exchange server configuration on individual servers. |
| Exchange Virtual Directories | Manage Autodiscover, Outlook Web App, Exchange ActiveSync, offline address book (OAB), Windows PowerShell, and Web administration interface virtual directories on individual servers. |
| Migration | Migrate mailboxes and mailbox content into or out of a server. |
| POP3 and IMAP4 Protocols | Manage Post Office Protocol version 3 (POP3) and Internet Message Access Protocol version 4 (IMAP4) configuration, such as authentication and connection settings, on individual servers. |
| Receive Connectors | Manage transport Receive connector configuration, such as size limits, on an individual server. |
| Transport Queues | Manage transport queues on an individual server. |
Table 3. Management Roles with a User Scope
| MANAGEMENT ROLE | ENABLES INDIVIDUAL USERS TO… |
|---|---|
| MyBaseOptions | View and modify the basic configuration of their own mailbox and associated settings. |
| MyContactInformation | Modify their contact information. This information includes their address and phone numbers. |
| MyDistributionGroupMembership | View and modify their membership in distribution groups in an organization, provided that those distribution groups allow manipulation of group membership. |
| MyDistributionGroups | Create, modify, and view distribution groups and modify, view, remove, and add members to distribution groups they own. |
| MyProfileInformation | Modify their name. |
| MyRetentionPolicies | View their retention tags, and view and modify their retention tag settings and defaults. |
| MyVoiceMail | View and modify their voice mail settings. |
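The implicit and explicit scopes described before the tables can be inspected and set from the Exchange Management Shell. The following is an added example, not code from the original article: it shows the implicit scopes a built-in role carries, creates an explicit recipient scope, attaches it to a new role group, and then verifies the resulting assignment. The domain name cpandl.com, the "LA Office" organizational unit path, the scope name "LA Office Mailboxes", the role group name "LA Mailbox Management" and the member group "LA Help Desk" are assumptions for illustration.

```powershell
# Added example (not from the original article). Assumes the domain cpandl.com
# with an "LA Office" organizational unit; adjust the names to your environment.

# 1. Inspect the implicit scopes of two built-in roles. Mail Recipients reads
#    and writes recipient objects across the organization, while Databases is
#    a server-scoped role whose write scope is configuration, not recipients.
"Mail Recipients", "Databases" |
    ForEach-Object { Get-ManagementRole -Identity $_ } |
    Format-List Name, ImplicitRecipientReadScope, ImplicitRecipientWriteScope,
                ImplicitConfigReadScope, ImplicitConfigWriteScope

# 2. Create an explicit recipient scope limited to one OU and, within it, to
#    user mailboxes only (constructed filter: contacts and groups are excluded).
#    -RecipientRoot and -RecipientRestrictionFilter are used together.
New-ManagementScope -Name "LA Office Mailboxes" `
    -RecipientRoot "cpandl.com/LA Office" `
    -RecipientRestrictionFilter { RecipientType -eq "UserMailbox" }

# 3. Create a role group and attach the explicit scope. Members receive the
#    Mail Recipients role, but can only write to recipients the scope covers.
New-RoleGroup -Name "LA Mailbox Management" `
    -Roles "Mail Recipients" `
    -CustomRecipientWriteScope "LA Office Mailboxes" `
    -Members "LA Help Desk"

# 4. Verify the effective scope on the resulting assignment before handing the
#    group to its managers. RecipientWriteScope should read CustomRecipientScope
#    rather than Organization, and CustomRecipientWriteScope should name the scope.
Get-ManagementRoleAssignment -RoleAssignee "LA Mailbox Management" |
    Format-Table Role, RecipientReadScope, RecipientWriteScope,
                 CustomRecipientWriteScope -AutoSize
```

Step 4 is the check worth keeping in a runbook: a custom write scope narrows what members can change, but the read scope of the role stays at its implicit value, so members of the group can still view recipients outside the OU.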
Role assignment policies grant users permissions
to configure their Outlook Web App options and perform limited
management tasks. When you install Exchange Server, the setup process
creates the Default
Role Assignment Policy and sets this as the default for all new
mailboxes. This policy grants users the MyBaseOptions,
MyContactInformation, MyDistributionGroupMembership, and MyVoiceMail roles, but it does not grant users the MyDistributionGroups and MyProfileInformation roles.
You can create other role assignment policies as well. One way
to manage existing policies is to use the Exchange Control Panel. When
you are managing the organization and Users & Groups is selected in
the left pane, you can select the User Roles
tab to work with existing role assignment policies. Double-click the
related entry to configure role assignment. To grant a role to users,
select the related check box. To not grant a role to users, clear the
related check box. Click Save to save your changes.
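The same role assignment policy work can be done from the Exchange Management Shell, which is easier to review and script than the Exchange Control Panel. This is an added example, not code from the original article: it lists what the Default Role Assignment Policy grants, creates a more restrictive policy, applies it to a mailbox and as the default, adds one end-user role to it, and reports which mailboxes still use the default. The policy name "Limited Self-Service", its description, and the mailbox alias "rubyc" are assumptions for illustration.

```powershell
# Added example (not from the original article). The policy name, description
# and mailbox alias are constructed for illustration.

# Show which end-user roles the default policy grants to every new mailbox.
Get-ManagementRoleAssignment -RoleAssignee "Default Role Assignment Policy" |
    Format-Table Role, RoleAssigneeType, Enabled -AutoSize

# Create a more restrictive policy: users may view and change basic mailbox
# options and voice mail settings, but not edit their contact information or
# change their distribution group membership.
New-RoleAssignmentPolicy -Name "Limited Self-Service" `
    -Roles "MyBaseOptions", "MyVoiceMail" `
    -Description "Self-service options without contact or group changes"

# The policy is a per-mailbox attribute, so existing mailboxes keep whatever
# policy they already have until you change them explicitly.
Set-Mailbox -Identity "rubyc" -RoleAssignmentPolicy "Limited Self-Service"

# Make the new policy the default for mailboxes created from now on.
Set-RoleAssignmentPolicy -Identity "Limited Self-Service" -IsDefault

# Grant one more end-user role to the policy without touching the others; each
# role is a separate assignment that can later be removed on its own.
New-ManagementRoleAssignment -Role "MyProfileInformation" `
    -Policy "Limited Self-Service"

# Report every mailbox that is still on the default policy, for review.
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.RoleAssignmentPolicy -eq "Default Role Assignment Policy" } |
    Select-Object Name, RoleAssignmentPolicy
```

Because the policy is stored on each mailbox, changing the default or a policy's role list is the only way to adjust many users at once; assigning a policy per mailbox is for exceptions.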
2. Creating and Managing Role Groups
By default, members of the
Organization Management group can manage any role group in the Exchange
organization. Anyone designated as a manager of a role group can manage
the role group. You assign a user as a manager of a role group using the
-ManagedBy parameter, which can be set when you create or modify a role
group.
In the Exchange Management Shell, commands you use to work with role groups include the following:
Get-RoleGroup Displays a complete or filtered list of role groups. When specifying filters, use braces to define the filter, such as -Filter { RoleGroupType -eq "Linked" }.
Get-RoleGroup [-Identity RoleGroupName] {AddtlParams}
{AddtlParams}
[-DomainController FullyQualifiedName] [-Filter {LinkedGroup |
ManagedBy | Members | Name | RoleGroupType | DisplayName}]
[-Organization OrganizationID] [-ReadFromDomainController
{$True|$False}] [-ResultSize Size] [-SortBy {LinkedGroup |
ManagedBy | Members | Name | RoleGroupType | DisplayName}]
New-RoleGroup
Creates a new role group. When specifying roles, you must use the full
role name, including spaces. Enclose the role names in quotation marks
and separate each role with a comma, such as "Mail Recipient Creation", "Mail Recipients", "Recipient Policies".
New-RoleGroup -Name RoleGroupName [-Roles Roles]
[-ManagedBy ManagerIds] [-Members MemberIds] {AddtlParams}
{AddtlParams}
[-CustomConfigWriteScope Scope] [-CustomRecipientWriteScope Scope]
[-Description Description] [-DisplayName DisplayName]
[-DomainController FullyQualifiedName] [-Organization
OrganizationID] [-RecipientOrganizationalUnitScope Scope]
[-SamAccountName PreWin2000Name]
[-LinkedCredential Credential] [-LinkedDomainController LinkedDC]
[-LinkedForeignGroup LinkedGroup]
Remove-RoleGroup
Removes a role group. If a role group has designated managers, you must
be listed as a manager to remove the role group or use the
-BypassSecurityGroupManagerCheck parameter and be an organization
manager.
Remove-RoleGroup -Identity RoleGroupName {AddtlParams}
{AddtlParams}
[-BypassSecurityGroupManagerCheck {$True|$False}]
[-DomainController FullyQualifiedName]
Set-RoleGroup
Configures role group properties. If you specify managers, you must
provide the complete list of managers because the list you provide
overwrites the existing list of managers. To manage role assignment, see
Section 4 later in this article.
Set-RoleGroup -Identity RoleGroupName [-ManagedBy ManagerIds]
[-Name NewName] {AddtlParams}
{AddtlParams}
[-BypassSecurityGroupManagerCheck {$True|$False}]
[-Description Description] [-DomainController FullyQualifiedName]
[-LinkedCredential Credential] [-LinkedDomainController LinkedDC]
[-LinkedForeignGroup LinkedGroup]
You use New-RoleGroup to create role
groups. When you create a role group, you must specify the group name
and the roles assigned to the group. You should also specify the
managers and members of the group. The managers and members can be
individual users or groups identified by their display name, alias, or
distinguished name. If you want to specify more than one manager or
member, separate each entry with a comma. In the following example, you
create the Special Recipient Management role group to allow members of
the group to manage (but not create) recipients:
New-RoleGroup -Name "Special Recipient Management" `
    -Roles "mail recipients", "recipient policies" `
    -ManagedBy "juliec", "tylerk", "ulij" `
    -Members "mikeg", "lylep", "rubyc", "yus"
By default, the scope of the
role group is the organization. You can also set a specific scope for an
organizational unit. In the following example, you create a role group
named LA Recipient Management and set the scope to the LA Office
organizational unit to allow members of the group to manage recipients
in the LA Office organizational unit:
New-RoleGroup -Name "LA Recipient Management" `
    -Roles "mail recipient creation", "mail recipients", "recipient policies" `
    -ManagedBy "LA Managers" -Members "LA Help Desk" `
    -RecipientOrganizationalUnitScope "LA Office"
A linked role group links the
role group to a universal security group in another forest. Creating a
linked role group is useful if your Exchange servers reside in a
resource forest and your users and managers reside in a separate user
forest. If you create a linked role group, you can't add members
directly to it. You must add the members to the universal security group
in the foreign forest.
When you are creating linked role
groups, you use the -LinkedDomainController parameter to specify the
fully qualified domain name or IP address of a domain controller in the
foreign forest. This domain controller is used to get security
information for the foreign universal security group, which is specified
by the -LinkedForeignGroup parameter. If you use the
-LinkedDomainController parameter, you must specify a foreign universal
security group with the -LinkedForeignGroup parameter, and you can't use
the -Members parameter. Optionally, you can use the -LinkedCredential
parameter to specify credentials to use to access the foreign forest. To
pass in the credentials, you'll want to use a Credential object.
In the following example, you
create a linked role group that enables the members of the Chicago
Managers universal security group to manage recipients located in the
Chicago office:
$cred = Get-Credential
New-RoleGroup -Name "Chicago Recipient Managers" `
    -LinkedDomainController corpserver26.cpusers.cpandl.com `
    -LinkedCredential $cred -LinkedForeignGroup "Chicago Managers" `
    -CustomRecipientWriteScope "Chicago Recipients" -Roles "mail recipients"
In this example, Chicago Managers
is a group created in the user forest and you are logged on to the
resource forest. When PowerShell runs the Get-Credential command, you
are prompted for the user name and password for the user forest.
Role
groups are created as universal security groups in the Active Directory
database. In Active Directory Users And Computers, you'll find role groups in the Microsoft Exchange
Security Groups container. After you create a role group, you can
manage it using Active Directory Users And Computers or the Exchange
Management Shell. The management tasks you can perform depend on which
tool you are using. In Active Directory Users And Computers, you can
manage group membership, rename the group, or delete the group.
Additional tasks you can perform when you use the Exchange Management
Shell include setting managers and modifying role assignments.
Note:
Although you can edit a group's
managers or other attributes in Active Directory Users And Computers,
you shouldn't do this because some values are linked and set differently
than you'd expect. For example, you set the ManagedBy property to the
distinguished name of the first manager and define additional managers
using the msExchCoManagedByLink property.
You can list available role
groups using Get-RoleGroup. If you type Get-RoleGroup at the Exchange
Management Shell prompt, you see a list of all role groups defined in
the Exchange organization to which you are connected. You can filter the
output in a variety of ways using standard PowerShell filtering
techniques. Get-RoleGroup also has a –Filter parameter that you can use
to filter the output according to specific criteria you set. The
following example looks for a role group named CS Recipient Management
and lists all its properties:
Get-RoleGroup -Filter {Name -eq "CS Recipient Management"} |
    Format-List
You can use Set-RoleGroup to
change the name of a role group or to define a new list of managers. To
delete a role group, use Remove-RoleGroup.
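Because role groups are ordinary universal security groups whose members inherit every role assigned to the group, a periodic review of who sits in which group, with which scope, is the main control over RBAC. The following is an added example, not code from the original article: it builds a summary of every role group (linked or not, its managers, member count, whether it holds a role that can change RBAC itself, and how many of its assignments write organization-wide), resolves the effective holders of one high-impact role, and shows the membership cmdlets that honor the ManagedBy list. The role names come from Table 1; the choice of which roles count as high impact, and the role group and member names used in the last two lines, are assumptions. The script is written for the PowerShell 2.0 shell that ships with Exchange 2010.

```powershell
# Added example (not from the original article). Which roles count as "high
# impact" is an assumption; the role group and member names at the end are
# constructed for illustration.

# Roles whose holders can alter RBAC or security group membership. Groups
# holding them deserve the same review as Organization Management.
$highImpactRoles = @("Role Management", "Unscoped Role Management",
                     "Security Group Creation and Membership")

$report = foreach ($group in Get-RoleGroup) {
    $assignments = @(Get-ManagementRoleAssignment -RoleAssignee $group.Name)
    $members     = @(Get-RoleGroupMember -Identity $group.Name)
    $roles       = @($assignments | ForEach-Object { "$($_.Role)" } | Sort-Object -Unique)
    $orgWide     = @($assignments | Where-Object { $_.RecipientWriteScope -eq "Organization" })
    $hits        = @($roles | Where-Object { $highImpactRoles -contains $_ })

    New-Object PSObject -Property @{
        RoleGroup     = $group.Name
        Linked        = ($group.RoleGroupType -eq "Linked")
        Managers      = (@($group.ManagedBy | ForEach-Object { "$_" }) -join ", ")
        MemberCount   = $members.Count
        HighImpact    = ($hits.Count -gt 0)
        OrgWideWrites = $orgWide.Count
    }
}

# Most sensitive groups first: RBAC-changing roles, then breadth of write scope.
$report |
    Sort-Object HighImpact, OrgWideWrites -Descending |
    Select-Object RoleGroup, Linked, HighImpact, OrgWideWrites, MemberCount, Managers |
    Format-Table -AutoSize

# Resolve who effectively holds a high-impact role, including users that get
# it through nested group membership rather than direct role group membership.
Get-ManagementRoleAssignment -Role "Role Management" -GetEffectiveUsers |
    Format-Table EffectiveUserName, RoleAssignee, RecipientWriteScope -AutoSize

# Membership changes from the shell. Both cmdlets honor the group's ManagedBy
# list; a non-manager needs -BypassSecurityGroupManagerCheck and must be an
# organization manager, which is itself an event worth logging.
Add-RoleGroupMember -Identity "LA Recipient Management" -Member "yus"
Remove-RoleGroupMember -Identity "LA Recipient Management" -Member "yus" -Confirm:$false
```

Running the summary before and after a change, and keeping the two outputs, gives a simple audit trail of role group drift that Active Directory Users And Computers alone does not provide.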