RBAC YAY!!!


OK, not yay... it's all good until you have to go outside of the built-in role groups 😉
In case you don't know, "Role Based Access Control" (RBAC) is the new permission model for Exchange 2010. It lets you be granular and specific in how you delegate permissions, which is a great thing, but it takes a good deal of forethought to get properly configured.
Not for the faint of heart; in fact I wouldn't recommend custom role groups unless you have a REAL need for them. For most people the built-in role groups (listed on the right) are good enough.

The good news is that once you do have it configured, you can simply put your admins into the applicable role groups.

So, while trying to figure this out, here is the syntax I came up with to give "Site 1 Mail Admins" management permission over the recipients in the OU "Site 1":

New-RoleGroup -Name "OKC MAIL ADMINS" -Members "Site1 MAIL ADMINS" -Roles "Mail Recipients", "User Options", "Mail Recipient Creation", "Mail Enabled Public Folders", "Distribution Groups" -RecipientOrganizationalUnitScope "ex2010/Lab Users/Site 1"

Here is the breakdown: -Name is the name of the new role group; -Members is the AD group (or users) placed into it; -Roles is the list of management roles the group is assigned; -RecipientOrganizationalUnitScope restricts those roles to recipient objects in the given OU (and its child OUs), so members cannot manage recipients anywhere else in the organization.

So now I can add my admins to that group and they can manage users and distribution groups in that OU only.
I do want to point out that this is specific to Exchange and is not the same as AD permissions: the role group gets rights to run Exchange cmdlets against recipients in that OU, not ACLs on the AD objects themselves.
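Here is the same procedure as a worked PowerShell script, added as an example and not taken from the original post. It resolves the OU first so the scope string is exactly what Exchange expects, creates the scoped role group, then verifies that every role assignment created for the group actually carries the OU scope. The organization name "ex2010", the OU "Lab Users/Site 1" and the two group names are the placeholders used above; the final ACL check assumes the ActiveDirectory module (AD: drive) is loaded on the management station.

```powershell
# Added example, not from the original post. Names below are placeholders
# from the post ("ex2010", "Lab Users/Site 1", "Site1 MAIL ADMINS");
# adjust them to your environment. Run in the Exchange Management Shell.

$ouName    = 'ex2010/Lab Users/Site 1'   # canonical name (Domain/OU/OU), not a DN
$groupName = 'OKC MAIL ADMINS'
$adGroup   = 'Site1 MAIL ADMINS'
$roles     = 'Mail Recipients', 'User Options', 'Mail Recipient Creation',
             'Mail Enabled Public Folders', 'Distribution Groups'

# 1. Resolve the OU up front. A mistyped OU name is the usual reason a scoped
#    role group silently cannot see or edit anything, so fail loudly here.
$ou = Get-OrganizationalUnit -Identity $ouName -ErrorAction Stop

# 2. Create the role group with its recipient write scope limited to that OU.
#    Passing the DN avoids any ambiguity in how the OU name is parsed.
New-RoleGroup -Name $groupName -Members $adGroup -Roles $roles `
    -RecipientOrganizationalUnitScope $ou.DistinguishedName | Out-Null

# 3. Verify: every assignment created for the group should show a write
#    scope of "OU" and point at our OU. Anything else means org-wide rights.
$assignments = Get-ManagementRoleAssignment -RoleAssignee $groupName
$assignments |
    Format-Table Role, RecipientWriteScope, RecipientOrganizationalUnitScope -AutoSize

$unscoped = $assignments | Where-Object { $_.RecipientWriteScope -ne 'OU' }
if ($unscoped) {
    Write-Warning ("Assignments NOT limited to the OU: " + ($unscoped.Role -join ', '))
}

# 4. Exchange performs the directory writes as "Exchange Trusted Subsystem",
#    so confirm that group still has access on the OU in AD. This step
#    assumes the ActiveDirectory module is loaded (it provides the AD: drive).
$acl = Get-Acl -Path ("AD:\" + $ou.DistinguishedName)
$ets = $acl.Access | Where-Object {
    $_.IdentityReference -like '*Exchange Trusted Subsystem*' -and
    $_.AccessControlType -eq 'Allow'
}
if (-not $ets) {
    Write-Warning "No Allow ACE for Exchange Trusted Subsystem on $($ou.DistinguishedName)"
}

# 5. Optionally confirm membership resolved as expected.
Get-RoleGroupMember -Identity $groupName | Format-Table Name, RecipientType -AutoSize
```

Step 3 is the check worth keeping around: if you later add roles to the group with New-ManagementRoleAssignment and forget the scope parameters, those assignments default to the whole organization, and this is the quickest way to spot it.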

2 thoughts on "RBAC YAY!!!"

  1. I'm trying to do the exact setup you list in your PowerShell command. However, in ECP, I have no ability to add or edit distribution groups. If I remove the -RecipientOrganizationalUnitScope switch, then I can edit/create distribution groups... but for the entire organization. I need to have a scoped OU. Does this work for you? Did you do anything else? I added the Security Group Creation and Membership role to no avail. Any help would be greatly appreciated!

    • I had some issues with scope also. What I had to do was run Get-OrganizationalUnit "NameOfOU" so that I had the EXACT name, then copied that and pasted it into the command. Other than that I didn't do anything in addition to the blog post.

      Keep in mind this makes it so that members of the group manage objects in the OU, not the other way around. (That may be obvious, but there has been some confusion there.)

      Not sure how your environment is, but it's also important to note that RBAC is "running as" a member of "Exchange Trusted Subsystem", so be sure that in AD you haven't removed that group's access to the OU in question.
