Configuring Exchange 2010 RBACs to support regional groups of administrators to manage their own recipients in their own mailbox databases.
The regional administrators will not be allowed to run any "Remove" cmdlet from the EMC or EMS; all user accounts, contacts, and groups will be deleted from within ADUC instead.
Note: These examples only show some of options available when creating RBACs. There are many ways to configure RBACs, so make sure you have a good understanding of all the options. In other words, the following should not be your only reference.
Step 01 – Create the Management Scopes to restrict database access by region.
New-ManagementScope NA-MailDBs -DatabaseRestrictionFilter {Name -like "NAMailDB*"}
New-ManagementScope EU-MailDBs -DatabaseRestrictionFilter {Name -like "EUMailDB*"}
New-ManagementScope AU-MailDBs -DatabaseRestrictionFilter {Name -like "AUMailDB*"}
Step 02 – Create new custom roles based on some of the roles included in the default Recipient Management role group.
New-ManagementRole -Name "Custom Mail Recipient Creation" -Parent "Mail Recipient Creation"
New-ManagementRole -Name "Custom Mail Recipients" -Parent "Mail Recipients"
New-ManagementRole -Name "Custom Distribution Groups" -Parent "Distribution Groups"
New-ManagementRole -Name "Custom Move Mailboxes" -Parent "Move Mailboxes"
Step 03 – Delete any Role Entries in the custom roles whose cmdlet name starts with "Remove-", except in the "Custom Move Mailboxes" role, which keeps Remove-MoveRequest so regional admins can still clear their own completed move requests.
Get-ManagementRoleEntry "Custom Mail Recipient Creation\*" | where { $_.Name -like "Remove-*" } | Remove-ManagementRoleEntry -Confirm:$false
Get-ManagementRoleEntry "Custom Mail Recipients\*" | where { $_.Name -like "Remove-*" } | Remove-ManagementRoleEntry -Confirm:$false
Get-ManagementRoleEntry "Custom Distribution Groups\*" | where { $_.Name -like "Remove-*" } | Remove-ManagementRoleEntry -Confirm:$false
Step 04 – Verify/Review the role entries for each of the custom roles. The filter above only strips Remove-* cmdlets; Disable-* cmdlets such as Disable-Mailbox are still present in "Custom Mail Recipients", so decide here whether those also need to go.
Get-ManagementRoleEntry "Custom Mail Recipient Creation\*" | ft Name
Get-ManagementRoleEntry "Custom Mail Recipients\*" | ft Name
Get-ManagementRoleEntry "Custom Distribution Groups\*" | ft Name
Get-ManagementRoleEntry "Custom Move Mailboxes\*" | ft Name
Step 05 – Create the new Role Groups to include a database scope, an OU scope, and the custom roles. The OU scope limits which recipients the group can write to; the database scope limits which mailbox databases cmdlets such as New-Mailbox, Enable-Mailbox, and New-MoveRequest may target.
New-RoleGroup -Name "Custom Recipient Mgmt - NA" -CustomConfigWriteScope "NA-MailDBs" -RecipientOrganizationalUnitScope "contoso.com/Resources/NA" -Roles "Custom Mail Recipient Creation", "Custom Mail Recipients", "Custom Distribution Groups", "Custom Move Mailboxes"
New-RoleGroup -Name "Custom Recipient Mgmt - EU" -CustomConfigWriteScope "EU-MailDBs" -RecipientOrganizationalUnitScope "contoso.com/Resources/EU" -Roles "Custom Mail Recipient Creation", "Custom Mail Recipients", "Custom Distribution Groups", "Custom Move Mailboxes"
New-RoleGroup -Name "Custom Recipient Mgmt - AU" -CustomConfigWriteScope "AU-MailDBs" -RecipientOrganizationalUnitScope "contoso.com/Resources/AU" -Roles "Custom Mail Recipient Creation", "Custom Mail Recipients", "Custom Distribution Groups", "Custom Move Mailboxes"
Step 06 – Add the admin user accounts to the new role groups.
Step 07 – Test and confirm.
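Steps 06 and 07 carry no commands on the original page. The following is an added example (not the page's own code) that adds members to the role groups and then checks the result two ways: from an unrestricted EMS by reading the assignments and effective users, and from a session opened as a regional admin, where the absence of Remove-Mailbox and the rejection of out-of-scope OU/database targets are the evidence. The admin account names (na-admin1, eu-admin1, au-admin1), the PowerShell URL, the database name NAMailDB01/EUMailDB01, and the test mailbox names are assumptions.

```powershell
# Added example for Steps 06 and 07; not part of the original page.
# Assumptions (not from the page): admin accounts na-admin1 / eu-admin1 / au-admin1,
# the CAS URL http://mail.contoso.com/PowerShell/, database names NAMailDB01 and
# EUMailDB01, and the test mailbox names used below.

# ---- Step 06: add the regional administrators to their role groups ----
Add-RoleGroupMember -Identity "Custom Recipient Mgmt - NA" -Member "na-admin1"
Add-RoleGroupMember -Identity "Custom Recipient Mgmt - EU" -Member "eu-admin1"
Add-RoleGroupMember -Identity "Custom Recipient Mgmt - AU" -Member "au-admin1"

# ---- Step 07a: review what RBAC actually evaluates (run as an org admin) ----
# New-RoleGroup created one role assignment per role; each should carry the
# database write scope and the OU recipient write scope from Step 05.
Get-ManagementRoleAssignment -RoleAssignee "Custom Recipient Mgmt - NA" |
    Format-Table Role, CustomConfigWriteScope, RecipientWriteScope, RecipientReadScope -AutoSize

# Expand group membership to the individual users who inherit the role.
Get-ManagementRoleAssignment -Role "Custom Mail Recipients" -GetEffectiveUsers |
    Format-Table EffectiveUserName, RoleAssigneeName -AutoSize

# Confirm no Remove-* entry survived in the three trimmed roles.
$trimmedRoles = "Custom Mail Recipient Creation", "Custom Mail Recipients", "Custom Distribution Groups"
foreach ($role in $trimmedRoles) {
    $left = Get-ManagementRoleEntry "$role\Remove-*" -ErrorAction SilentlyContinue
    if ($left) { Write-Warning "$role still contains: $($left.Name -join ', ')" }
    else       { Write-Host "$role contains no Remove-* entries" }
}
# "Custom Move Mailboxes" keeps Remove-MoveRequest by design (Step 03).

# ---- Step 07b: test as a regional admin from a workstation ----
# Import-PSSession only exposes the cmdlets RBAC grants this user, so a
# cmdlet that is simply missing is the expected outcome of the restriction.
$cred    = Get-Credential "contoso\na-admin1"
$session = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri "http://mail.contoso.com/PowerShell/" `
    -Authentication Kerberos -Credential $cred
Import-PSSession $session | Out-Null

# Expected: Remove-Mailbox is not available to na-admin1.
if (Get-Command Remove-Mailbox -ErrorAction SilentlyContinue) {
    Write-Warning "Remove-Mailbox is reachable by na-admin1; revisit Step 03."
}

# Expected: in-scope OU and in-scope database succeed.
$pw = Read-Host "Password for the test mailbox" -AsSecureString
New-Mailbox -Name "RBAC Test NA" -UserPrincipalName rbactest-na@contoso.com `
    -OrganizationalUnit "contoso.com/Resources/NA" -Database "NAMailDB01" -Password $pw

# Expected: out-of-scope OU, out-of-scope database, and an out-of-scope move
# target are all rejected for the NA admin.
New-Mailbox -Name "RBAC Test EU" -UserPrincipalName rbactest-eu@contoso.com `
    -OrganizationalUnit "contoso.com/Resources/EU" -Database "EUMailDB01" -Password $pw
New-MoveRequest -Identity rbactest-na@contoso.com -TargetDatabase "EUMailDB01"

Remove-PSSession $session
```

Because the regional admin deliberately has no Remove-* cmdlets, the "RBAC Test NA" account created during the test has to be deleted from ADUC, exactly as the page prescribes for production recipients. If the negative tests succeed instead of failing, check whether the test user also belongs to a broader role group (for example Recipient Management), since RBAC merges all of a user's assignments.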