Wednesday, 4 March 2015

Setting up Role Based Access Control with Exchange 2013

Exchange by default provides several pre-made management role groups:

Delegated Setup: Allows the user to deploy an Exchange installation - although not administer it.

Discovery Management: Allows the user to perform a search within all users mailboxes - this is often applied when doing auditing.

Help Desk: Allows the user to modify variables that are often required by a support team - for example changing a users telephone number.

Hygiene Management: Allows the user to manage the anti-malware and anti-spam settings related to Exchange.

Organizational Management: Provides the user with complete administrative control of Exchange.

Public Folder Management: Allows the user to manage public folders.

Recipient Management: Allows the user to create, delete and modify recipients.

Records Management: Allows the user to manage settings related to he compliance features e.g. auditing, rentation policies etc.

Server Management: Allows the user to work on the server management level only (e.g. managing recourse allocation) and hence not allowing them to work on the organizational level.

UM Management: Allows the user to manage all aspects of Unified Messaging.

You can get an overview of all of these (and their assosiated management roles) by using the "Get-RoleGroup" commands:


In order to see who is currently in a management role group you can use EMC:
Get-RoleGroupMember "Discovery Management"


Get-RoleGroupMember "Organization Administrators" -ReadFromDomainController
You could also check the corrosponding securiy group in AD under the "Microsoft Exchange Sercurity Groups" OU.

And to view a list of all available management roles:
Ideally what we want to do is create a custom role group that we can then assign to a user(s):
New-RoleGroup -Name MyCustomRoleGroup -Roles "Team Mailboxes" -Members user1,user2,user3 -ManagedBy "adminuser"
and finally we will assign an additional user to our custom role group:
Add-RoleGroupMember MyCustomRoleGroup -Member user4


Post a Comment