
Thursday, 2 April 2015

Setting up a Role Assignment Policy in Exchange 2013

New management roles are based on existing roles. When you create a role, an existing role and its management role entries are copied to the new role. The existing role becomes the parent to the new child role. You must always choose a role that contains all the cmdlets and parameters you need to use, and then remove the ones you don't want. Child roles can't have management role entries that don’t exist in the parent role.

New-ManagementRole -Parent "Mail Recipients" -Name "Seattle Mail Recipients"

** Note: I got the following error when attempting to run this: "You don't have access to create a new management role under the "Reset Password" management role. You must have enabled a delegating role assignment to the management role or its parent in the hierarchy without a scope restriction." **

After you create your role, you need to change the role's entries. You can remove an entire role entry, which removes access to the associated cmdlet completely. Or, you can remove parameters from a role entry to remove access to those specific parameters on the associated cmdlet.

Add-ManagementRoleEntry <child role name>\<cmdlet>

You can't add new role entries or parameters on role entries unless they exist in the parent role.

Management role scopes determine the objects made available to a user to view or change using the role entries configured.

New-ManagementScope -Name "Mailboxes in Sales OU" -RecipientRestrictionFilter { RecipientType -eq 'UserMailbox' } -RecipientRoot "contoso.com/Sales OU"

** Note: There are many different types of filters. For more information, see: https://technet.microsoft.com/en-GB/library/dd298043%28v=exchg.150%29.aspx **

The next step, once the role is created and configured, is to assign it to a role assignee (Role Assignment Policy).

New-RoleAssignmentPolicy <assignment policy name> -Roles <roles to assign>

We then want to apply our newly created scope to our role assignment policy:

Set-ManagementRoleAssignment "Redmond Recipient Administrators Assignment" -CustomRecipientWriteScope "Redmond Recipients"
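The whole procedure above as one Exchange Management Shell script, added here as an example and not taken from the original post. The parent role, child role name, scope name and recipient filter come from the post; the role group "Sales Helpdesk", the assignment name and the choice of which cmdlets and parameters to strip are assumptions for illustration.

```powershell
# Added example (not from the original post): build a least-privilege child role,
# trim it, scope it to one OU and assign it, then verify what was actually granted.
# Constructed names: "Sales Helpdesk" is assumed to be an existing role group or USG.
$parentRole = 'Mail Recipients'
$childRole  = 'Seattle Mail Recipients'
$scopeName  = 'Mailboxes in Sales OU'
$assignee   = 'Sales Helpdesk'
$assignment = "$assignee - $childRole"

# 1. Derive the child role; it starts with every role entry of the parent.
New-ManagementRole -Parent $parentRole -Name $childRole

# 2. Remove whole entries the assignee should not have. Only remove entries that
#    exist, since a child role can never hold entries its parent lacks.
$unwantedCmdlets = 'Add-MailboxPermission', 'Set-MailboxFolderPermission'
foreach ($cmdlet in $unwantedCmdlets) {
    if (Get-ManagementRoleEntry "$childRole\$cmdlet" -ErrorAction SilentlyContinue) {
        Remove-ManagementRoleEntry -Identity "$childRole\$cmdlet" -Confirm:$false
    }
}

# 3. Keep Set-Mailbox, but strip the forwarding parameters so the assignee cannot
#    redirect a mailbox's mail flow (an illustrative hardening choice).
Set-ManagementRoleEntry -Identity "$childRole\Set-Mailbox" `
    -Parameters ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward `
    -RemoveParameter

# 4. Scope write access to user mailboxes under a single OU (filter from the post).
New-ManagementScope -Name $scopeName `
    -RecipientRestrictionFilter { RecipientType -eq 'UserMailbox' } `
    -RecipientRoot 'contoso.com/Sales OU'

# 5. Assign the role to the group, bound to that write scope, in one step. The post
#    creates the assignment first and applies the scope afterwards with
#    Set-ManagementRoleAssignment -CustomRecipientWriteScope; the end state is the same.
New-ManagementRoleAssignment -Name $assignment -Role $childRole `
    -SecurityGroup $assignee -CustomRecipientWriteScope $scopeName

# 6. Verify: remaining entries with their parameters, and the assignment's
#    effective recipient write scope.
Get-ManagementRoleEntry "$childRole\*" | Sort-Object Name |
    Format-Table Name, Parameters -AutoSize
Get-ManagementRoleAssignment -Role $childRole |
    Format-List Name, RoleAssigneeName, RecipientWriteScope, CustomRecipientWriteScope
```

Run the verification step again after any later change to the parent role: because entries are inherited, a cmdlet added to "Mail Recipients" becomes available to the child role unless it is removed there as well.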
