Enable users to manage distribution groups without new- or remove- Cmdlets using Management roles

In this post I will show you how to create a management role and assign it to a group. We will remove the New- and Remove- cmdlets from the management role and make sure that it works. This enables users to manage distribution groups without the permission to create or remove any distribution groups.

You might want to give users permission to manage the groups they are managers of, without the possibility to create new groups or remove current groups. This gives you more controlled distribution group management, without new groups popping up. One customer of mine uses a distribution group administrator for each department who is instructed and responsible for the creation and removal of the groups concerning that department.

The Management role

The first thing we need to do is create a new Management Role. We do this because we do not want to edit a built-in management role. What we can do is base our new Management Role on one of the built-in roles; by doing that we populate our new role with the same management role entries.

To create a new Management Role, use the following cmdlet:
New-ManagementRole -Name "MyDistributionGroupsAdmins" -Parent MyDistributionGroups


Next we will remove the New- and Remove- cmdlets from our new Management Role. But first we will check which cmdlets match:
Get-ManagementRoleEntry "MyDistributionGroupsAdmins\New-*"

When we are sure that these cmdlets are the ones we want to remove, run the following cmdlet:
Get-ManagementRoleEntry "MyDistributionGroupsAdmins\New-*" | Remove-ManagementRoleEntry


We will do the same for the Remove- cmdlets:
Get-ManagementRoleEntry "MyDistributionGroupsAdmins\Remove-DistributionGroup"

We only want to remove one of the cmdlets:
Get-ManagementRoleEntry "MyDistributionGroupsAdmins\Remove-DistributionGroup" | Remove-ManagementRoleEntry


Now we have a new Management Role without the New- and Remove- cmdlets. Next we want to assign the role to our users in some way. I will explain three different ways of doing this.

Assignment using Management Role Group

When we use this method we will create a Role Group, add members and managers to the group and add our previously created Management Role to the group. A Management Role Group also includes a Universal Security Group that is created during the process.

I am not going to go through exactly how Management Role Groups work; more information on this can be found here.

When creating the Role Group use the following command:
New-RoleGroup -Name "Distribution Group Managers" -Roles "MyDistributionGroupsAdmins" -Members Test10, Test11,Test12 -ManagedBy Test12


This creates a new Role Group, adds the users Test10 and Test11 as members and the user Test12 as manager. Test12 will get both the rights that the Role Group includes and the permission to manage the group.

To be able to confirm that our configuration works we need to create a Distribution Group and set user Test12 as owner, I use the following command to achieve this:
New-DistributionGroup -Name "Test Group 1000" -OrganizationalUnit "sundis.local/Test/users" -SAMAccountName "TestGroup1000" -Type "Distribution" -ManagedBy Test12


Now we can log on to the ECP as our manager, Test12 in my case, and see if our configuration works. Open ECP, log in and navigate to Groups. Select the group you want to manage in the right column, Public Groups I Own, and click Details or double-click it.


Add a user by expanding Membership and click Add.


Select the mailboxes you want to add to the group, click Add and Ok.


Check that your changes look ok and then click Save.


You should now be back at ECP and our test is finished and successful.

Assignment using a new Management Role Assignment Policy

The second option I am going to explain is the use of a Management Role Assignment Policy. Using a policy enables you to group a number of Management Roles together in a policy and configure mailboxes to use this policy. Again, I will not do any deep dive into Management Role Assignment Policies; more information on this can be found here.

We will use the same Management Role as we created above and start with creating a new Policy. Note that we also include a role called MyBaseOptions. If we leave this role out it will prevent users who are assigned this policy from using ECP and OWA options. Use the cmdlet below to create the policy:
New-RoleAssignmentPolicy "Distribution Group Admins" -Roles MyBaseOptions, MyDistributionGroupsAdmins


If you want to make this Policy the default, add -IsDefault as in the following example:
New-RoleAssignmentPolicy "Distribution Group Admins" -Roles MyBaseOptions, MyDistributionGroupsAdmins -IsDefault

When the Policy is created you can add it to a mailbox with the following cmdlet:
Set-Mailbox Test10 -RoleAssignmentPolicy "Distribution Group Admins"

And a simple Get-Mailbox to check the result:
Get-Mailbox Test10 | fl Role*


Again, let's check this using the ECP for mailbox Test10. For this test I create a new Distribution Group called Test Group 1001 and add Test10 as manager using the following cmdlet:
New-DistributionGroup -Name "Test Group 1001" -OrganizationalUnit "sundis.local/Test/users" -SAMAccountName "TestGroup1001" -Type "Distribution" -ManagedBy Test10


In ECP, navigate to Groups. Select the group you want to manage in the right column Public Groups I Own and click Details or double click it.


Add a user by expanding Membership and click Add.


Select the mailboxes you want to add to the group, click Add and Ok.


Review the changes you have made and click Save when finished.


This will take you back to ECP and we are finished with this part.

Assignment by customizing the Default Management Role Assignment Policy

Last but not least we will add our Role to the Default Management Role Assignment Policy. To achieve this we create a new Management Role Assignment by running this cmdlet:
New-ManagementRoleAssignment -Name "Default Role Assignment Policy - MyDistributionGroupsAdmins" -Role MyDistributionGroupsAdmins -Policy "Default Role Assignment Policy"


Now all the mailboxes with the Default Role Assignment Policy configured will have the ability to manage the distribution Groups they are managers for. Since I like screenshots I will make sure this is ok. First create a new Distribution Group:
New-DistributionGroup -Name "Test Group 1002" -OrganizationalUnit "sundis.local/Test/users" -SAMAccountName "TestGroup1002" -Type "Distribution" -ManagedBy Test11


Let's also make sure that the mailbox Test11 has the Default Role Assignment Policy set:
Get-Mailbox Test11 | fl Role*


Now we can log in to ECP and make sure that we can manage Test Group 1002. Select the group you want to manage in the right column Public Groups I Own and click Details or double click it.


Add a user by expanding Membership and click Add.


Select the mailboxes you want to add to the group, click Add and Ok.


Review the changes you have made and click Save when finished.


All done, the Default Policy is altered and tested.
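As an added example (not code from the original post), here is the whole role-building procedure as one re-runnable script that also verifies the result before you assign the role: New-* and Remove-DistributionGroup must be gone, while Remove-DistributionGroupMember, which managers need to remove members, must still be there. The role names are the ones used above; the function names are my own.

```powershell
# Added example, not from the original post. Role names match the post; function names are assumed.
$RoleName   = "MyDistributionGroupsAdmins"
$ParentRole = "MyDistributionGroups"

# Entries to strip: everything that creates objects, plus the one cmdlet that deletes whole groups.
# Remove-DistributionGroupMember is deliberately kept, otherwise managers cannot remove members.
function Test-ForbiddenEntry {
    param($Entry)
    return ($Entry.Name -like "New-*" -or $Entry.Name -eq "Remove-DistributionGroup")
}

function New-RestrictedDistributionGroupRole {
    param([string]$Name, [string]$Parent)

    # Create the custom role only when it does not exist yet, so the script can be re-run safely
    if (-not (Get-ManagementRole -Identity $Name -ErrorAction SilentlyContinue)) {
        New-ManagementRole -Name $Name -Parent $Parent | Out-Null
    }

    Get-ManagementRoleEntry "$Name\*" |
        Where-Object { Test-ForbiddenEntry $_ } |
        ForEach-Object { Remove-ManagementRoleEntry -Identity "$Name\$($_.Name)" -Confirm:$false }
}

function Test-RestrictedDistributionGroupRole {
    param([string]$Name)
    $entries   = @(Get-ManagementRoleEntry "$Name\*")
    $forbidden = @($entries | Where-Object { Test-ForbiddenEntry $_ })
    $keepsMemberRemoval = @($entries | Where-Object { $_.Name -eq "Remove-DistributionGroupMember" }).Count -eq 1

    if ($forbidden.Count -gt 0) {
        $names = @($forbidden | ForEach-Object { $_.Name })
        Write-Warning "$Name still contains: $($names -join ', ')"
    }
    if (-not $keepsMemberRemoval) {
        Write-Warning "$Name lost Remove-DistributionGroupMember; managers cannot remove members"
    }
    return ($forbidden.Count -eq 0 -and $keepsMemberRemoval)
}

function Get-RoleReach {
    # Where the role is assigned: role groups and assignment policies (and therefore which mailboxes)
    param([string]$Name)
    Get-ManagementRoleAssignment -Role $Name |
        Select-Object Name, RoleAssigneeType, RoleAssigneeName, Enabled
}

New-RestrictedDistributionGroupRole -Name $RoleName -Parent $ParentRole
if (Test-RestrictedDistributionGroupRole -Name $RoleName) {
    Write-Host "$RoleName verified; current assignments:"
    Get-RoleReach -Name $RoleName | Format-Table -AutoSize
}
```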

I hope you like the post and find it useful. Thanks for reading and let me know if you have any questions!

Quick Tip: View the database size and mailbox count for mailbox databases

In this quick tip post I will show you how to retrieve the mailbox database size and the mailbox count for one or all mailbox databases. Let's start with mailbox database size.

Mailbox database size

This command is quite simple and utilizes the -Status parameter of the Get-MailboxDatabase cmdlet:

Get-MailboxDatabase -Identity <MailboxDatabaseName> -Status | Select ServerName,Name,DatabaseSize

To retrieve the size of all mailbox databases:

Get-MailboxDatabase -Status | Select ServerName,Name,DatabaseSize

And if you want to sort this on DatabaseSize:

Get-MailboxDatabase -Status | Select ServerName,Name,DatabaseSize | Sort-Object DatabaseSize -Descending

And with sorting on the mailbox database name:

Get-MailboxDatabase -Status | Select ServerName,Name,DatabaseSize | Sort-Object Name -Descending

Mailbox count for mailbox databases

Now we will focus on counting the mailboxes in each mailbox database. This command is also quite easy to use.

Get-Mailbox -ResultSize:Unlimited | Group-Object -Property:Database | Select-Object Name,Count | Sort-Object -Property:Count –Descending

Let's break this up a bit… The first part is an ordinary Get-Mailbox cmdlet with -ResultSize:Unlimited to include all mailboxes:

Get-Mailbox -ResultSize:Unlimited

Then we group the objects from the result of the Get-Mailbox cmdlet on Database to be able to count based on each mailbox database:

Group-Object -Property:Database

Moving on with a selection of the properties we want to display including a count:

Select-Object Name,Count

And finally we sort the results based on the count property to get it in a nice list with the mailbox database with most mailboxes on top:

Sort-Object -Property:Count -Descending
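As an added example (not from the original post), the two quick tips combined into one report: one object per database with the size from Get-MailboxDatabase -Status and the mailbox count from Get-Mailbox, plus the average mailbox size. The function name is my own.

```powershell
# Added example, not from the original post. Function name is assumed.
function Get-MailboxDatabaseReport {
    # Count mailboxes per database in a single pass, keyed by the database name
    $counts = @{}
    foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
        $key = $mbx.Database.Name
        if ($counts.ContainsKey($key)) { $counts[$key]++ } else { $counts[$key] = 1 }
    }

    foreach ($db in Get-MailboxDatabase -Status) {
        $count = 0
        if ($counts.ContainsKey($db.Name)) { $count = $counts[$db.Name] }

        # DatabaseSize is a ByteQuantifiedSize; ToBytes() keeps the fraction that ToGB() would truncate.
        # It is empty for a dismounted database, so that case stays explicit instead of dividing by it.
        $sizeGB = $null; $avgMB = $null
        if ($db.DatabaseSize) {
            $bytes  = $db.DatabaseSize.ToBytes()
            $sizeGB = [math]::Round($bytes / 1GB, 2)
            if ($count -gt 0) { $avgMB = [math]::Round($bytes / 1MB / $count, 0) }
        }

        New-Object PSObject -Property @{
            ServerName     = $db.ServerName
            Name           = $db.Name
            Mounted        = $db.Mounted
            DatabaseSizeGB = $sizeGB
            MailboxCount   = $count
            AvgMailboxMB   = $avgMB
        }
    }
}

Get-MailboxDatabaseReport |
    Select-Object ServerName, Name, Mounted, DatabaseSizeGB, MailboxCount, AvgMailboxMB |
    Sort-Object MailboxCount -Descending |
    Format-Table -AutoSize
```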

One-liner to export mailbox size, quotas and more to a CSV file

I got a question from a friend asking if I could help him sort out a command that exports mailbox size and quotas to a CSV file. This should work for both Exchange Server 2007 and 2010; here is how we did it:

First run a get mailbox command:

Get-Mailbox -ResultSize Unlimited

Then we add a pipe and a number of attributes we want to get:

Get-Mailbox -ResultSize Unlimited | Select-Object DisplayName, IssueWarningQuota, ProhibitSendQuota

We continue by adding two calculated properties that call Get-MailboxStatistics to retrieve attributes that the Get-Mailbox cmdlet does not give us:

@{label="TotalItemSize(MB)";expression={(Get-MailboxStatistics $_).TotalItemSize.Value.ToMB()}} and @{label="ItemCount";expression={(Get-MailboxStatistics $_).ItemCount}}

Then we add another attribute that Get-Mailbox gives us:

Database

And to finish it off we export the results to a CSV file after another pipe:

| Export-Csv "UserMailboxSizes.csv" -NoTypeInformation

And the complete command again with all parts combined together:

Get-Mailbox -ResultSize Unlimited | Select-Object DisplayName, IssueWarningQuota, ProhibitSendQuota, @{label="TotalItemSize(MB)";expression={(Get-MailboxStatistics $_).TotalItemSize.Value.ToMB()}}, @{label="ItemCount";expression={(Get-MailboxStatistics $_).ItemCount}}, Database | Export-Csv "C:\Scripts\UserMailboxSizes.csv" -NoTypeInformation

This command can of course be modified and you can add other attributes or functions. In the following example I use Where to get only the mailboxes that do not use the database default quota:

Where {$_.UseDatabaseQuotaDefaults -eq $false}

And the complete command:

Get-Mailbox -ResultSize Unlimited | Where {$_.UseDatabaseQuotaDefaults -eq $false} | Select-Object DisplayName, IssueWarningQuota, ProhibitSendQuota, @{label="TotalItemSize(MB)";expression={(Get-MailboxStatistics $_).TotalItemSize.Value.ToMB()}}, @{label="ItemCount";expression={(Get-MailboxStatistics $_).ItemCount}}, Database | Export-Csv "C:\Scripts\UserMailboxSizes.csv" -NoTypeInformation

There you go, enjoy and do not hesitate to let me know if you have any questions!
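As an added example (not the post's own one-liner), the same export written as a function that calls Get-MailboxStatistics once per mailbox instead of once per column, handles Unlimited quotas, resolves the database quota when the mailbox uses the database defaults, and adds a percentage of the send quota used. It assumes the local Exchange Management Shell on Exchange 2010, where the .Value.ToMB() calls work as they do in the post; the function and parameter names are my own.

```powershell
# Added example, not the post's one-liner. Assumes the local Exchange 2010 Management Shell.
function Get-MailboxQuotaReport {
    param(
        [string]$OutFile = "C:\Scripts\UserMailboxSizes.csv",   # same path as in the post
        [switch]$OnlyCustomQuotas,   # only mailboxes that override the database quota defaults
        [int]$WarnAtPercent = 90     # flag mailboxes at or above this share of their send quota
    )

    # Database quotas, cached once: they are the effective quotas when UseDatabaseQuotaDefaults is true
    $dbQuota = @{}
    foreach ($db in Get-MailboxDatabase) { $dbQuota[$db.Name] = $db }

    $mailboxes = Get-Mailbox -ResultSize Unlimited
    if ($OnlyCustomQuotas) {
        $mailboxes = $mailboxes | Where-Object { $_.UseDatabaseQuotaDefaults -eq $false }
    }

    $report = foreach ($mbx in $mailboxes) {
        # One statistics call per mailbox instead of one per calculated property
        $stats = Get-MailboxStatistics -Identity $mbx.Identity -ErrorAction SilentlyContinue
        if (-not $stats) { continue }   # never logged on to: no store statistics yet
        $sizeMB = $stats.TotalItemSize.Value.ToMB()

        # Pick the object whose quota values actually apply to this mailbox
        $source = $mbx
        $dbName = $mbx.Database.Name
        if ($mbx.UseDatabaseQuotaDefaults -and $dbQuota.ContainsKey($dbName)) { $source = $dbQuota[$dbName] }

        # Quotas are Unlimited<ByteQuantifiedSize>: .Value must not be read when IsUnlimited is set
        $warnMB = $null; $sendMB = $null; $percent = $null
        if (-not $source.IssueWarningQuota.IsUnlimited) { $warnMB = $source.IssueWarningQuota.Value.ToMB() }
        if (-not $source.ProhibitSendQuota.IsUnlimited) {
            $sendMB = $source.ProhibitSendQuota.Value.ToMB()
            if ($sendMB -gt 0) { $percent = [math]::Round(100 * $sizeMB / $sendMB, 1) }
        }

        New-Object PSObject -Property @{
            DisplayName             = $mbx.DisplayName
            Database                = $dbName
            UsesDatabaseDefaults    = $mbx.UseDatabaseQuotaDefaults
            "TotalItemSize(MB)"     = $sizeMB
            ItemCount               = $stats.ItemCount
            "IssueWarningQuota(MB)" = $warnMB
            "ProhibitSendQuota(MB)" = $sendMB
            PercentOfSendQuota      = $percent
            NearQuota               = ($percent -ne $null -and $percent -ge $WarnAtPercent)
        }
    }

    # Fix the column order (hashtable order is not preserved) before exporting and returning
    $columns = "DisplayName", "Database", "UsesDatabaseDefaults", "TotalItemSize(MB)", "ItemCount",
               "IssueWarningQuota(MB)", "ProhibitSendQuota(MB)", "PercentOfSendQuota", "NearQuota"
    $ordered = $report | Select-Object $columns | Sort-Object PercentOfSendQuota -Descending
    $ordered | Export-Csv -Path $OutFile -NoTypeInformation
    return $ordered
}

# Full report to CSV, then the mailboxes that are close to being blocked from sending
$all = Get-MailboxQuotaReport
$all | Where-Object { $_.NearQuota } | Format-Table DisplayName, "TotalItemSize(MB)", PercentOfSendQuota -AutoSize
```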

A fix for the “Close all dialogs” issue with EMC in combination with IE9 has been released!

I usually do not write about news or hotfix releases on my blog, mostly because I find it a bit unnecessary since you all probably follow the Microsoft Exchange Team Blog. But for this one I will make an exception.

Microsoft just released a fix for the interoperability problem between Exchange Management Console and Internet Explorer 9 that many have seen since the release of IE9. When IE9 is installed and you try to close the EMC you will receive the following error message:

You must close all dialog boxes before you can close Exchange Management Console.


Neither the hotfix nor the KB article is available to the public yet, but it can be requested from Microsoft support. The hotfix that you need to request is the one for KB 2624899; more information on how to contact Microsoft Support follows…


How do I call support? Will I need to pay for this?

In order to reach Microsoft support, you can find the correct support contact for your location here. Microsoft does not charge for hotfixes or support cases related to product bugs. Both IE and Exchange support teams should be able to get this patch for you. 


More information regarding this can be found here!

Script to configure Exchange Server 2010 for SSLOffloading

When using a hardware load balancer you sometimes come across the need to configure Exchange Server to support SSL offloading. In my case I use a Citrix Netscaler to publish Exchange Server in a scenario where I have enabled SSL offloading on the Citrix Netscaler. For this to work, configuration changes need to be made in Exchange Server 2010. Bear in mind that with offloading the leg between the load balancer and the Client Access servers is plain HTTP, so that network segment has to be trusted.

The script below configures both Exchange 2010 RTM and SP1; it also enables basic authentication in IIS for ECP, EWS and OWA.

#
# This script will configure the Exchange 2010 RTM and SP1 Client Access Servers for SSLOffload
# It applies when using a hardware load balancer with SSLOffloading enabled
#
# Created by Martin Sundström 2011-09-26
#
# Run from an elevated Exchange Management Shell on each Client Access Server
#---------------------------------------------------------------------------------------------------------------------------------------------------------
Write-Host -f DarkGray "This script will configure the Exchange 2010 RTM and SP1 Client Access Servers for SSLOffload"

# Set SSLOffload registry key for OWA (-Force overwrites the value if the script is run again)
Write-Host -f DarkGray "Setting SSLOffload registry key for OWA..."

New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchange OWA' -Name SSLOffloaded -Value 1 -PropertyType DWORD -Force | Out-Null

Write-Host -f DarkGray "Done!"
Write-Host -f DarkGray ""


# Assign static ports
Write-Host -f DarkGray "Assigning static ports..."

# Assign static port for MSExchangeAB (Address Book service); the key may not exist yet, the value is REG_SZ
$abKey = 'HKLM:\SYSTEM\CurrentControlSet\services\MSExchangeAB\Parameters'
If (-not (Test-Path $abKey)) { New-Item -Path $abKey | Out-Null }
New-ItemProperty -Path $abKey -Name RpcTcpPort -Value 60000 -PropertyType String -Force | Out-Null

# Assign static port for MSExchangeRPC (RPC Client Access service); the value is REG_DWORD
$rpcKey = 'HKLM:\SYSTEM\CurrentControlSet\services\MSExchangeRPC\ParametersSystem'
If (-not (Test-Path $rpcKey)) { New-Item -Path $rpcKey | Out-Null }
New-ItemProperty -Path $rpcKey -Name "TCP/IP Port" -Value 59532 -PropertyType DWORD -Force | Out-Null

Write-Host -f DarkGray "Done!"
Write-Host -f DarkGray ""


# Disable RequireSSL on websites (and enable basic authentication for the root, ecp, EWS and owa)
Write-Host -f DarkGray "Disabling RequireSSL on websites..."

$appcmd = "$env:windir\system32\inetsrv\appcmd.exe"
$vdirs = "Default Web Site", "Default Web Site/Autodiscover", "Default Web Site/ecp", "Default Web Site/EWS", "Default Web Site/Microsoft-Server-ActiveSync", "Default Web Site/owa", "Default Web Site/rpc"
$basicAuthVdirs = "Default Web Site", "Default Web Site/ecp", "Default Web Site/EWS", "Default Web Site/owa"

ForEach ($vdir in $vdirs)
{
	# One appcmd call per configuration section
	& $appcmd set config $vdir -commitPath:APPHOST -section:access -sslFlags:None
	If ($basicAuthVdirs -contains $vdir)
	{
		& $appcmd set config $vdir -commitPath:APPHOST -section:basicAuthentication -enabled:true
	}
}

Write-Host -f DarkGray "Done!"
Write-Host -f DarkGray ""


# Configure Outlook Anywhere
Write-Host -f DarkGray "Configure Outlook Anywhere"

$outlookAnywhere = Get-OutlookAnywhere -Server $env:COMPUTERNAME -ErrorAction SilentlyContinue

If ($outlookAnywhere)
{
	$outlookAnywhere | Set-OutlookAnywhere -SSLOffloading $true
}
Else
{
	Write-Host -f DarkGray "Outlook Anywhere is not enabled on this server; enable it and remember to check the box to enable SSL Offloading"
}

Write-Host -f DarkGray "Done!"
Write-Host -f DarkGray ""


# This part of the script only applies to Exchange Server 2010 RTM (version 14.0); SP1 reports version 14.1
$adminVersion = (Get-ExchangeServer -Identity $env:COMPUTERNAME).AdminDisplayVersion.ToString()
$isRtm = $adminVersion -like "Version 14.0*"

If ($isRtm)
{
	# Configure web.config files: switch the WCF bindings from httpsTransport to httpTransport
	Write-Host -f DarkGray "Configuring web.config files for RTM..."

	$vdirPaths = (Get-AutodiscoverVirtualDirectory -Server $env:COMPUTERNAME).Path, (Get-WebServicesVirtualDirectory -Server $env:COMPUTERNAME).Path

	ForEach ($vdirPath in $vdirPaths)
	{
		$webConfig = Join-Path $vdirPath "web.config"
		Copy-Item $webConfig "$webConfig.bak" -Force   # keep a copy of the original
		(Get-Content $webConfig) | ForEach-Object { $_ -replace "httpsTransport", "httpTransport" } | Set-Content $webConfig
	}

	Write-Host -f DarkGray "Done!"
	Write-Host -f DarkGray ""
}


# Run IISReset
Write-Host -f DarkGray "Running `"iisreset`" to complete the process..."

iisreset

Write-Host -f DarkGray ""

Feel free to use and edit as you need and don’t hesitate to drop a comment if you find any errors or have any questions!
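As an added example (not part of the script above), a read-only check that reads back the settings the script writes, so a Client Access Server can be verified after the change or before a maintenance window. It assumes the WebAdministration module (Windows Server 2008 R2 and later) and the Exchange Management Shell; the expected ports are the ones the script sets and the function names are my own.

```powershell
# Added example, not part of the original script. Assumes the WebAdministration module and the
# Exchange Management Shell; expected values are the ones the script above writes.
Import-Module WebAdministration

function New-CheckResult {
    param($Check, $Expected, $Actual, [bool]$Pass)
    New-Object PSObject -Property @{ Check = $Check; Expected = "$Expected"; Actual = "$Actual"; Pass = $Pass }
}

function Test-SslOffloadConfig {
    $results = @()

    # OWA registry flag
    $owa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchange OWA' -ErrorAction SilentlyContinue
    $results += New-CheckResult "OWA SSLOffloaded" 1 $owa.SSLOffloaded ($owa.SSLOffloaded -eq 1)

    # Static ports (REG_SZ for MSExchangeAB, REG_DWORD for MSExchangeRPC)
    $ab = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\services\MSExchangeAB\Parameters' -ErrorAction SilentlyContinue
    $results += New-CheckResult "MSExchangeAB RpcTcpPort" 60000 $ab.RpcTcpPort ("$($ab.RpcTcpPort)" -eq "60000")
    $rpc = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\services\MSExchangeRPC\ParametersSystem' -ErrorAction SilentlyContinue
    $port = $rpc."TCP/IP Port"
    $results += New-CheckResult "MSExchangeRPC TCP/IP Port" 59532 $port ($port -eq 59532)

    # RequireSSL must be off on every virtual directory the script touches
    $vdirs = "Default Web Site", "Default Web Site/Autodiscover", "Default Web Site/ecp", "Default Web Site/EWS",
             "Default Web Site/Microsoft-Server-ActiveSync", "Default Web Site/owa", "Default Web Site/rpc"
    foreach ($vdir in $vdirs) {
        $psPath = "IIS:\Sites\" + ($vdir -replace "/", "\")
        $raw = Get-WebConfigurationProperty -PSPath $psPath -Filter 'system.webServer/security/access' -Name 'sslFlags'
        if ($raw -ne $null -and $raw.PSObject.Properties["Value"]) { $raw = $raw.Value }
        # Depending on the provider version the flag comes back as its name or its number; accept both
        $flags = "$raw"
        $results += New-CheckResult "sslFlags $vdir" "None" $flags ($flags -eq "None" -or $flags -eq "0")
    }

    # Outlook Anywhere must have SSL offloading switched on
    $oa = Get-OutlookAnywhere -Server $env:COMPUTERNAME -ErrorAction SilentlyContinue
    $results += New-CheckResult "Outlook Anywhere SSLOffloading" $true $oa.SSLOffloading ([bool]$oa.SSLOffloading)

    $results | Select-Object Check, Expected, Actual, Pass
}

$checks = Test-SslOffloadConfig
$checks | Format-Table -AutoSize
if ($checks | Where-Object { -not $_.Pass }) { Write-Warning "SSL offload configuration is incomplete on $env:COMPUTERNAME" }
```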

Exchange Server Version Numbers

A list of all versions of Exchange server released so far including version numbers.

| Friendly name | Version number |
|---|---|
| Microsoft Exchange Server 4.0 | 4.0.837 |
| Microsoft Exchange Server 4.0 (a) | 4.0.993 |
| Microsoft Exchange Server 4.0 SP1 | 4.0.838 |
| Microsoft Exchange Server 4.0 SP2 | 4.0.993 |
| Microsoft Exchange Server 4.0 SP3 | 4.0.994 |
| Microsoft Exchange Server 4.0 SP4 | 4.0.995 |
| Microsoft Exchange Server 4.0 SP5 | 4.0.996 |
| Microsoft Exchange Server 5.0 | 5.0.1457 |
| Microsoft Exchange Server 5.0 SP1 | 5.0.1458 |
| Microsoft Exchange Server 5.0 SP2 | 5.0.1460 |
| Microsoft Exchange Server 5.5 | 5.5.1960 |
| Microsoft Exchange Server 5.5 SP1 | 5.5.2232 |
| Microsoft Exchange Server 5.5 SP2 | 5.5.2448 |
| Microsoft Exchange Server 5.5 SP3 | 5.5.2650 |
| Microsoft Exchange Server 5.5 SP4 | 5.5.2653 |
| Microsoft Exchange 2000 Server | 6.0.4417 |
| Microsoft Exchange 2000 Server (a) | 6.0.4417 |
| Microsoft Exchange 2000 Server SP1 | 6.0.4712 |
| Microsoft Exchange 2000 Server SP2 | 6.0.5762 |
| Microsoft Exchange 2000 Server SP3 | 6.0.6249 |
| Microsoft Exchange 2000 Server post-SP3 | 6.0.6487 |
| Microsoft Exchange 2000 Server post-SP3 | 6.0.6556 |
| Microsoft Exchange 2000 Server post-SP3 | 6.0.6603 |
| Microsoft Exchange 2000 Server post-SP3 | 6.0.6620.5 |
| Microsoft Exchange 2000 Server post-SP3 | 6.0.6620.7 |
| Microsoft Exchange Server 2003 | 6.5.6944 |
| Microsoft Exchange Server 2003 SP1 | 6.5.7226 |
| Microsoft Exchange Server 2003 SP2 | 6.5.7638 |
| Microsoft Exchange Server 2003 post-SP2 | 6.5.7653.33 |
| Microsoft Exchange Server 2003 post-SP2 | 6.5.7654.4 |
| Microsoft Exchange Server 2007 | 8.0.685.24 or 8.0.685.25 |
| Microsoft Exchange Server 2007 SP1 | 8.1.0240.006 |
| Microsoft Exchange Server 2007 SP2 | 8.2.0176.002 |
| Microsoft Exchange Server 2007 SP3 | 8.3.0083.006 |
| Microsoft Exchange Server 2010 | 14.00.0639.021 |
| Microsoft Exchange Server 2010 SP1 | 14.01.0218.015 |

Manage full access permissions on mailboxes in Exchange 2010

This is the updated version with a few additions and corrections based on both comments and new features added by Microsoft since my first post.

Grant permissions on a single mailbox

Use the following command to grant access to just one mailbox:

Add-MailboxPermission -Identity <MailboxIdentity> -User <UserorGroupIdentity> -AccessRights Fullaccess -InheritanceType all

Note: the User parameter can in fact be either users or groups; the parameter name "User" is a bit misleading!

Example:

Add-MailboxPermission -Identity "Test" -User Administrator -AccessRights Fullaccess -InheritanceType all


Or If I want to add the security Group Group2:

Add-MailboxPermission -Identity "Test" -User Group2 -AccessRights Fullaccess -InheritanceType all


Grant permissions on all mailboxes

Use the following command to grant access to all mailboxes:

Get-Mailbox | Add-MailboxPermission -User <UserorGroupIdentity> -AccessRights Fullaccess -InheritanceType all

Example:

Get-Mailbox | Add-MailboxPermission -User Administrator -AccessRights Fullaccess -InheritanceType all

Note: In the screenshot below I received a message saying that Administrator already has access to the mailbox Test (yellow text message).


Grant permissions on mailboxes using Where

We might as well add a Where to the command while we are at it. With this command we grant access to all mailboxes in a specific OU:

Get-Mailbox | Where { $_.OrganizationalUnit -eq "<OrganizationalUnit>" } | Add-MailboxPermission -User <UserorGroupIdentity> -AccessRights Fullaccess -InheritanceType all

Example:

Get-Mailbox | Where { $_.OrganizationalUnit -eq "sundis.local/Test/Users" } | Add-MailboxPermission -User Administrator -AccessRights Fullaccess -InheritanceType all


Remove permissions on a single mailbox

Quite simple, just change Add to Remove:

Remove-MailboxPermission -Identity <MailboxIdentity> -User <UserorGroupIdentity> -AccessRights Fullaccess -InheritanceType all

Example:

Remove-MailboxPermission -Identity "Test" -User Administrator -AccessRights Fullaccess -InheritanceType all


Remove permissions on all mailboxes

Well you have probably figured this one out already, but I will show it to you anyway:

Get-Mailbox | Remove-MailboxPermission -User <UserorGroupIdentity> -AccessRights Fullaccess -InheritanceType all

Example:

Get-Mailbox | Remove-MailboxPermission -User Administrator -AccessRights Fullaccess -InheritanceType all

Note: As you can see below, using this command will also remove the user's full access to their own mailbox. That is not good, so this command should be used with care…


How to configure the rights assignment to apply on new mailboxes automatically

This can be done using one of three methods: two using EMS and one using ADSIEdit.

Using EMS method 1 (recommended)

With this method we grant permissions on the databases container in the configuration Naming context using the following PowerShell command:

Add-AdPermission -Identity "CN=Databases,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<DomainName>,DC=<TopDomain>" -User <UserorGroupIdentity> -InheritedObjectType msExchPrivateMDB -AccessRights ExtendedRight -ExtendedRights Receive-As,Send-As -inheritanceType Descendents

If we break this up a bit we can see that the Identity is in fact the Distinguished Name of the Databases container:

"CN=Databases,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<DomainName>,DC=<TopDomain>"

The InheritedObjectType parameter specifies what kind of object inherits this access control entry, in this case it is only Exchange Mailbox Databases:

-InheritedObjectType msExchPrivateMDB

Then we grant the Receive-As and Send-As extended rights. With Receive As and Send As permission on a mailbox database, the user can log on to all mailboxes within that database and send mail from those mailboxes:

-AccessRights ExtendedRight -ExtendedRights Receive-As,Send-As

And finally we set the inheritance type to Descendents:

-inheritanceType Descendents

Example:

Add-AdPermission -Identity "CN=Databases,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=sundis,DC=local" -User test8 -InheritedObjectType msExchPrivateMDB -AccessRights ExtendedRight -ExtendedRights Receive-As,Send-As -inheritanceType Descendents


Reference: http://theessentialexchange.com/blogs/michael/archive/2009/09/29/exchange-server-2010-administrative-access-to-all-mailboxes.aspx

Using EMS method 2

With method two we use a pipe to set the permission on each mailbox database with the following command:

Get-Mailboxdatabase | Add-ADPermission -User <UserorGroupIdentity> -AccessRights ExtendedRight -ExtendedRights Receive-As,Send-As

Example:

Get-Mailboxdatabase | Add-ADPermission -User test3 -AccessRights ExtendedRight -ExtendedRights Receive-As,Send-As


Granting Receive As and Send As permission to a mailbox database, the user can log on to all mailboxes within that database, and send mail from those mailboxes.

Using ADSIEdit

There is also the ADSIEdit way of addressing the problem. I will give you a description of what you need to do, but I STRONGLY recommend that you have a look at Michael's post instead. That said, here you go…

Open ADSIEdit, Right click ADSIEdit and choose Connect to.


Select the Configuration Naming Context and click Ok.

Navigate to Configuration/Services/Microsoft Exchange/<OrganisationName>/Administrative Groups/Exchange Administrative Group (FYDIBOHF23SPDLT).


Right Click the Databases folder and choose Properties.


Click on the Security tab and click Add.


Enter the users or groups that you want to add and then click Ok.


Make sure that the added users or groups are selected, check the Allow box for Full control for each user or group, then click Ok to close the window. Now we are finished with ADSIEdit. Note that Full control on the Databases container is considerably broader than the Receive-As and Send-As rights granted by the EMS methods above, which is one more reason to prefer those.


This adds permissions to all databases. If you want to edit the permissions for a specific database you can open the Databases folder and open Properties for the database you want to configure.

A final note: Full Access or Receive As permissions are granted next time the Microsoft Exchange Information Store service caches the permissions and updates the cache. To grant the permissions immediately, stop and then restart the Microsoft Exchange Information Store service.
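As an added example (not from the original post), a read-only audit of the grants the commands in this post create: explicit FullAccess entries on mailboxes and Receive-As/Send-As entries on the mailbox databases, which is what you review before and after using the Add- and Remove- commands above. The function names are my own.

```powershell
# Added example, not from the original post. Function names are assumed; runs read-only.
function Get-MailboxFullAccessAudit {
    # Explicit (non-inherited) FullAccess entries; NT AUTHORITY\SELF is the owner's own right and is skipped
    param([string[]]$IgnoreUsers = @("NT AUTHORITY\SELF"))

    Get-Mailbox -ResultSize Unlimited | Get-MailboxPermission | Where-Object {
        ("$($_.AccessRights)" -match "FullAccess") -and
        -not $_.IsInherited -and -not $_.Deny -and
        ($IgnoreUsers -notcontains $_.User.ToString())
    } | ForEach-Object {
        $user = $_.User.ToString()
        New-Object PSObject -Property @{
            Mailbox  = $_.Identity.ToString()
            User     = $user
            Orphaned = ($user -like "S-1-5-21-*")   # a deleted principal is left behind as a raw SID
        }
    } | Select-Object Mailbox, User, Orphaned
}

function Get-DatabaseReceiveAsAudit {
    # Receive-As/Send-As on a database opens every mailbox in it, whether set directly (method 2)
    # or inherited from the Databases container (method 1), so inherited entries are kept and shown
    Get-MailboxDatabase | Get-ADPermission | Where-Object {
        ("$($_.ExtendedRights)" -match "Receive-As|Send-As") -and -not $_.Deny
    } | Select-Object @{n="Database";e={$_.Identity.ToString()}},
                      @{n="User";e={$_.User.ToString()}},
                      @{n="Rights";e={"$($_.ExtendedRights)"}},
                      IsInherited
}

Get-MailboxFullAccessAudit | Format-Table -AutoSize
Get-DatabaseReceiveAsAudit | Sort-Object User | Format-Table -AutoSize
```

Built-in principals such as the Exchange Servers group will appear in the database list; the entries to look at are the user and group accounts that were added by hand.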

Thanks for reading, I hope that you found it useful and please let me know if you have any questions!

What’s this RBAC in Exchange Server 2010 anyway? – Part 3

I am sorry to realize that it has been ages since my last post. There have just been a lot of other things that needed my attention. But now I am back and I will start with this last post in my series about Role Based Access Control. In this post I will focus on different examples. If you have another example you would like presented here, please let me know. And if you find an error of any sort or have any questions or thoughts about it, please do not hesitate to drop a comment or contact me.


Scenario 1 – Adding users to role groups

We will start with a simple scenario where we want to add two users to different role groups, Help Desk and Organization Management. We will use both ECP and EMS and we will start with EMS.

Example 1 – Adding the user Test8 to the Help Desk role group using EMS

This is done using a simple one-liner:
Add-RoleGroupMember <role group name> -Member <member>

Example:
Add-RoleGroupMember “Help Desk” -Member Test8


To list all members of the Help Desk group use the following command:
Get-RoleGroupMember “Help Desk”


Example 2 – Adding the user Test8 to the Help Desk role group using ECP

Using the ECP involves several more steps than using the EMS one-liner. I will start by showing you where you can find the organizational settings in ECP. In Outlook Web App choose Options and then See All Options.


In ECP, click on Manage Myself and choose My Organization.


To view the Role Groups click on Roles & Auditing.


In the work pane you will see a list of all Role Groups including Help Desk that we are looking for. Double-click Help Desk or select Help Desk and click Details to open the details window.


To add a new member to the Role Group, click Add in the Members section.


Select the users, USGs, or other role groups you want to add to the role group, and then click OK.


Click Save to save the changes to the role group.


It is strongly recommended to use the built-in Role Groups as far as possible and only add own Role Groups if it is absolutely necessary.


Scenario 2 – Create a new role group

Next we will create two new role groups, one with a custom scope and one with an OU scope.

Example 1 – New role group with custom scope

For this example we will use the ECP to create the new role group. I will not explain the initial steps for ECP, you can find more information on that under Scenario 1 – Example 2.

Before we can create the group we will have to create the custom scope. This can only be done using EMS. In the following example we will create a scope with a filter to include all users in the department Sales.

New-ManagementScope -Name "Mailboxes in department IT" -RecipientRestrictionFilter {Department -Eq "IT"}


More information about management role scope filters syntax can be found here: http://technet.microsoft.com/en-us/library/dd298043.aspx

When we have the management scope in place we can move on to create the role group. Navigate to the Administrator Roles tab, Role Groups, click New.


Enter a name and description for the new role group and for Write Scope choose our newly created management scope Mailboxes in department Sales.


To add a management role to the role group, click Add under Roles. In the new window add the roles by selecting them and clicking Add, then click Ok when finished.


To add members to this role group, click Add under Members. In the new window add the groups and mailboxes by selecting them and clicking Add, then click Ok when finished.


Review the settings and click Ok when finished.


In this example we created a new role group that affects all mailboxes in the department Sales. We added the user Test and the management roles Mailbox Recipients which enables the user to manage existing mailboxes, mail users, and mail contacts.

Example 2 – New role group with OU scope

For this example we will use the EMS to create the new role group based on an OU scope. Start by opening Exchange Management Shell, and then have a look at the following command:

New-RoleGroup -Name <role group name> -Roles <roles to assign> -RecipientOrganizationalUnitScope <OU name>

Let us create a new group and add the role Mail Recipients Role for the OU IT Support:

New-RoleGroup -Name "Mailboxes in OU IT Support" -Roles "Mail Recipients" -RecipientOrganizationalUnitScope "IT Support"



Scenario 3 – Remove a role group

There will probably be a time where you would want to remove a role group for some reason.

Example 1 – Remove a role group using EMS

I will show you how to do this using Exchange Management Shell. Use the following command:

Remove-RoleGroup -Identity <RoleGroupIdentity>

In the example we remove the role group we created in Scenario 2 – Example 2:

Remove-RoleGroup "Mailboxes in OU IT Support"

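As an added example (not from the original post), a report with one row per role group and assigned role, showing the write scope and the members, which is exactly what Scenarios 1 to 3 change and the first thing to review when auditing RBAC. The function name is my own.

```powershell
# Added example, not from the original post. Function name is assumed; runs read-only.
function Get-RoleGroupAudit {
    foreach ($rg in Get-RoleGroup) {
        $members = @(Get-RoleGroupMember -Identity $rg.Identity | ForEach-Object { $_.Name })

        foreach ($a in Get-ManagementRoleAssignment -RoleAssignee $rg.Identity) {
            # The effective write scope: custom filter scope, OU scope, or the built-in scope type
            $scope = $a.RecipientWriteScope.ToString()
            if ($a.CustomRecipientWriteScope) {
                $scope = "Custom: " + $a.CustomRecipientWriteScope.Name
            } elseif ($a.RecipientOrganizationalUnitScope) {
                $scope = "OU: " + $a.RecipientOrganizationalUnitScope.ToString()
            }

            New-Object PSObject -Property @{
                RoleGroup   = $rg.Name
                Role        = $a.Role.Name
                WriteScope  = $scope
                Enabled     = $a.Enabled
                MemberCount = $members.Count
                Members     = ($members -join "; ")
            }
        }
    }
}

$audit = Get-RoleGroupAudit | Select-Object RoleGroup, Role, WriteScope, Enabled, MemberCount, Members
$audit | Sort-Object RoleGroup, Role | Format-Table -AutoSize

# Organization-wide write scope is the most powerful case; these memberships deserve a periodic review
$audit | Where-Object { $_.WriteScope -eq "Organization" -and $_.MemberCount -gt 0 } |
    Select-Object RoleGroup, Role, Members | Format-Table -AutoSize
```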


Scenario 4 – Working with assignment policies to enable users to manage their own mailboxes and properties

In this scenario we will create a new assignment policy and add a role to the policy to enable users to manage information related to their own mailboxes.

Example 1 – New assignment policy using ECP

First we will create a new assignment policy, in Outlook Web App choose Options and then See All Options.


In ECP, click on Manage Myself and choose My Organization.


To view the Assignment Policies click on Roles & Auditing and then User Roles. Click on New to start creating a new policy.


Start with entering a name for the assignment policy, Profile information for my example.


We are going to add roles to control Profile information for the user. Check MyProfileInformation, this will also check the roles MyDisplayName and MyName.


Also make sure that you check MyBaseOptions; without it the users cannot open ECP at all.


More information on the built-in management roles can be found here:
http://technet.microsoft.com/en-us/library/dd638077.aspx

Click on Save to create the assignment policy.


Example 2 – Change the Assignment Policy on a Mailbox

The next step in this scenario is to change the assignment policy on a mailbox. Open EMC and navigate to Recipient Configuration and then Mailbox. Right-click the mailbox you want to change and choose Properties.

Click on the Mailbox Settings tab, select Role Assignment Policy and click Properties.


Click on Browse; this opens a new dialog window.


Select the Assignment Policy you want to change to and then click Ok.


Check that the correct Assignment Policy is listed and then click Ok.


Click Ok to close the mailbox properties window. You now have the correct Assignment Policy applied on the mailbox and this should have immediate effect on the mailbox.
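The whole of Scenario 4 done from Exchange Management Shell instead of ECP and EMC, as an added example that is not from the original post. It assumes the policy name Profile information from the post and a mailbox called Test.

```powershell
# Added example (not the post's own code). Assumed: policy name "Profile information"
# and a mailbox named "Test".
$policyName = "Profile information"

# MyBaseOptions is what lets the user open ECP at all; MyProfileInformation
# brings its child roles MyDisplayName and MyName, the ones ECP ticks for you.
New-RoleAssignmentPolicy -Name $policyName -Roles "MyBaseOptions", "MyProfileInformation"

# Review exactly which roles the policy grants before assigning it to anyone.
# Every RecipientWriteScope here should be Self: end-user roles must not reach
# beyond the user's own mailbox.
Get-ManagementRoleAssignment -RoleAssignee $policyName |
    Format-Table Role, RecipientWriteScope -AutoSize

# Same change as the Role Assignment Policy dialog in the mailbox properties
Set-Mailbox -Identity "Test" -RoleAssignmentPolicy $policyName

# Confirm the mailbox picked up the policy; the change is effective immediately
Get-Mailbox -Identity "Test" | Format-List Name, RoleAssignmentPolicy

# Inventory: which mailboxes are still on some other policy (usually the default)
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.RoleAssignmentPolicy -ne $policyName } |
    Select-Object Name, RoleAssignmentPolicy
```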

That is all for this time. I hope that you find the examples useful, and if you have any ideas on other examples you would like me to include in this post just let me know. And as usual, if you find any errors or have any further questions do not hesitate to post a comment. Thanks for reading!

Part 1 in this series can be found here!

Part 2 in this series can be found here!

Part 3 in this series can be found here!

View PowerShell commands ran by Exchange Management Console

Here is a quick tip on how to view the commands that Exchange Management Console runs in the background when you make changes using EMC. EMC is basically just a GUI that runs PowerShell commands in the background to execute the changes we make in the GUI.

There are two ways of displaying these PowerShell commands.

The Show Exchange Management Shell Command button

This button is very useful and easy to find. It is located in the bottom-left corner of the dialog boxes used to reveal and set properties on Exchange objects.


When you click this button a window opens, showing the Windows PowerShell command that Exchange will execute when you click OK or Apply. Again, you can use this button to view the commands BEFORE you actually apply the changes.


Exchange Management Shell Command Log

Another tool new to the EMC in Exchange 2010 is the Exchange Management Shell Command Log. It records all shell commands that you run in EMC. You can use this tool to log commands, view them and also export them to a CSV file.

To view the Exchange Management Command Log, right-click an object such as Mailbox in the left pane of EMC, click View and select View Exchange Management Log.


In the lower pane you can see and copy the commands. This is an excellent way of getting help and tips when creating PowerShell commands and scripts.


Thanks for reading!

Access rights error when moving mailboxes from Exchange Server 2003 to Exchange Server 2010

When I did the mailbox migrations from Exchange Server 2003 to Exchange Server 2010 yesterday, I received the following error for a couple of mailboxes:

Error:
Active Directory operation failed on <DomainControllerName>. This error is not retriable. Additional information: Insufficient access rights to perform the operation.
Active directory response: 00002098: SecErr: DSID-03150E8A, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

The user has insufficient access rights.

Exchange Management Shell command attempted:
'<PathtoOrganizationalUnit>' | New-MoveRequest -TargetDatabase 'Mailbox Database 147171981' -BadItemLimit '-1'

In my case, this was caused by inheritable permissions for the user object. To check this setting do the following:

  1. On a domain controller, open Active Directory Users and Computers.
  2. Make sure that you have advanced features activated. Choose View and then Advanced Features.
  3. Find the user that matches the mailbox you were trying to move.
  4. Open the properties for the user and navigate to the Security tab.
  5. Click on Advanced and activate the checkbox "Include inheritable permissions from this object's parent", then click Ok twice.

And that should do it; you can try to move the mailbox again and it should work. Thanks for reading and do not hesitate to let me know if you run into any problems!
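The same check and fix from PowerShell, as an added example that is not from the original post: it reports which of the failed users have inheritance disabled on their AD object and re-enables it, which is what step 5 does in the GUI. It assumes the ActiveDirectory module (Windows Server 2008 R2 or RSAT) and the sAMAccountNames below are constructed placeholders.

```powershell
# Added example (not the post's own code). Assumes the ActiveDirectory module;
# the account names are constructed placeholders for the mailboxes that failed to move.
Import-Module ActiveDirectory

$failedUsers = @("user1", "user2")   # constructed sample input

foreach ($sam in $failedUsers) {
    $user = Get-ADUser -Identity $sam -Properties adminCount
    $path = "AD:\" + $user.DistinguishedName
    $acl  = Get-Acl -Path $path

    # AreAccessRulesProtected = $true means "Include inheritable permissions from
    # this object's parent" is unticked, exactly the state fixed in step 5.
    # adminCount = 1 marks an AdminSDHolder-protected account: Windows will strip
    # inheritance again on its next pass, so the fix will not stick for those
    # until the account is taken out of the protected groups.
    [PSCustomObject]@{
        User                   = $sam
        InheritanceDisabled    = $acl.AreAccessRulesProtected
        AdminSDHolderProtected = ($user.adminCount -eq 1)
    }

    if ($acl.AreAccessRulesProtected) {
        # Re-enable inheritance; $true as the second argument keeps the existing
        # explicit entries instead of discarding them.
        $acl.SetAccessRuleProtection($false, $true)
        Set-Acl -Path $path -AclObject $acl
    }
}
```

Run it with -WhatIf on Set-Acl first if you want to see which objects would change without touching them.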
