Multiple Update Rollups released

Microsoft has released a number of rollups for Exchange Server 2007 and 2010. If you want to go directly to the downloads, use the following links:

What’s this RBAC in Exchange Server 2010 anyway? – Part 3

I am sorry to realize that it has been ages since my last post. There have just been a lot of other things that needed my attention. But now I am back and I will start with this last post in my series of posts about Role Based Access Control. In this post I will focus on different examples. If you have another example you would like presented here, please let me know. And if you find an error of any sort or have any questions or thoughts about it, please do not hesitate to drop a comment or contact me.

Scenario 1 – Adding users to role groups

We will start with a simple scenario where we want to add two users to different role groups, Help Desk and Organization Management. We will use both ECP and EMS and we will start with EMS.

Example 1 – Adding the user Test8 to the Help Desk role group using EMS

This is done using a simple one-liner:
Add-RoleGroupMember <role group name> -Member <member>

Add-RoleGroupMember "Help Desk" -Member Test8


To list all members of the Help Desk group use the following command:
Get-RoleGroupMember "Help Desk"


Example 2 – Adding the user Test8 to the Help Desk role group using ECP

Using the ECP involves several more steps than using the EMS one-liner. I will start by showing you where you can find the Organizational settings in ECP. In Outlook Web App, choose Options and then See All Options.


In ECP, click on Manage Myself and choose My Organization.


To view the Role Groups click on Roles & Auditing.


In the work pane you will see a list of all Role Groups including Help Desk that we are looking for. Double-click Help Desk or select Help Desk and click Details to open the details window.


To add a new member to the Role Group, click Add in the Members section.


Select the users, USGs, or other role groups you want to add to the role group, and then click OK.


Click Save to save the changes to the role group.


It is strongly recommended to use the built-in Role Groups as far as possible and only add your own Role Groups if it is absolutely necessary.

Scenario 2 – Create a new role group

Next we will create two new role groups, one with a custom scope and one with an OU scope.

Example 1 – New role group with custom scope

For this example we will use the ECP to create the new role group. I will not explain the initial steps for ECP; you can find more information on that under Scenario 1 – Example 2.

Before we can create the group we will have to create the custom scope. This can only be done using EMS. In the following example we will create a scope with a filter to include all users in the department Sales.

New-ManagementScope -Name "Mailboxes in department Sales" -RecipientRestrictionFilter {Department -Eq "Sales"}


More information about management role scope filters syntax can be found here:

When we have the management scope in place we can move on to create the role group. Navigate to the Administrator Roles tab, Role Groups, click New.


Enter a name and description for the new role group and for Write Scope choose our newly created management scope Mailboxes in department Sales.


To add a management role to the role group, click Add under Roles. In the new window, add the roles by selecting them and clicking Add, then click Ok when finished.


To add members to this role group, click Add under Members. In the new window, add the groups and mailboxes by selecting them and clicking Add, then click Ok when finished.


Review the settings and click Ok when finished.


In this example we created a new role group that affects all mailboxes in the department Sales. We added the user Test and the management role Mailbox Recipients, which enables the user to manage existing mailboxes, mail users, and mail contacts.

Example 2 – New role group with OU scope

For this example we will use the EMS to create the new role group based on an OU scope. Start by opening Exchange Management Shell, and then have a look at the following command:

New-RoleGroup -Name <role group name> -Roles <roles to assign> -RecipientOrganizationalUnitScope <OU name>

Let us create a new group and assign the Mail Recipients role for the OU IT Support:

New-RoleGroup -Name "Mailboxes in OU IT Support" -Roles "Mail Recipients" -RecipientOrganizationalUnitScope "IT Support"
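
A check worth running in EMS after creating the scope and role groups in this scenario, as an added example that is not part of the original post: it previews which recipients the custom scope's filter matches, lists what the role group was granted and with which write scope, and flags any assignment that reaches the whole organization. The scope and role group names are the ones used in the examples above; the variable names are my own.

```powershell
# Added example for the Exchange Management Shell (EMS); not from the original post.
# Names are taken from the post's examples; change them to match your environment.
$scopeName = 'Mailboxes in department Sales'   # custom scope, Scenario 2 - Example 1
$roleGroup = 'Mailboxes in OU IT Support'      # role group, Scenario 2 - Example 2

# 1. Preview the recipients the custom scope's filter matches. An empty or
#    unexpectedly large list means the filter does not say what you intended.
$scope   = Get-ManagementScope -Identity $scopeName
$inScope = @(Get-Recipient -RecipientPreviewFilter $scope.RecipientFilter -ResultSize Unlimited)
"{0} recipients match scope '{1}'" -f $inScope.Count, $scopeName
$inScope | Sort-Object Name | Format-Table Name, RecipientType, Department -AutoSize

# 2. List every role the group holds and the write scope on each assignment.
$assignments = @(Get-ManagementRoleAssignment -RoleAssignee $roleGroup)
$assignments | Format-Table Role, RecipientWriteScope, CustomRecipientWriteScope -AutoSize

# 3. Flag assignments that are not limited to an OU or a custom scope.
$unscoped = @($assignments | Where-Object { $_.RecipientWriteScope -eq 'Organization' })
if ($unscoped.Count -gt 0) {
    Write-Warning "$roleGroup has organization-wide assignments:"
    $unscoped | Format-Table Name, Role -AutoSize
}

# 4. Resolve who actually receives the permissions, including members of nested groups.
Get-ManagementRoleAssignment -RoleAssignee $roleGroup -GetEffectiveUsers |
    Sort-Object EffectiveUserName |
    Format-Table EffectiveUserName, Role, RecipientWriteScope -AutoSize
```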


Scenario 3 – Remove a role group

There will probably come a time when you want to remove a role group for some reason.

Example 1 – Remove a role group using EMS

I will show you how to do this using Exchange Management Shell. Use the following command:

Remove-RoleGroup -Identity <RoleGroupIdentity>

In the example we remove the role group we created in Scenario 2 – Example 2:

Remove-RoleGroup "Mailboxes in OU IT Support"


Scenario 4 – Working with assignment policies to enable users to manage their own mailboxes and properties

In this scenario we will create a new assignment policy and add a role to the policy to enable users to manage information related to their own mailboxes.

Example 1 – New assignment policy using ECP

First we will create a new assignment policy. In Outlook Web App, choose Options and then See All Options.


In ECP, click on Manage Myself and choose My Organization.


To view the Assignment Policies click on Roles & Auditing and then User Roles. Click on New to start creating a new policy.


Start by entering a name for the assignment policy; I use Profile information in my example.


We are going to add roles to control Profile information for the user. Check MyProfileInformation; this will also check the roles MyDisplayName and MyName.


Also make sure that you check MyBaseOptions; this enables the users to use ECP.


More information on built in management roles can be found here:

Click on Save to create the assignment policy.


Example 2 – Change the Assignment Policy on a Mailbox

The next step in this scenario is to change the assignment policy on a mailbox. Open EMC and navigate to Recipient Configuration and Mailbox. Right-click on the mailbox you want to change and choose Properties.

Click on the tab Mailbox Settings, select Role Assignment Policy and click Properties.


Click on Browse; this opens a new dialog window.


Select the Assignment Policy you want to change to and then click Ok.


Check that the correct Assignment Policy is listed and then click Ok.


Click Ok to close the mailbox properties window. You now have the correct Assignment Policy applied on the mailbox and this should have immediate effect on the mailbox.
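
The same two steps of this scenario done from EMS, as an added example that is not part of the original post: it creates the assignment policy, applies it to one mailbox, and verifies the result. The policy name is the one from Example 1; the mailbox Test8 is borrowed from Scenario 1 as a stand-in, and the variable names are my own.

```powershell
# Added example for the Exchange Management Shell (EMS); not from the original post.
$policyName = 'Profile information'   # policy name from Example 1
$mailbox    = 'Test8'                 # stand-in user from Scenario 1; use your own

# Create the policy with the roles checked in ECP. MyBaseOptions is the role
# that lets the user open ECP at all. ECP also ticks the child roles
# MyDisplayName and MyName; add them to -Roles if you want the same assignments.
New-RoleAssignmentPolicy -Name $policyName -Roles 'MyBaseOptions', 'MyProfileInformation'

# Confirm which end-user roles the policy now grants.
Get-ManagementRoleAssignment -RoleAssignee $policyName |
    Format-Table Role, RecipientWriteScope -AutoSize

# Record the current policy first so the change can be reverted.
$previous = (Get-Mailbox -Identity $mailbox).RoleAssignmentPolicy
"Previous policy on ${mailbox}: $previous"

# Apply the new policy to the mailbox and verify it.
Set-Mailbox -Identity $mailbox -RoleAssignmentPolicy $policyName
Get-Mailbox -Identity $mailbox | Format-List Name, RoleAssignmentPolicy

# Overview of how many mailboxes use each assignment policy, to spot
# mailboxes left on a policy you did not expect.
Get-Mailbox -ResultSize Unlimited |
    Group-Object { "$($_.RoleAssignmentPolicy)" } |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize
```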

That is all for this time, I hope that you find the examples useful and if you have any ideas on other examples you would like me to include in this post just let me know. And as usual, if you find any errors or have any further questions do not hesitate to post a comment. Thanks for reading!

Part 1 in this series can be found here!

Part 2 in this series can be found here!

Part 3 in this series can be found here!