Multiple Update Rollups released

Microsoft has released a number of rollups for Exchange Server 2007 and 2010. If you want to go directly to the downloads use the following links:

What’s this RBAC in Exchange Server 2010 anyway? – Part 3

I am sorry to realize that it has been ages since my last post. There have just been a lot of other things that needed my attention. But now I am back and I will start with this last post in my series of posts about Role Based Access Control. In this post I will focus on different examples. If you have another example you would like presented here, please let me know. And if you find an error of any sort or have any questions or thoughts about it, please do not hesitate to drop a comment or contact me.

Scenario 1 – Adding users to role groups

We will start with a simple scenario where we want to add two users to different role groups, Help Desk and Organization Management. We will use both ECP and EMS and we will start with EMS.

Example 1 – Adding the user Test8 to the Help Desk role group using EMS

This is done using a simple one-liner:
Add-RoleGroupMember <role group name> -Member <member>

Example:
Add-RoleGroupMember "Help Desk" -Member Test8

To list all members of the Help Desk group use the following command:
Get-RoleGroupMember "Help Desk"

Example 2 – Adding the user Test8 to the Help Desk role group using ECP

Using the ECP involves several more steps than using the EMS one-liner. I will start by showing you where you can find the organizational settings in ECP. In Outlook Web App choose Options and then See All Options.

In ECP, click on Manage Myself and choose My Organization.

To view the Role Groups click on Roles & Auditing.

In the work pane you will see a list of all Role Groups including Help Desk that we are looking for. Double-click Help Desk or select Help Desk and click Details to open the details window.

To add a new member to the Role Group, click Add in the Members section.

Select the users, USGs, or other role groups you want to add to the role group, and then click OK.

Click Save to save the changes to the role group.

It is strongly recommended to use the built-in role groups as far as possible and to add your own role groups only if it is absolutely necessary.

Scenario 2 – Create a new role group

Next we will create two new role groups, one with a custom scope and one with an OU scope.

Example 1 – New role group with custom scope

For this example we will use the ECP to create the new role group. I will not explain the initial steps for ECP; you can find more information on that under Scenario 1 – Example 2.

Before we can create the group we will have to create the custom scope. This can only be done using EMS. In the following example we will create a scope with a filter to include all users in the department Sales.

New-ManagementScope -Name "Mailboxes in department Sales" -RecipientRestrictionFilter {Department -Eq "Sales"}

More information about management role scope filters syntax can be found here: http://technet.microsoft.com/en-us/library/dd298043.aspx

When we have the management scope in place we can move on to create the role group. Navigate to the Administrator Roles tab, Role Groups, click New.

Enter a name and description for the new role group and for Write Scope choose our newly created management scope Mailboxes in department Sales.

To add a management role to the role group, click Add under Roles. In the new window, add the roles by selecting them and clicking Add, then click OK when finished.

To add members to this role group, click Add under Members. In the new window, add the groups and mailboxes by selecting them and clicking Add, then click OK when finished.

Review the settings and click Ok when finished.

In this example we created a new role group whose write scope covers all mailboxes in the department Sales. We added the user Test and the management role Mail Recipients, which enables the user to manage existing mailboxes, mail users, and mail contacts.
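The same role group can be built and checked entirely from EMS. The script below is an added example, not part of the original walkthrough; the role group name and the choice of Test8 as a mailbox outside Sales are assumptions. It previews what the scope filter matches before any rights are granted and then confirms that the new group cannot write to a recipient outside the scope.

```powershell
# Added example for the Exchange Management Shell (Exchange 2010).
$scopeName = "Mailboxes in department Sales"
$groupName = "Sales Recipient Admins"   # hypothetical role group name
$outsider  = "Test8"                    # assumed to be a mailbox outside Sales

# 1. Create the custom scope only if it is not there yet.
if (-not (Get-ManagementScope | Where-Object { $_.Name -eq $scopeName })) {
    New-ManagementScope -Name $scopeName `
        -RecipientRestrictionFilter { Department -eq "Sales" }
}

# 2. Preview the recipients the filter matches before granting anything.
#    An unexpected or empty list means the filter is wrong.
$filter = (Get-ManagementScope -Identity $scopeName).RecipientFilter
Get-Recipient -RecipientPreviewFilter $filter -ResultSize Unlimited |
    Sort-Object Name |
    Format-Table Name, RecipientType, Department -AutoSize

# 3. Create the role group with the role, write scope and member in one step.
New-RoleGroup -Name $groupName `
    -Description "Manage recipients in the Sales department only" `
    -Roles "Mail Recipients" `
    -CustomRecipientWriteScope $scopeName `
    -Members "Test"

# 4. Confirm that every assignment of the group carries the custom scope.
Get-ManagementRoleAssignment -RoleAssignee $groupName |
    Format-Table Name, Role, RecipientWriteScope, CustomRecipientWriteScope -AutoSize

# 5. Negative check: no assignment of this group may be able to modify
#    a recipient that lies outside the scope.
$leak = Get-ManagementRoleAssignment -WritableRecipient $outsider |
    Where-Object { $_.RoleAssigneeName -eq $groupName }
if ($leak) {
    Write-Warning "$groupName can modify $outsider; review the scope filter."
} else {
    "OK: $groupName has no write access to $outsider."
}
```

Because the scope is a filter on the Department attribute, anyone who can change that attribute on a recipient can move it in or out of the group's reach, so it is worth re-running steps 2 and 5 after directory changes.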

Example 2 – New role group with OU scope

For this example we will use the EMS to create the new role group based on an OU scope. Start by opening Exchange Management Shell, and then have a look at the following command:

New-RoleGroup -Name <role group name> -Roles <roles to assign> -RecipientOrganizationalUnitScope <OU name>

Let us create a new group and assign it the Mail Recipients role for the OU IT Support:

New-RoleGroup -Name "Mailboxes in OU IT Support" -Roles "Mail Recipients" -RecipientOrganizationalUnitScope "IT Support"

Scenario 3 – Remove a role group

There will probably come a time when you want to remove a role group for some reason.

Example 1 – Remove a role group using EMS

I will show you how to do this using Exchange Management Shell. Use the following command:

Remove-RoleGroup -Identity <RoleGroupIdentity>

In the example we remove the role group we created in Scenario 2 – Example 2:

Remove-RoleGroup "Mailboxes in OU IT Support"

Scenario 4 – Working with assignment policies to enable users to manage their own mailboxes and properties

In this scenario we will create a new assignment policy and add a role to the policy to enable users to manage information related to their own mailboxes.

Example 1 – New assignment policy using ECP

First we will create a new assignment policy. In Outlook Web App choose Options and then See All Options.

In ECP, click on Manage Myself and choose My Organization.

To view the Assignment Policies click on Roles & Auditing and then User Roles. Click on New to start creating a new policy.

Start by entering a name for the assignment policy; I use Profile information in my example.

We are going to add roles to control profile information for the user. Check MyProfileInformation; this will also check the roles MyDisplayName and MyName.

Also make sure that you check MyBaseOptions; this enables the users to use ECP.

More information on built in management roles can be found here:
http://technet.microsoft.com/en-us/library/dd638077.aspx

Click on Save to create the assignment policy.

Example 2 – Change the Assignment Policy on a Mailbox

The next step in this scenario is to change the assignment policy on a mailbox. Open EMC and navigate to Recipient Configuration and Mailbox. Right-click the mailbox you want to change and choose Properties.

Click on the tab Mailbox Settings, select Role Assignment Policy and click Properties.

Click on Browse, this opens a new dialog window.

Select the Assignment Policy you want to change to and then click Ok.

Check that the correct Assignment Policy is listed and then click Ok.

Click Ok to close the mailbox properties window. You now have the correct Assignment Policy applied on the mailbox and this should have immediate effect on the mailbox.
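Both examples in this scenario can also be done from EMS, which makes the result easy to verify and repeat. The script below is an added example, not part of the original walkthrough; using Test8 as the target mailbox is an assumption. It creates the policy, assigns the two roles named above, applies the policy to one mailbox and then reports which policy every mailbox is using.

```powershell
# Added example for the Exchange Management Shell (Exchange 2010).
$policy  = "Profile information"   # policy name used in Example 1
$mailbox = "Test8"                 # assumption: the mailbox to switch over

# 1. Create the assignment policy if it does not exist yet.
if (-not (Get-RoleAssignmentPolicy | Where-Object { $_.Name -eq $policy })) {
    New-RoleAssignmentPolicy -Name $policy
}

# 2. Assign the end-user roles to the policy, skipping any already present.
#    MyBaseOptions is needed for ECP access, as noted in Example 1.
$have = Get-ManagementRoleAssignment -RoleAssignee $policy |
    ForEach-Object { [string]$_.Role }
foreach ($role in "MyBaseOptions", "MyProfileInformation") {
    if ($have -notcontains $role) {
        New-ManagementRoleAssignment -Role $role -Policy $policy
    }
}

# 3. Review exactly what the policy grants before applying it to anyone.
Get-ManagementRoleAssignment -RoleAssignee $policy |
    Format-Table Role, RoleAssigneeType, Enabled -AutoSize

# 4. Apply the policy to the mailbox and confirm the change.
Set-Mailbox -Identity $mailbox -RoleAssignmentPolicy $policy
Get-Mailbox -Identity $mailbox | Format-List Name, RoleAssignmentPolicy

# 5. Audit: how many mailboxes use each assignment policy. A mailbox on an
#    unexpected policy may have more self-service rights than intended.
Get-Mailbox -ResultSize Unlimited |
    Group-Object { [string]$_.RoleAssignmentPolicy } |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize
```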

That is all for this time, I hope that you find the examples useful and if you have any ideas on other examples you would like me to include in this post just let me know. And as usual, if you find any errors or have any further questions do not hesitate to post a comment. Thanks for reading!

Part 1 in this series can be found here!

Part 2 in this series can be found here!

Part 3 in this series can be found here!