rbac in exchange 2010 example 1

11 May


by default, there are 64 roles

get-managementrole | ? {$ –like “mail*” }

create a new role “employee mailbox creation”

new-managementrole –name “employee mailbox creation” –parent “mail recipient creation”

see what command the new group can use

get-managementroleentry “employee mailbox creation\*”

get what those command that should not be used

get-managementroleentry “employee mailbox creation\*”  | ? {$ –like “remove*”}

create a new scope

New-ManagementScope -Name fte -RecipientRoot -RecipientRestrictionFilter {RecipientType -eq "UserMailbox" -or RecipientType -eq "MailUser" -or RecipientType -eq "MailContact"}


create a new role group

new-rolegroup –name “employee mailbox provocaton” –roles “employee mailbox creation” –customrecipientwritescope fte

add administor to this role group

add-rolegroupmember –identy “employee mailbox provocation” –members test01

see almost full information:

the 3W process:

1-create a management role

2-custom the management role entry (what can do)

3-create a scope (where can do)

4-create the role group connect with management role and scope (who can do )

5-add administrator in the role group


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: