
Exchange 2010 – Create a custom role to enable users to manage distribution groups but not create them

I love RBAC in Exchange 2010; gone are the days of having to hack around AD to try and control what users could do or see. I remember talking to a security guy at one of the big 5 companies about how they chop up AD to control what users/hosted companies could see, and I was gobsmacked how applications could run in this type of environment altogether. It amazed me, as we are not just talking about one product that needs to work with AD but many.

But it is new, and with new things there is always a learning curve. I am not about to try to teach you all about RBAC; there are far better people than me who can do that, not only TechNet :). But I have seen a recurring question asking how to not only restrict end users from creating distribution groups (save that for another post) but also allow them to manage distribution groups. To do this, follow the steps outlined below:

 

Create the new customized role:
new-managementrole -name:customizedRole -Parent MyDistributionGroups*

Remove the New-DistributionGroup entry from the new role:
Remove-ManagementRoleEntry customizedRole\new-distributiongroup -Confirm:$false

Assign the new customized role to the role assignment policy so that it applies to all users in the tenant (this assumes Get-RoleAssignmentPolicy returns a single policy):
$policy=Get-RoleAssignmentPolicy
New-ManagementRoleAssignment -Name:customizedRoleRA -Role:customizedRole -Policy $policy.Identity

Remove the old role assignment on the policy:
$oldRA=Get-ManagementRoleAssignment -RoleAssignee $policy.Identity -Role MyDistributionGroups*
Remove-ManagementRoleAssignment $oldRA -Confirm:$false
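
To confirm the end state of the steps above, the following added example (not part of the original post) checks that the copied role no longer contains New-DistributionGroup and that each role assignment policy carries the custom role instead of the built-in one. The function name Test-DistributionGroupRoleState is hypothetical and the role names are those used above; it goes slightly beyond the post by reporting on every role assignment policy rather than a single one.

```powershell
# Added example, not from the original post. Run in the Exchange Management Shell.
# Role names are the ones used in the steps above; the function name is hypothetical.
function Test-DistributionGroupRoleState {
    param(
        [string]$RoleName      = 'customizedRole',
        [string]$OldRoleFilter = 'MyDistributionGroups*',
        [string]$BlockedCmdlet = 'New-DistributionGroup'
    )

    # The copied role should keep its management cmdlets but not the blocked one.
    $entries = @(Get-ManagementRoleEntry "$RoleName\*")
    $blocked = @($entries | Where-Object { $_.Name -eq $BlockedCmdlet })

    # Report on every role assignment policy: any policy that still carries the
    # built-in role lets its users create distribution groups.
    foreach ($policy in @(Get-RoleAssignmentPolicy)) {
        $new = @(Get-ManagementRoleAssignment -RoleAssignee $policy.Identity -Role $RoleName)
        $old = @(Get-ManagementRoleAssignment -RoleAssignee $policy.Identity -Role $OldRoleFilter)

        # New-Object with -Property works on the PowerShell 2.0 shell that ships
        # with Exchange 2010; Select-Object fixes the column order.
        New-Object PSObject -Property @{
            Policy             = $policy.Name
            RoleEntryCount     = $entries.Count
            BlockedCmdletGone  = ($blocked.Count -eq 0)
            CustomRoleAssigned = ($new.Count -gt 0)
            BuiltInRoleRemoved = ($old.Count -eq 0)
        } | Select-Object Policy, RoleEntryCount, BlockedCmdletGone,
                          CustomRoleAssigned, BuiltInRoleRemoved
    }
}

Test-DistributionGroupRoleState | Format-Table -AutoSize
```

Every policy row should show True in the last three columns and a non-zero RoleEntryCount; a False in BuiltInRoleRemoved means users under that policy can still create distribution groups.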
