Minimum Permissions of Disabling Mailbox by Powershell Cmdlet (Disable-Mailbox)

Hi all,

I have a question:

In Exchange Server 2013, there're some built-in roles:

Active Directory Permissions
Address Lists
Audit Logs
Cmdlet Extension Agents
Data Loss Prevention
Database Availability Groups
Database Copies
Databases
Disaster Recovery
Distribution Groups
Edge Subscriptions
E-Mail Address Policies
Exchange Connectors
Exchange Server Certificates
Exchange Servers
Exchange Virtual Directories
Federated Sharing
Information Rights Management
Journaling
Legal Hold
Mail Enabled Public Folders
Mail Recipient Creation
Mail Recipients
Mail Tips
Message Tracking
Migration
Monitoring
Move Mailboxes
Org Custom Apps
Org Marketplace Apps
Organization Client Access
Organization Configuration
Organization Transport Settings
POP3 And IMAP4 Protocols
Public Folders
Receive Connectors
Recipient Policies
Remote and Accepted Domains
Retention Management
Role Management
Security Group Creation and Membership
Send Connectors
Team Mailboxes
Transport Agents
Transport Hygiene
Transport Queues
Transport Rules
UM Mailboxes
UM Prompts
Unified Messaging
User Options
View-Only Audit Logs
View-Only Configuration
View-Only Recipients
WorkloadManagement

I want to create a new group that allows its members to create and disable mailboxes with PowerShell cmdlets. Which roles should I assign to this group?

Thank you.

July 30th, 2015 7:36am

Hi,

You need mail recipient creation & mail recipient.

But you can also create your own management role with more restrictions and assign it to the group.

To see which commands are allowed, use:

Get-ManagementRoleEntry -Identity "Mail Recipient Creation\*"

Get-ManagementRoleEntry -Identity "Mail Recipients\*"

best regards

July 30th, 2015 7:56am

Create your own management scope to disable users in Exchange. Then create a management role and add the scope to that role. Now add the users to whom you want to give access to this role.

https://technet.microsoft.com/en-us/library/dd351214(v=exchg.150).aspx

https://technet.microsoft.com/en-us/library/dd335137%28v=exchg.150%29.aspx?f=255&MSPPError=-2147217396

July 30th, 2015 10:00am

Hi,

Please refer to my steps in this thread:

https://social.technet.microsoft.com/Forums/scriptcenter/en-US/75f1d50a-3606-4978-92af-b17b25921c97/organization-management-roles-question?forum=exchange2010

If you have any questions during creation, please let me know.

Best Regards.

July 30th, 2015 11:23pm

Hi SSorin,

Thank you very much. I exported all cmdlets and their corresponding roles.

But when I check the cmdlets, I have already added all the roles.

I only need 2 cmdlets: Enable-Mailbox and Disable-Mailbox. I have added Mailbox Recipient Creation and Mailbox Recipients to the group, but it still didn't work.

July 31st, 2015 2:22am

Hi Lynn,

Thank you for your help. It was stuck on the step "Use this command to remove all cmdlets except Set-User.", and then I used this:

Get-ManagementRoleEntry "Mailbox Role\*" | % {
	if ($_.Name -ne "Set-User")
	{
		Write-Host $_.Name
		Remove-ManagementRoleEntry $_ -Force -Confirm:$false
	}
}

Now a new group and role have been created; I will test it.

July 31st, 2015 3:31am
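
Added example, not part of the original thread or any poster's code: one way to build the least-privilege role discussed above, keeping only Enable-Mailbox and Disable-Mailbox (plus two Get- cmdlets) and scoping the role group to one OU. The role name, role group name, member, OU path and the choice of "Mail Recipient Creation" as parent are assumptions for illustration; the script checks the parent before creating anything.

```powershell
# Run in the Exchange Management Shell as a member of Organization Management.
# All names below are placeholders (assumptions), not values from the thread.
$parentRole = 'Mail Recipient Creation'            # assumed parent; verified in step 1
$childRole  = 'Mailbox Enable Disable'             # hypothetical custom role name
$roleGroup  = 'Mailbox Enable Disable Operators'   # hypothetical role group name
$scopeOU    = 'contoso.com/Staff'                  # placeholder OU for the write scope
$members    = 'helpdesk1'                          # placeholder member account
$keep       = 'Enable-Mailbox', 'Disable-Mailbox', 'Get-Mailbox', 'Get-User'

# 1. A child role can never contain an entry its parent lacks, so confirm the
#    parent carries every cmdlet on the keep list before creating anything.
$parentEntries = Get-ManagementRoleEntry "$parentRole\*" |
    Select-Object -ExpandProperty Name
$missing = $keep | Where-Object { $parentEntries -notcontains $_ }
if ($missing) {
    # List the roles that do hold each missing cmdlet, then stop.
    foreach ($cmdlet in $missing) {
        Get-ManagementRoleEntry "*\$cmdlet" |
            ForEach-Object { Write-Warning "$($_.Role) contains $($_.Name)" }
    }
    throw "Parent role '$parentRole' lacks: $($missing -join ', ')"
}

# 2. Create the child role. It starts as a full copy of the parent's entries.
New-ManagementRole -Name $childRole -Parent $parentRole | Out-Null

# 3. Remove every entry that is not on the keep list.
Get-ManagementRoleEntry "$childRole\*" |
    Where-Object { $keep -notcontains $_.Name } |
    ForEach-Object {
        Remove-ManagementRoleEntry -Identity "$childRole\$($_.Name)" -Confirm:$false
    }

# 4. Create the role group with only the child role assigned, and limit which
#    recipients its members can modify to a single OU.
New-RoleGroup -Name $roleGroup -Roles $childRole `
    -RecipientOrganizationalUnitScope $scopeOU -Members $members | Out-Null

# 5. Verify: the role should list only the kept cmdlets, and the effective
#    users should be only the intended role group members.
Get-ManagementRoleEntry "$childRole\*" | Format-Table Name
Get-ManagementRoleAssignment -Role $childRole -GetEffectiveUsers |
    Format-Table RoleAssigneeName, EffectiveUserName
```

Members of the new role group need to open a new shell session before the changed permissions apply to them.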
