Exchange 2010 RBAC model
Hi, I must admit, I am having trouble getting my head around the 2010 RBAC model :(
We are running Exchange 2007 and have built some 2010 servers (Mailbox, Hub, CAS) to which we have moved some IT folk. Now, with Exchange 2007 we had:
- Org Admins
- Server Admins
- Recipient Admins
Basically, Org Admins were our Level 3 Exchange Engineering/Architecture team (only a few people), Server Admins were the L2 Exchange Support and Recipient Admins were the Helpdesk; it all worked well :)
Now we have RBAC: built-in role groups and custom role groups. As an example, our Exchange 2007 Server Admins group was an AD group named $IT-Exch-Support. Now for RBAC, do we assign $IT-Exch-Support to a role group (which has roles assigned to it)?
Everything seems to be working OK at the moment. Do we have to do this before we remove the last Exchange 2007 server? Confused!
July 10th, 2011 5:47pm

There are certain built-in role groups which are similar to the Exchange 2007 admin groups. Make sure that the respective groups in your organization are members of these built-in role groups. Later you can configure RBAC in more detail based on requirements.
Built-in Role Groups - http://technet.microsoft.com/en-us/library/dd351266.aspx
Note: By default, members of the Organization Management role group can't perform mailbox searches and management of unscoped top-level management roles.
Amit Tank MVP: Exchange Server | MCTS: Microsoft Exchange Server 2010, Configuration | MCITP: EMA | MCSA: M Blog: http://ExchangeShare.WordPress.com | User Group: http://MUC-UG.org.in
July 10th, 2011 6:09pm

Hey Amit, thanks for answering. For the moment, only the Org Admins have RBAC permissions; I'm trying to figure out how to give the rest of the team RBAC rights. Some more questions:
i. At the moment, the $IT-Exch-Support group is not a member of any RBAC group, only the Exchange 2007 Server Managers group, since they haven't been given the task of managing 2010 yet. If I did want them to support 2010 servers, do they need to be added to any RBAC group, or does the fact that they are 2007 Server Managers mean they will have the same permissions on 2010 as they did on 2007?
ii. If I added $IT-Exch-Support to the built-in Server Management 2010 RBAC group, will the least permissions apply for ALL servers, or will they have Server Manager permissions on 2007 and Server Management permissions on 2010?
iii. Likewise, if I created a custom role group for $IT-Exch-Support in RBAC, how does it work given that these guys are already members of the Exchange 2007 Server Managers? If the custom role group I created for them in RBAC was much more restrictive, how does this work?
iv. Does anything change when I remove the last 2007 server?
July 10th, 2011 7:17pm

1. Yes, they need to be added into the respective RBAC group. It might work for some of the settings which are common to Exchange 2007 & 2010, but not for all. I don't have the exact environment right now to verify.
2. They should have server management permission on the Exchange 2010 servers for sure, but as I said, some settings are changed in 2010, like Database is now moved to Organization level...
3. If a custom role group is created for $IT-Exch-Support, it would take place if it has more restrictions, but the Organization Management role has a similar level of access to Exchange Organization Admin in Exchange 2007.
4. Nothing changes when you remove the last 2007 servers if permissions have been given correctly through the RBAC built-in roles in the Exchange 2010 environment.
I would say don't go for more restrictive and granular access through RBAC until Exchange 2007 is removed.
Amit Tank MVP: Exchange Server | MCTS: Microsoft Exchange Server 2010, Configuration | MCITP: EMA | MCSA: M Blog: http://ExchangeShare.WordPress.com | User Group: http://MUC-UG.org.in
July 10th, 2011 10:42pm
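
The step recommended in the answers above (making the existing AD group a member of a built-in role group), shown as an added example for the Exchange Management Shell; it is not part of the original thread. It assumes the group and role group names given in the question and that the AD group is a universal security group.

```powershell
# Added example, not from the thread. Run in the Exchange Management Shell
# on an Exchange 2010 server, as a member of Organization Management.

# Single quotes are required: inside double quotes PowerShell would try to
# expand $IT as a variable and the name would no longer match the AD group.
$legacyGroup = '$IT-Exch-Support'    # AD group name from the question
$roleGroup   = 'Server Management'   # built-in role group named in the thread

# 1. Review which management roles the role group grants, and with what
#    scope, before anyone is added to it.
Get-ManagementRoleAssignment -RoleAssignee $roleGroup |
    Format-Table Role, RecipientWriteScope, ConfigWriteScope -AutoSize

# 2. Record the current membership so the change can be audited later.
$before = Get-RoleGroupMember -Identity $roleGroup
$before | Format-Table Name, RecipientType -AutoSize

# 3. Add the AD group only if it is not already a member.
if (-not ($before | Where-Object { $_.Name -eq $legacyGroup })) {
    Add-RoleGroupMember -Identity $roleGroup -Member $legacyGroup
}

# 4. Confirm the result: the members now listed, and the users who
#    effectively hold each role through the role group.
Get-RoleGroupMember -Identity $roleGroup |
    Format-Table Name, RecipientType -AutoSize
Get-ManagementRoleAssignment -RoleAssignee $roleGroup -GetEffectiveUsers |
    Sort-Object EffectiveUserName, Role |
    Format-Table EffectiveUserName, Role -AutoSize
```

Reviewing the output of step 1 first shows exactly what the support team will be able to do on the 2010 servers before membership is granted.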
