Get-Group: Confusion and a query
On the Get-Group cmdlet query, the TechNet article states: "To run the Get-Group cmdlet, the account you use must be delegated the following: Exchange View-Only Administrator role"
http://technet.microsoft.com/en-us/library/aa996594(EXCH.80).aspx
I can run this cmdlet logged in as a normal domain user without any administrator role (or any permissions applied), and it returned groups. Am I missing a point?
We have a requirement where we need to deny specific users from getting any results when running Get-Group. Please suggest how this can be done.
August 12th, 2010 8:50pm
Hi Shireesh1,
Sure, the user must have the role viewonlyadmin, and could use the cmdlet "get-group".
You could confirm it using the script below:
get-exchangeadministrator |? {$_.role -like "viewonlyadmin"}
Regards!
Gavin
August 17th, 2010 8:25am
Thanks Gavin,
But I remember I could even execute the cmdlet with a user ID that was not a viewonlyadmin. The issue cropped up again today when one of the users wanted to get ActiveSync device statistics for users who are not part of viewonlyadmins.
The Get-Mailbox cmdlet retrieves the attributes and objects for a mailbox. No parameters are required. If the cmdlet is used without a parameter, all mailboxes in the organization are listed.
To run the Get-Mailbox cmdlet, the account you use must be delegated the following:
Exchange View-Only Administrator role
http://technet.microsoft.com/en-us/library/bb123685%28EXCHG.80%29.aspx
The user running this cmdlet is not 'viewonlyadmin'. I confirmed this using:
get-exchangeadministrator |? {$_.role -like "viewonlyadmin"}
Ideally, if the user does not have the viewonlyadmin role, he should not be able to execute this cmdlet or get the information returned.
Regards,
November 26th, 2010 5:04am