Minimum Permissions of Disabling Mailbox by Powershell Cmdlet (Disable-Mailbox)

Hi all,

I have a question:

In Exchange Server 2013, there are some built-in roles:

Active Directory Permissions
Address Lists
Audit Logs
Cmdlet Extension Agents
Data Loss Prevention
Database Availability Groups
Database Copies
Databases
Disaster Recovery
Distribution Groups
Edge Subscriptions
E-Mail Address Policies
Exchange Connectors
Exchange Server Certificates
Exchange Servers
Exchange Virtual Directories
Federated Sharing
Information Rights Management
Journaling
Legal Hold
Mail Enabled Public Folders
Mail Recipient Creation
Mail Recipients
Mail Tips
Message Tracking
Migration
Monitoring
Move Mailboxes
Org Custom Apps
Org Marketplace Apps
Organization Client Access
Organization Configuration
Organization Transport Settings
POP3 And IMAP4 Protocols
Public Folders
Receive Connectors
Recipient Policies
Remote and Accepted Domains
Retention Management
Role Management
Security Group Creation and Membership
Send Connectors
Team Mailboxes
Transport Agents
Transport Hygiene
Transport Queues
Transport Rules
UM Mailboxes
UM Prompts
Unified Messaging
User Options
View-Only Audit Logs
View-Only Configuration
View-Only Recipients
WorkloadManagement

I want to create a new group that allows its members to create and disable mailboxes with PowerShell cmdlets. Which roles should I assign to this group?

Thank you.

July 30th, 2015 7:38am

Hi,

You need Mail Recipient Creation & Mail Recipients.

But you can also create your own management role with more restrictions and assign it to a group.

To see what kind of commands are allowed, use

Get-ManagementRoleEntry -Identity "Mail Recipient Creation\*"

Get-ManagementRoleEntry -Identity "Mail Recipients\*"

Best regards

July 30th, 2015 7:59am

Create your own management scope to disable users in Exchange. Then create a management role and add the scope to that role. Now add the users to whom you want to give access to this role.

https://technet.microsoft.com/en-us/library/dd351214(v=exchg.150).aspx

https://technet.microsoft.com/en-us/library/dd335137%28v=exchg.150%29.aspx?f=255&MSPPError=-2147217396

July 30th, 2015 10:02am

Hi,

Please refer to my steps in this thread:

https://social.technet.microsoft.com/Forums/scriptcenter/en-US/75f1d50a-3606-4978-92af-b17b25921c97/organization-management-roles-question?forum=exchange2010

If you have any questions during creation, please let me know.

Best Regards.

July 30th, 2015 11:25pm

Hi SSorin,

Thank you very much. I exported all cmdlets and their corresponding roles.

But when I checked the cmdlets, I had already added all the roles.

I only need 2 cmdlets: Enable-Mailbox and Disable-Mailbox. I have added Mailbox Recipient Creation and Mailbox Recipients to the group, but it still didn't work.

July 31st, 2015 2:24am

Hi Lynn,

Thank you for your help. It got stuck on the step "Use this command to remove all cmdlets except Set-User.", so I used this instead:

# Enumerate every cmdlet entry in the custom role and remove all but Set-User.
# -Confirm:$false suppresses the per-entry prompt; -Force suppresses warnings.
Get-ManagementRoleEntry "Mailbox Role\*" | % {
    if ($_.Name -ne "Set-User")
    {
        Write-Host $_.Name
        Remove-ManagementRoleEntry $_ -Force -Confirm:$false
    }
}

Now a new group and role were created, I will test it.

July 31st, 2015 3:30am

Hi,

Why not use this command?

Get-ManagementRoleEntry "Mailbox Role\*" | ? { $_.Name -ne "Enable-Mailbox" } | Remove-ManagementRoleEntry

And add the Disable-Mailbox cmdlet:

Add-ManagementRoleEntry "Mailbox Role\Disable-Mailbox"

Best Regards

July 31st, 2015 4:57am

It didn't work for me. :(

I waited for more than half an hour, but the cmdlet count was still 110. Then I changed the script, and it worked.

It seems there are some special settings on my Exchange server. The current Exchange version is 2013, and it was upgraded from Exchange Server 2007. I added the accounts to the group "Recipient Management" (built-in group, assigned roles: Distribution Groups, Mail Recipient Creation, Mail Recipients, Message Tracking, Migration, Move Mailboxes, Recipient Policies, Team Mailboxes), but they couldn't create mailboxes with the cmdlet Enable-Mailbox.

I added the accounts to the Organization Management group for the time being, and will investigate the reasons further. I think I still need your help. :) Thank you again.

July 31st, 2015 5:50am
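The thread's approach, pulled together as one script (an added example, not code from any of the posters): derive a child role from whichever built-in role already carries both cmdlets, prune it down to Enable-Mailbox and Disable-Mailbox, verify the result, and delegate it through a role group instead of dropping the accounts into Organization Management. The role name, group name and member name are assumptions for illustration.

```powershell
# Added example: least-privilege role holding only Enable-Mailbox and Disable-Mailbox.
# Run in the Exchange Management Shell as an Organization Management member.
$RoleName  = "Mailbox Enable-Disable"            # assumed name
$GroupName = "Mailbox Enable-Disable Operators"  # assumed name
$Keep      = @("Enable-Mailbox", "Disable-Mailbox")

# A child role can only contain entries its parent has, so find a built-in
# role that already carries both cmdlets rather than guessing which one does.
$candidates = $Keep | ForEach-Object {
    Get-ManagementRoleEntry "*\$_" | Select-Object -ExpandProperty Role
}
$parent = $candidates | Group-Object |
          Where-Object { $_.Count -eq $Keep.Count } |
          Select-Object -First 1 -ExpandProperty Name
if (-not $parent) { throw "No single role contains both cmdlets." }
Write-Host "Deriving '$RoleName' from parent role '$parent'"

New-ManagementRole -Name $RoleName -Parent $parent | Out-Null

# Strip every inherited entry except the two we want. Without -Confirm:$false
# this prompts once per entry, which is what stalled the script in the thread.
Get-ManagementRoleEntry "$RoleName\*" |
    Where-Object { $Keep -notcontains $_.Name } |
    Remove-ManagementRoleEntry -Confirm:$false

# Verify before delegating: exactly the two cmdlets must remain.
$left = @(Get-ManagementRoleEntry "$RoleName\*" | Select-Object -ExpandProperty Name)
if ((($left | Sort-Object) -join ",") -ne (($Keep | Sort-Object) -join ",")) {
    throw "Unexpected entries in '$RoleName': $($left -join ', ')"
}

# Delegate through a role group; members get only these two cmdlets.
New-RoleGroup -Name $GroupName -Roles $RoleName | Out-Null
# Add-RoleGroupMember -Identity $GroupName -Member "helpdesk.user"   # assumed member

# Show who effectively receives the role and under which write scope, so the
# delegation can be reviewed before anyone uses it.
Get-ManagementRoleAssignment -Role $RoleName -GetEffectiveUsers |
    Select-Object Role, RoleAssigneeName, EffectiveUserName, RecipientWriteScope
```

Each surviving entry inherits the parent's parameter list, so if the role should not cover, say, archive operations, use Set-ManagementRoleEntry to narrow the parameters after pruning.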
