RBAC - How to restrict User to create users in specific DB?
I know how to scope an Admin to a specific OU. But when the admin creates a new mailbox he can choose to create the mailbox on every DB in the Org. How can I restrict the admin so he can only create mailboxes in a specific DB?
April 13th, 2011 11:33am

This may give you some idea: http://www.exchangeinbox.com/article.aspx?i=159
Anil
April 13th, 2011 1:27pm

For example:
New-ManagementScope -Name "Databases_ManagmentScope" -DatabaseRestrictionFilter {Name -eq "Database01" -or Name -eq "Database02"}
New-ManagementRoleAssignment -Name "Database_RoleAssignment" -Role "Mail Recipients" -SecurityGroup "Explorers" -CustomConfigWriteScope "Databases_ManagmentScope"
Adam Bokiniec
April 14th, 2011 7:45am

As for additional information, you can refer to the following article: http://technet.microsoft.com/en-us/library/dd351083.aspx
Thanks.
Novak Wu
April 15th, 2011 2:36am

Adam has provided the correct cmdlet to achieve this, only you can use the -members switch at the end. I tested this.
New-ManagementScope -Name "Databases_ManagmentScope" -DatabaseRestrictionFilter {Name -eq "Database01" -or Name -eq "Database02"}
New-ManagementRoleAssignment -Name "Database_RoleAssignment" -Role "Mail Recipients" -CustomConfigWriteScope "Databases_ManagmentScope" -members "UserName"
Anil
April 15th, 2011 3:26am

Hi Eniac, I hope the above cmdlet worked for you. Do you have any updates?
Anil
April 24th, 2011 12:18am

How are things going? If there is any problem, please feel free to post it here.
Thanks.
Novak Wu
April 25th, 2011 4:18am

Adam has provided the correct cmdlet to achieve this, only you can use the -members switch at the end. I tested this.
New-ManagementScope -Name "Databases_ManagmentScope" -DatabaseRestrictionFilter {Name -eq "Database01" -or Name -eq "Database02"}
New-ManagementRoleAssignment -Name "Database_RoleAssignment" -Role "Mail Recipients" -CustomConfigWriteScope "Databases_ManagmentScope" -members "UserName"
Anil
Hi Anil, the "-members" parameter is used with "Add-RoleGroupMember": http://technet.microsoft.com/en-us/library/dd638207.aspx
The "-SecurityGroup" and "User" parameters are used with "New-ManagementRoleAssignment": http://technet.microsoft.com/en-us/library/dd335193.aspx
Adam Bokiniec
April 25th, 2011 6:58am

Hi, when I use a new user without any other role and group memberships I get the error that the cmdlet New-Mailbox is not recognized (so it seems that the user needs more rights). Where can I see which rights are necessary?
April 26th, 2011 10:35am

Eniac, is the AD account already created for the user? You should have the AD account already, then create the mailbox.
Anil
April 26th, 2011 11:12pm

The user can create new users but I think the right to create new mailboxes is missing. Should I add the user to the Management Recipient role on the Exchange, or can the user then create mailboxes on all DBs?
April 28th, 2011 4:45pm

Hi Eniac, use the same database scope but also add the "Mail Recipient Creation" Management Role; that will give you the ability to use "New-Mailbox":
New-ManagementRoleAssignment -Name "Database_RoleAssignment" -Role "Mail Recipient Creation" -CustomConfigWriteScope "Databases_ManagmentScope" -SecurityGroup "Admin_Group_Name"
You can also type the following to see all cmdlets included in the Mail Recipient Creation Management Role:
Get-ManagementRoleEntry "Mail Recipient Creation\*" | ft -Autosize -Wrap
Good luck!
April 28th, 2011 4:51pm
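
One way to script the setup discussed in this thread and then check what the group can actually write to, as an added example that is not code from any of the posters. It assumes the Exchange Management Shell on Exchange 2010 SP1 or later (for -DatabaseList); the OU path is a hypothetical placeholder, and the recipient OU scope and the audit step go beyond what the posts show.

```powershell
# Added example (not from the thread). Scope and group names are the thread's;
# $ou is a hypothetical OU standing in for the admin's own OU.
$scopeName = 'Databases_ManagmentScope'
$group     = 'Admin_Group_Name'
$ou        = 'contoso.local/Branch01'      # hypothetical placeholder
$databases = 'Database01', 'Database02'

# 1. Configuration scope: name each database explicitly instead of filtering.
if (-not (Get-ManagementScope | Where-Object { $_.Name -eq $scopeName })) {
    New-ManagementScope -Name $scopeName -DatabaseList $databases | Out-Null
}

# 2. One assignment per role. The database scope limits where mailboxes can be
#    created; the OU scope limits which recipients can be written at all.
foreach ($role in 'Mail Recipients', 'Mail Recipient Creation') {
    $name = "DbScoped - $role"
    if (-not (Get-ManagementRoleAssignment | Where-Object { $_.Name -eq $name })) {
        New-ManagementRoleAssignment -Name $name -Role $role -SecurityGroup $group `
            -CustomConfigWriteScope $scopeName `
            -RecipientOrganizationalUnitScope $ou | Out-Null
    }
}

# 3. Audit: list every assignment that reaches the group (including ones
#    inherited through other role groups) with its write scopes.
$assignments = Get-ManagementRoleAssignment -RoleAssignee $group
$assignments |
    Format-Table Name, Role, RecipientWriteScope, CustomRecipientWriteScope,
                 ConfigWriteScope, CustomConfigWriteScope -AutoSize -Wrap

# 4. Flag assignments that are still organization-wide on either axis.
$wide = $assignments | Where-Object {
    "$($_.RecipientWriteScope)" -eq 'Organization' -or
    "$($_.ConfigWriteScope)"    -eq 'OrganizationConfig'
}
if ($wide) {
    Write-Warning "Assignments without a narrowing write scope:"
    $wide | Format-Table Name, Role, RecipientWriteScope, ConfigWriteScope -AutoSize
} else {
    Write-Output "All assignments for '$group' are scoped."
}
```

An assignment created with only a configuration scope keeps the role's default recipient write scope, so step 4 reports it as organization-wide for recipients.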

Hi, this seems to be working but I have this issue. The user is domain admin in his own domain and he can't delete users in the forest (this is ok), but when the user uses the EMC he can completely remove users in other domains! Why can he do this?
May 5th, 2011 5:13am

This topic is archived. No further replies will be accepted.
