RBAC - How to restrict User to create users in specific DB?
I know how to scope an Admin to a specific OU. But when the admin creates a new mailbox he can choose to create the mailbox on every DB in the Org. How can I restrict the admin so he can only create mailboxes in a specific DB?
April 13th, 2011 11:33am
This may give you some idea :
http://www.exchangeinbox.com/article.aspx?i=159
Anil
April 13th, 2011 1:27pm
For example
# -Like takes a single wildcard pattern, so "Database01,Database02" matches nothing; name each database with -eq and join them with -or
New-ManagementScope -Name "Databases_ManagmentScope" -DatabaseRestrictionFilter {Name -eq "Database01" -or Name -eq "Database02"}
New-ManagementRoleAssignment -Name "Database_RoleAssignment" -Role "Mail Recipients" -SecurityGroup "Explorers" -CustomConfigWriteScope "Databases_ManagmentScope"
Adam Bokiniec
April 14th, 2011 7:45am
As for additional information, you can refer to the following article:
http://technet.microsoft.com/en-us/library/dd351083.aspx
Thanks.
Novak Wu
TechNet Subscriber Support in forum
If you have any feedback on our support, please contact
tngfb@microsoft.com
Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
April 15th, 2011 2:36am
Adam has provided the correct cmdlet to achieve this; only you can use the -Members switch at the end. I tested this.
New-ManagementScope -Name "Databases_ManagmentScope" -DatabaseRestrictionFilter {Name -eq "Database01" -or Name -eq "Database02"}
New-ManagementRoleAssignment -Name "Database_RoleAssignment" -Role "Mail Recipients" -CustomConfigWriteScope "Databases_ManagmentScope" -Members "UserName"
Anil
April 15th, 2011 3:26am
Hi Eniac,
I hope the above cmdlet worked for you. Do you have any updates?
Anil
April 24th, 2011 12:18am
How are things going? If there is any problem, please feel free to post it here.
Thanks.
Novak Wu
April 25th, 2011 4:18am
Hi Anil,
"-members" parameter is used with "Add-RoleGroupMember"
http://technet.microsoft.com/en-us/library/dd638207.aspx
"-SecurityGroup" and "-User" parameters are used with "New-ManagementRoleAssignment"
http://technet.microsoft.com/en-us/library/dd335193.aspx
Adam Bokiniec
April 25th, 2011 6:58am
Hi, when I use a new user without any other role and group memberships I get the error that the cmdlet New-Mailbox is not recognized (so it seems that the user needs more rights). Where can I see which rights are necessary?
April 26th, 2011 10:35am
Eniac,
Is the AD account already created for the user? You should have the AD account already, then create the mailbox.
Anil
April 26th, 2011 11:12pm
The user can create new users, but I think the right to create new mailboxes is missing. Should I add the user to the Management Recipient role on the Exchange, or can the user then create mailboxes on all DBs?
April 28th, 2011 4:45pm
Hi Eniac,
Use the same database scope but also add the "Mail Recipient Creation" Management Role; that will give you the ability to use "New-Mailbox":
New-ManagementRoleAssignment -Name "Database_RoleAssignment" -Role "Mail Recipient Creation" -CustomConfigWriteScope "Databases_ManagmentScope" -SecurityGroup "Admin_Group_Name"
You can also run Get-ManagementRoleEntry "Mail Recipient Creation\*" | ft -AutoSize -Wrap to see all cmdlets included in the Mail Recipient Creation Management Role.
Good luck!
April 28th, 2011 4:51pm
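Putting the thread's pieces together in one script, as an added example that is not from any post above: it creates the database scope with a filter that matches both databases, assigns both roles the thread settles on with the same config write scope plus the OU recipient scope from the original question, and then reads back what the assignee can actually write to. The role group "Explorers" and database names come from the thread; the OU distinguished name is a placeholder.

```powershell
# Added example (not from the thread). Run in the Exchange Management Shell as
# an Organization Management member. Names below are taken from the thread
# except the OU, which is a placeholder for the OU the admin is already scoped to.
$ScopeName = "Databases_ManagmentScope"
$RoleGroup = "Explorers"
$UserOU    = "OU=HelpdeskUsers,DC=contoso,DC=com"   # placeholder OU, constructed

# -Like takes one wildcard pattern, so "Database01,Database02" would match
# nothing; list the databases explicitly and combine them with -or.
New-ManagementScope -Name $ScopeName `
    -DatabaseRestrictionFilter { (Name -eq "Database01") -or (Name -eq "Database02") }

# "Mail Recipients" covers changing existing recipients; "Mail Recipient Creation"
# is the role that carries New-Mailbox. Both assignments get the same database
# write scope, and the OU recipient scope keeps the admin inside his OU.
foreach ($Role in "Mail Recipients", "Mail Recipient Creation") {
    New-ManagementRoleAssignment -Name "$Role-DBScoped" -Role $Role `
        -SecurityGroup $RoleGroup `
        -CustomConfigWriteScope $ScopeName `
        -RecipientOrganizationalUnitScope $UserOU
}

# Verification: show the filter the scope stores, confirm New-Mailbox really is
# in the creation role, and list the write scopes now bound to the role group.
Get-ManagementScope $ScopeName | Format-List Name, ScopeRestrictionType, Filter
Get-ManagementRoleEntry "Mail Recipient Creation\New-Mailbox" | Format-Table Role, Name

Get-ManagementRoleAssignment -RoleAssignee $RoleGroup |
    Format-Table Name, Role, ConfigWriteScope, CustomConfigWriteScope, RecipientWriteScope -AutoSize
```

The last table is the check worth keeping: any assignment on that role group whose ConfigWriteScope is still OrganizationConfig, or whose RecipientWriteScope is not the OU, is a path around the database restriction.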
Hi, this seems to be working, but I have this issue. The user is a domain admin in his own domain and he can't delete users in the forest (this is OK), but when the user uses the EMC he can completely remove users in other domains! Why can he do this?
May 5th, 2011 5:13am