Role Base Access Control
I have locked down the ECP for our NOC to only be able to create Mail Recipients (Mailboxes, Contacts, Resources, and Shared).  I cannot figure out how to get rid of the Tools section which allows for the BPA to be run.  Has anyone figured out how to remove that?  I cannot find the Cmdlets associated with it.
March 19th, 2015 10:50am

Hi Razor,

As BPA doesn't solely depend on Exchange to test it and uses other components as well, hence blocking it fully with RBAC might not be possible.

Its more like a tool seperately running on the system. I don't see any proper documentation on exact account permissions required to run it.

RBAC only restrict you from running exchange related commands via exchange consoles, provided you don't have any external ACL permissions on Exchange.

Below are some requirements, which makes me believe this.

Office 365 Best Practices Analyzer for Exchange Server 2013 Requirements

The computer you run the checks on needs to meet these requirements. We automatically verify you are ready to run the checks when you download the tool.
Free Windows Admin Tool Kit Click here and download it now
March 20th, 2015 2:17am

Hi,

From your description, I would like to clarify the following thing:

If you don't want the account to run ExBPA successfully, you can remove him from a member of Domain Admins group and view-only organization management role group.

Hope this can be helpful to you.

Best regards,

March 20th, 2015 3:21am

Hi,

Any update?

Best regards,

Free Windows Admin Tool Kit Click here and download it now
March 23rd, 2015 10:50pm

This topic is archived. No further replies will be accepted.

Other recent topics Other recent topics