Role-based role for ActiveSync, Exchange 2010, for helpdesk
What is the best way to create RBAC for ActiveSync for the helpdesk so they can manage users' devices (remote wipe etc.) for all users?
June 15th, 2011 8:37pm

Hi,

If you want your helpdesk (user or group) to only wipe ActiveSync devices, you should assign a custom management role to the user or the role group. Thus you should create the role "ActiveSync Wipe" based on the parent role "Mail Recipients", remove every other role entry except "Clear-ActiveSyncDevice", and after that create a role group "Helpdesk account group" assigned the role, or assign the role to the helpdesk user directly.

More information:
Clear-ActiveSyncDevice: http://technet.microsoft.com/en-us/library/aa995904.aspx
Create a Role: http://technet.microsoft.com/en-us/library/dd351214.aspx
Remove a Role Entry from a Role: http://technet.microsoft.com/en-us/library/dd297947.aspx
Add a Role to a User or USG: http://technet.microsoft.com/en-us/library/dd351056.aspx

For how to create an RBAC role and assign it to a user, go through the good articles below:
http://www.exchangedictionary.com/index.php/Articles/role-based-access-control-exchange-2010.html
http://www.exchangedictionary.com/index.php/Articles/create-new-management-role-rbac.html

Anil MCC 2011, ITIL V3, MCSA 2003, MCTS 2010, My Blog: http://messagingschool.wordpress.com
June 16th, 2011 9:44am

You can follow Anil's suggestion to create RBAC for the helpdesk. When you perform a remote wipe on a mobile phone, here are some related documents for you:
Perform a Remote Wipe on a Mobile Phone: http://technet.microsoft.com/en-us/library/aa998614.aspx
Client Access Permissions: http://technet.microsoft.com/en-us/library/dd638131.aspx

Thanks,
Evan

Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
June 17th, 2011 3:58am

Any update?

Anil MCC 2011, ITIL V3, MCSA 2003, MCTS 2010, My Blog: http://messagingschool.wordpress.com
June 19th, 2011 12:01am

OK, so I did the following:
1) Created a role "ActiveSync Wipe" based on "Mail Recipients".
2) Removed all the unnecessary role entries except "Clear-ActiveSyncDevice" from "ActiveSync Wipe".
3) Created a scope allowing only the targeted OU where I want the helpdesk to have access:
   New-ManagementScope -Name "Scope" -RecipientRoot "Domain/OU" -RecipientRestrictionFilter {RecipientType -eq "UserMailbox"}
4) Then linked the role group to the role:
   New-RoleGroup -Name "ActiveSyncRolegroup" -Roles "ActiveSync Wipe" -CustomRecipientWriteScope "Scope"
5) Added a test user to ActiveSyncRolegroup.

When I log in to the OWA/ECP website with the test user's credentials and click on Phone, I do not see any other users; I only see the test user's phone under ActiveSync. Do I need to do anything else to see all the users? Thx
June 19th, 2011 7:11pm

Do I need to give access to the ECP directory?
June 26th, 2011 2:07pm

Hi eth123,

Maybe you need to add the "User Options" role to ActiveSyncRolegroup. Per my test, after I add this role to the ActiveSyncRole group, I can follow this way to remote wipe for other users: under ECP, choose "Another User" under Mail > Options, then choose which mailbox you want to check, then Phone, and then you can remote wipe for the user.

User Options Role: http://technet.microsoft.com/en-us/library/dd876960.aspx

Thanks,
Evan
July 10th, 2011 2:57am

That gives them (the helpdesk) more access than they need. I only need them to have ActiveSync wipe.
July 17th, 2011 4:58pm

Thought I would pass along what I got working. Create the management role and role group, and add the role member:

New-ManagementRole "ActiveSync User Options" -Parent 'User Options'
New-RoleGroup 'ActiveSync Device Wipers' -Roles 'ActiveSync User Options'
Add-RoleGroupMember "ActiveSync Device Wipers" -Member emailaddress@company.com
Get-ManagementRoleEntry -Identity 'ActiveSync User Options\*' | Where {$_.Name -notlike "*activesync*"} | Remove-ManagementRoleEntry -Confirm:$False
Add-ManagementRoleEntry "ActiveSync User Options\Get-Recipient"
Add-ManagementRoleEntry "ActiveSync User Options\Get-User"
Add-ManagementRoleEntry "ActiveSync Wipe\Get-CASMailbox"
Add-ManagementRoleEntry "ActiveSync Wipe\Set-CASMailbox"

Here is the short list of remaining permissions:
Get-ActiveSyncDeviceStatistics
Get-ActiveSyncDevice
Clear-ActiveSyncDevice
Remove-ActiveSyncDevice
Get-User
Get-Recipient
Get-CASMailbox
Set-CASMailbox

In our case emailaddress@company.com is the email attached to the help desk group that has been given access. That group membership now has rights to wipe ActiveSync devices and nothing else. You may be able to trim off a few more of the entries left in the list; I got lazy after burning hours testing. Get-User, Get-Recipient, all the Get-ActiveSync* cmdlets and Clear-ActiveSyncDevice are required, I know. Good luck.
June 27th, 2012 5:13pm
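The pieces the thread arrives at, combined into one Exchange Management Shell script as an added example (not code from any poster): the custom role derived from 'User Options' so the ECP "Another User" view works, trimmed to the allow-list from the last post, a write scope limited to one OU as eth123 did, and a final check that nothing outside the allow-list survived in the role. The OU path, scope name and helpdesk group address are placeholders.

```powershell
# Added example, not from the thread. Run as an organization administrator.
# Placeholders (assumptions): the OU root and the helpdesk group address.
$RoleName  = 'ActiveSync User Options'
$GroupName = 'ActiveSync Device Wipers'
$ScopeName = 'Helpdesk ActiveSync Scope'
$OuRoot    = 'contoso.com/Staff'        # placeholder OU that the helpdesk may act on
$Member    = 'helpdesk@contoso.com'     # placeholder helpdesk group

# Allow-list: the entries the last post reports as the working minimum.
$Keep = @('Get-ActiveSyncDeviceStatistics', 'Get-ActiveSyncDevice',
          'Clear-ActiveSyncDevice', 'Remove-ActiveSyncDevice',
          'Get-User', 'Get-Recipient', 'Get-CASMailbox', 'Set-CASMailbox')

# 1. Derive the role from 'User Options'; a child role can only hold a subset of its parent.
New-ManagementRole -Name $RoleName -Parent 'User Options'

# 2. Strip every inherited entry that is not on the allow-list.
Get-ManagementRoleEntry -Identity "$RoleName\*" |
    Where-Object { $Keep -notcontains $_.Name } |
    Remove-ManagementRoleEntry -Confirm:$false

# 3. Add back the read and CAS entries the last post needed, if they are not already present.
foreach ($Cmdlet in 'Get-Recipient', 'Get-User', 'Get-CASMailbox', 'Set-CASMailbox') {
    if (-not (Get-ManagementRoleEntry -Identity "$RoleName\$Cmdlet" -ErrorAction SilentlyContinue)) {
        Add-ManagementRoleEntry -Identity "$RoleName\$Cmdlet"
    }
}

# 4. Limit writes to user mailboxes under one OU (eth123's custom scope).
New-ManagementScope -Name $ScopeName -RecipientRoot $OuRoot `
    -RecipientRestrictionFilter { RecipientType -eq 'UserMailbox' }

# 5. Role group carrying only this role and this write scope; then add the helpdesk group.
New-RoleGroup -Name $GroupName -Roles $RoleName -CustomRecipientWriteScope $ScopeName
Add-RoleGroupMember -Identity $GroupName -Member $Member

# 6. Verify: stop if any entry outside the allow-list is still in the role,
#    then show which roles and write scope the group actually holds.
$Extra = Get-ManagementRoleEntry -Identity "$RoleName\*" |
    Where-Object { $Keep -notcontains $_.Name } |
    Select-Object -ExpandProperty Name
if ($Extra) { throw "Unexpected entries left in ${RoleName}: $($Extra -join ', ')" }
Get-ManagementRoleAssignment -RoleAssignee $GroupName |
    Format-Table Role, CustomRecipientWriteScope -AutoSize
```

Re-run step 6 after any later change to the role: it is the check that the group still has wipe rights and nothing else.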
