Role-based role for ActiveSync Exchange 2010 for helpdesk
What is the best way to create RBAC for ActiveSync for the helpdesk so they can manage users' devices for remote wipe etc. for all users?
June 15th, 2011 8:37pm
Hi,
If you want your helpdesk (user or group) to only wipe the ActiveSync devices, you should assign a custom Management Role to the user or the Role Group.
Thus you should create the Role "ActiveSync Wipe" based on the parent Role "Mail Recipients", remove every Role Entry except "Clear-ActiveSyncDevice", and after that you can create a Role Group "Helpdesk account group" assigned the Role, or assign the Role to the Helpdesk user directly.
More information:
Clear-ActiveSyncDevice
http://technet.microsoft.com/en-us/library/aa995904.aspx
Create a Role
http://technet.microsoft.com/en-us/library/dd351214.aspx
Remove a Role Entry from a Role
http://technet.microsoft.com/en-us/library/dd297947.aspx
Add a Role to a User or USG
http://technet.microsoft.com/en-us/library/dd351056.aspx
For how to create an RBAC role and assign it to a user, go through the good articles below.
http://www.exchangedictionary.com/index.php/Articles/role-based-access-control-exchange-2010.html
http://www.exchangedictionary.com/index.php/Articles/create-new-management-role-rbac.html
Anil MCC 2011,ITIL V3,MCSA 2003,MCTS 2010, My Blog : http://messagingschool.wordpress.com
June 16th, 2011 9:44am
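The procedure Anil outlines (derive a role from "Mail Recipients", trim it to Clear-ActiveSyncDevice, scope it, and hand it to a role group), written out as an added Exchange Management Shell example. This is not code from the thread; the role, scope and group names, the OU path and the member address are assumptions, and the scope step is included so the role group cannot act on mailboxes outside the OU it is meant for.

```powershell
# Added example (not from the thread): least-privilege ActiveSync wipe role for
# the helpdesk on Exchange 2010. Names, OU path and member address are assumed.
$roleName  = "ActiveSync Wipe"
$groupName = "Helpdesk ActiveSync Wipe"
$scopeName = "Helpdesk ActiveSync Scope"
$ouPath    = "contoso.com/Users/Staff"          # assumed OU the helpdesk may act on
$member    = "helpdesk.user@contoso.com"        # assumed helpdesk account

# 1. Derive a child role from "Mail Recipients"; it starts with every entry of the parent.
New-ManagementRole -Name $roleName -Parent "Mail Recipients"

# 2. Strip every role entry except the one cmdlet the helpdesk needs.
#    A role must keep at least one entry, so this filter never empties it.
Get-ManagementRoleEntry -Identity "$roleName\*" |
    Where-Object { $_.Name -ne "Clear-ActiveSyncDevice" } |
    Remove-ManagementRoleEntry -Confirm:$false

# 3. Restrict the write scope to user mailboxes under one OU. Without this the
#    assignment inherits the organization-wide write scope of the parent role.
New-ManagementScope -Name $scopeName -RecipientRoot $ouPath `
    -RecipientRestrictionFilter { RecipientType -eq "UserMailbox" }

# 4. Create the role group, bind the role under the custom scope, add the member.
New-RoleGroup -Name $groupName -Roles $roleName `
    -CustomRecipientWriteScope $scopeName -Members $member

# 5. Verify: exactly one role entry should remain, and the assignment should
#    show the custom recipient write scope rather than "Organization".
Get-ManagementRoleEntry -Identity "$roleName\*" | Format-Table Name, Parameters -AutoSize
Get-ManagementRoleAssignment -RoleAssignee $groupName |
    Format-Table Role, RoleAssigneeType, RecipientWriteScope, CustomRecipientWriteScope -AutoSize
```

Run the verification lines again after any later change to the role; if step 5 ever lists a second role entry or a RecipientWriteScope of Organization, the role has drifted from what the helpdesk was granted.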
You can follow Anil’s suggestion to create RBAC for helpdesk.
When you perform a remote wipe on a mobile phone, here are some related documents for you:
Perform a Remote Wipe on a Mobile Phone
http://technet.microsoft.com/en-us/library/aa998614.aspx
Client Access Permissions
http://technet.microsoft.com/en-us/library/dd638131.aspx
Thanks,
Evan
June 17th, 2011 3:58am
Any update??
Anil MCC 2011,ITIL V3,MCSA 2003,MCTS 2010, My Blog : http://messagingschool.wordpress.com
June 19th, 2011 12:01am
Ok, so I did the following:
1) Created a role "ActiveSync Wipe" based on "Mail Recipients"
2) Removed all the unnecessary role entries except "Clear-ActiveSyncDevice" from "ActiveSync Wipe"
3) Created a "Scope" allowing only the targeted OU where I want the helpdesk to have access:
New-ManagementScope -Name "Scope" -RecipientRoot "Domain/OU" -RecipientRestrictionFilter {RecipientType -eq "UserMailbox"}
4) Then linked the role group to the role:
New-RoleGroup -Name "ActiveSyncRolegroup" -Roles "ActiveSync Wipe" -CustomRecipientWriteScope "Scope"
5) Added a test user to ActiveSyncRolegroup
When I log in to the OWA/ECP website with the test user's credentials and click on Phone, I do not see any other users; I only see the test user's phone under ActiveSync. Do I need to do anything else to see all the users?
Thx
June 19th, 2011 7:11pm
Do I need to give access to the ECP directory?
June 26th, 2011 2:07pm
Hi eth123,
Maybe you need to add the "User Options" role to ActiveSyncRolegroup. Per my test, after I add this role to the ActiveSyncRolegroup, I can follow this way to remote wipe for other users:
Under ECP, choose "Another User" under Mail > Options, then choose which mailbox you want to check, then Phone, and then you can remote wipe for the user.
User Options Role
http://technet.microsoft.com/en-us/library/dd876960.aspx
Thanks,
Evan
July 10th, 2011 2:57am
That gives them (helpdesk) more access than they need. I only need them to have ActiveSync wipe.
July 17th, 2011 4:58pm
Thought I would pass along what I got working.
Create management role, role group and add role member:
New-ManagementRole "ActiveSync User Options" -Parent 'User Options'
New-RoleGroup 'ActiveSync Device Wipers' -Roles 'ActiveSync User Options'
Add-RoleGroupMember "ActiveSync Device Wipers" -Member emailaddress@company.com
Get-ManagementRoleEntry -Identity 'ActiveSync User Options\*' | Where {$_.Name -notlike "*activesync*"} | Remove-ManagementRoleEntry -Confirm:$False
Add-ManagementRoleEntry "ActiveSync User Options\Get-Recipient"
Add-ManagementRoleEntry "ActiveSync User Options\Get-User"
Add-ManagementRoleEntry "ActiveSync User Options\Get-CASMailbox"
Add-ManagementRoleEntry "ActiveSync User Options\Set-CASMailbox"
Here is the short list of remaining permissions:
Get-ActiveSyncDeviceStatistics
Get-ActiveSyncDevice
Clear-ActiveSyncDevice
Remove-ActiveSyncDevice
Get-User
Get-Recipient
Get-CASMailbox
Set-CASMailbox
In our case emailaddress@company.com is the email attached to the help desk group that has been given access. That group membership now has rights to wipe Activesync devices and nothing else.
You may be able to trim off a few more of the entries left in the list. I got lazy after burning hours testing. Get-User, Get-Recipient, all the Get-ActiveSync* entries and Clear-ActiveSyncDevice are required, I know.
Good luck.
June 27th, 2012 5:13pm
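The role group built in the post above is only least-privilege for as long as nobody adds entries or members to it. As an added example, not from the thread, here is an audit script that checks the group against the "short list of remaining permissions" the post gives and against the expected membership; the group name and the member address are taken from the post, and treating the post's list as the complete allow-list is an assumption.

```powershell
# Added example (not from the thread): audit the helpdesk wipe role group so
# that drift from the intended allow-list or membership shows up as findings.
$groupName       = "ActiveSync Device Wipers"          # role group from the post
$expectedMembers = @("emailaddress@company.com")        # member from the post
$allowedCmdlets  = @(                                    # assumed complete allow-list
    "Get-ActiveSyncDeviceStatistics", "Get-ActiveSyncDevice",
    "Clear-ActiveSyncDevice", "Remove-ActiveSyncDevice",
    "Get-User", "Get-Recipient", "Get-CASMailbox", "Set-CASMailbox"
)

$findings = @()

# Every role assignment the group holds; each role's entries are the cmdlets it can run.
foreach ($a in Get-ManagementRoleAssignment -RoleAssignee $groupName) {
    foreach ($e in Get-ManagementRoleEntry -Identity "$($a.Role)\*") {
        if ($allowedCmdlets -notcontains $e.Name) {
            $findings += "Role '$($a.Role)' grants cmdlet not on the allow-list: $($e.Name)"
        }
    }
    # An Organization write scope means the group can wipe devices of any mailbox,
    # not just those in the OU it was set up for.
    if ($a.RecipientWriteScope -eq "Organization") {
        $findings += "Assignment of '$($a.Role)' has an organization-wide recipient write scope"
    }
}

# Membership drift: flag anyone whose primary SMTP address is not expected.
foreach ($m in Get-RoleGroupMember -Identity $groupName) {
    $smtp = "$($m.PrimarySmtpAddress)"
    if ($expectedMembers -notcontains $smtp) {
        $findings += "Unexpected role group member: $($m.Name) <$smtp>"
    }
}

if ($findings.Count -eq 0) {
    "OK: '$groupName' matches the expected least-privilege baseline"
} else {
    $findings
}
```

Scheduling this from an admin workstation and alerting on any non-empty result gives a cheap detective control on top of the preventive one the role provides; the scope check is there because the post's role group was created without a custom recipient write scope, so it inherits the parent role's organization-wide scope unless one is added.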