what is the best way to create RBAC for activesync for helpdesk so they cna manage user's device for remote wipe etc for all users

You can follow Anil’s suggestion to create RBAC for helpdesk. When you perform a remote wipe on a Mobile Phone, here are some related document for you: Perform a Remote Wipe on a Mobile Phone http://technet.microsoft.com/en-us/library/aa998614.aspx Client Access Permissions http://technet.microsoft.com/en-us/library/dd638131.aspx Thanks, Evan Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

Any update ??Anil MCC 2011,ITIL V3,MCSA 2003,MCTS 2010, My Blog : http://messagingschool.wordpress.com

Ok so i did following 1) created a role "Activesync Wipe" based on "Mail Recipients 2)removed all the unnecessary role entires except "clear-activesyncdevice" from ActiveSync wipe 3)created a "Scope" allowing only targeted ou where i want to have helpdesk access to new-ManagementScope -Name "Scope" -RecipientRoot "Domain/OU" -RecipientRestrictionFilter {RecipientType -eq "UserMailbox"} 4)then linked the rolegroup to the role New-RoleGroup -Name "ActiveSyncRolegroup" -Roles "ActiveSync Wipe" -CustomRecipientWriteScope "Scope" 5) added a testuser to activesyncrolegroup when i login to owa/ecp website with testuser's credential and clicked on phone. i do not see any other users, i only see testuser's phone on activesync. do i need to anything else to see all the users thx

do i need to give access to ecp directory?

Hi eth123, Maybe you need add “User Options” role to ActiveSyncRolegroup. Per my test, after I add this role to the ActiveSyncRole group, I can follow this way to remote wipe for other users: Under ECP->Choose “Another User” under Mail>Options:->Then choose which mailbox you want to check ->Phone-> Then you can remote wipe for the user User Options Role http://technet.microsoft.com/en-us/library/dd876960.aspx Thanks, Evan

that gives them (helpdesk) more access than they need to. i only need them to have activesync wipe out