Hands-on Exchange rights management

Rigorous Rights

End User Roles

In addition to the administrative roles for managing your Exchange server, you can also control user rights for their own mailboxes and distribution groups in Exchange. Role assignment policies let you control which users can modify configuration settings for mailboxes and distribution groups.

To view all the mailboxes that have a specific assignment policy assignment, use the Get-Mailbox cmdlet and pass the results to the Where cmdlet:

Get-Mailbox | Where  {$_.RoleAssignmentPolicy -Eq "assignment policy"}

To view the assignment policy for a user account in the account's properties and change the assignment, in the Exchange Management Console, access the Mailbox Features menu. To change the default assignment policy that Exchange automatically assigns to new mailboxes, use:

Set-RoleAssignmentPolicy "<assignmentpolicy>" -IsDefault

Exchange always assigns the default policy to new mailboxes, even if it does not contain any management roles. A mailbox can only use one role assignment policy. If you want to assign different rights to certain users, you must create and assign separate role assignment policies for these mailboxes.

After creating a new role assignment policy in Permissions | User Roles , you assign it to the desired management roles. You can then assign the role assignment policy to the desired mailboxes. To change the policy for all mailboxes assigned to a particular assignment policy, use the cmdlet:

Get-Mailbox | Where { $_.RoleAssignmentPolicy -Eq "<old assignment policy>" } | \
   Set-Mailbox -RoleAssignmentPolicy <new policy>

At the end of the command, you can use the WhatIf option to see what the command would do, but without actually executing the changes.

The MyDistributionGroups management role group in Exchange Server 2010/2013 can add or remove members of certain distribution groups and remove and create distribution groups.

These are the kinds of operations that administrators might want to prevent. Often, it is sufficient for certain users to manage memberships. To view the rights for the MyDistributionGroups user role group, you can also use the Exchange Management Shell cmdlet

Get-ManagementRoleEntry -Identity MyDistributionGroups\*

although it is easier to use the RBAC Manager.

Management Role Groups

Rather than adjust the settings of existing management role groups, it is preferable to create a new management role group and assign the appropriate memberships and rights. In the Exchange Management Shell, you use the New-ManagementRole cmdlet to manage distribution groups:

New-ManagementRole -Parent "MyDistributionGroups" \
                   -Name Contoso-MyDistributionGroups

Now you can create a new group and assign the rights of the parent group to it. In RBAC Manager, right-click the appropriate group and select New Role from Here . Then enter a name. You can now adjust rights for the group by unchecking the rights from the parent role group to remove them from the child group. You can also manage rights with the Exchange Management Shell. For example, to keep users from creating and deleting distribution groups in the future, use:

Get-ManagementRoleEntry \
   -Identity "Contoso-MyDistributionGroups\New-DistributionGroup" | \

and use:

Get-ManagementRoleEntry -Identity \
   "Contoso-MyDistributionGroups\Remove-DistributionGroup" | \

After configuring the rights, you can assign them to the users in the Exchange Control Panel via the Role Assignment Policy. On Exchange Server 2013, you use the Exchange Management Console Permissions | User Roles section for this.

In the properties of the Default Role Assignment Policy , assign the newly created management role group and confirm the change. If you copied a role group, uncheck the box for the previously assigned policy and check the box for the policy you created that restricts the users' rights to those newly assigned.

Now you can use the policy to assign this management role group to all users through the RBAC Manager. Just press the Show Assignment Policies button, select the Default Role Assignment Policy , and assign the management role group you created.

Assigning the policy to the appropriate users grants them the rights you have assigned to the management role group. To discover which policy is assigned to a user, check the settings for the corresponding mailbox. On Exchange Server 2013, you will find the setting in Recipient | Mailbox Features . If you are making major changes, it is useful to restart the Exchange Server.

A naming policy for groups allows for standardization of distribution groups created by users and other administrators in your organization. You can stipulate that new distribution group names start with a specific prefix and end with a specific suffix, and you can also prohibit the use of certain words.

Ignored Policies

Group naming rules are applied to groups that are created by users. If you or other administrators use the Exchange Management Console to create distribution groups, the group naming policy is ignored.

It is best to create group naming policies in the Exchange Management Console:

  • Select Groups | More | Configure group naming policies
  • In the Group Naming Policy section of the dialog, configure a prefix or suffix by selecting either Attribute or Text in the appropriate drop-down box (Figure 5). After entering the desired text string, press OK . The text string entered or the selected attribute is displayed as a link. Clicking on the link lets you change the text string or the attribute.
Figure 5: Creating a new group naming policy.
  • To add more prefixes, click Add .

In the Exchange Management Shell, you can also manage the policy you created. To do this, use:

Get-OrganizationConfig | fl DistributionGroupNamingPolicy

Additionally, you can run the following cmdlet:

New-DistributionGroup -Name "<Group>" -IgnoreNamingPolicy

to override a group naming policy.

Buy ADMIN Magazine

Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

comments powered by Disqus