RBAC Made Easy (Part 3)

In the previous articles of this series we went through the process of creating a simple Admin Role Group using the basic settings. In the last article we created a restricted Admin Role Group containing two Management Roles that we shaped to allow only Contact administration.

In this article, we will create the structure to support a user or group of users in order to manage Distribution Groups only.

As in the previous article, we first need to find out which existing Management Role is able to create a Distribution Group, and for that we can use the cmdlet listed below. The result shows three entries, and the first two are the ones we are looking for, as shown in Figure 01.

Get-ManagementRole -Cmdlet New-DistributionGroup

Figure 01

Time to create two new Management Roles for Group Administration using the following cmdlets and the results are shown in Figure 02.

New-ManagementRole _AP_DG_Distribution_Groups -Parent "Distribution Groups"

New-ManagementRole _AP_DG_Security_Group_Creation_and_Membership -Parent "Security Group Creation and Membership"

Figure 02

Now that we have the Management Roles in place, we can create a new user just for testing purposes. The user is going to be a regular user created only in Active Directory (let’s name it user7).

Before creating the Admin Role Group in the Exchange Management Shell, we need the complete names of the Management Roles we just created for group management. If you do not remember the two names, don't worry: the first cmdlet below lists them, and the second creates the Admin Role Group (Figure 03).

Get-ManagementRole _ap_dg*

New-RoleGroup "DG Administration" -Roles _AP_DG_Distribution_Groups,_AP_DG_Security_Group_Creation_and_Membership -Members user7

Figure 03

In this new Role Group we have not restricted the write scope to a specific Organizational Unit, because at this point we only want to test the functionality.

After creating the new Admin Role Group, we can log on as user7 and the results on the Exchange Admin Center will be similar to those in Figure 04.

Figure 04

If we look at the mail flow section we will see the list of accepted domains. Since we do not want that displayed, we can run the following cmdlet to remove it (Figure 05).

Get-ManagementRoleEntry _ap_dg_*\Get-Mailbox | Remove-ManagementRoleEntry

Figure 05

Now our test user7 can log off and log back on again; the results in the Exchange Admin Center are shown in Figure 06.

Figure 06

Combining Contacts and Groups Management Roles…

So far in this series we created the Management Roles that allow us to delegate contact and distribution group management. Now we can put those pieces together to grant permissions to a Service Desk group, for example.

Let’s say that we have an Organizational Unit named Argentina in the root of our domain, and we can specify apatricio.local/Argentina to define the boundaries where the members of this Admin Role Group can manage Distribution Groups and Contacts.

We also need to add the four Management Roles that we have created so far (two to restrict Contacts and two to restrict Distribution Groups), and the member of this group (in our case a new user called user8). The entire process of adding the OU filter, the Management Roles and the name is shown in Figure 07.

Figure 07

Time for the test process using user8 (the user that was added to the ARG-ServiceDesk Admin Role Group). The user has access to create groups and contacts, as shown in Figure 08.

Figure 08

In the previous example we created the ARG-ServiceDesk Admin Role Group, added all four Management Roles, and the user received all the permissions we defined, which is what we expected.

However, with RBAC a user can be a member of several Admin Role Groups, and the permissions of all of them are added together for that user. Let's say that we created a new user and added it both to Contact Administration (previous article) and to DG Administration. The result will be the same as for the users that belong to the ARG-ServiceDesk group, which contains all of those Management Roles.
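The following script is an added example, not code from the article: it is the Exchange Management Shell equivalent of the steps shown in Figure 07, followed by a helper that lists the union of cmdlets a user receives across every Admin Role Group they belong to, which is the additive behaviour described above. The two contact role names from the previous article are placeholders (substitute the names you created); the membership comparison by Name or SamAccountName and the property names used are assumptions about the objects these cmdlets return.

```powershell
# Added example (not from the article). Run in Exchange Management Shell.
# Assumptions: user8 exists in AD; the two contact roles from Part 2 are
# placeholders below and must be replaced with the real names.
$OuScope = 'apatricio.local/Argentina'
$Roles = @(
    '_AP_DG_Distribution_Groups',
    '_AP_DG_Security_Group_Creation_and_Membership',
    '<contact-role-1>',   # placeholder: first contact role from Part 2
    '<contact-role-2>'    # placeholder: second contact role from Part 2
)

# Shell equivalent of Figure 07: the recipient write scope is limited to the
# Argentina OU, so members can only create or modify recipients under it.
New-RoleGroup -Name 'ARG-ServiceDesk' `
    -Roles $Roles `
    -Members 'user8' `
    -RecipientOrganizationalUnitScope $OuScope

# Review each role assignment the group received and its effective write scope.
Get-ManagementRoleAssignment -RoleAssignee 'ARG-ServiceDesk' |
    Format-Table Role, RecipientWriteScope, CustomRecipientWriteScope -AutoSize

# RBAC is additive: a user in several role groups gets the union of all role
# entries. This helper computes that union so the real set of cmdlets a
# delegated admin can run can be reviewed before and after a change.
function Get-EffectiveCmdlet {
    param([Parameter(Mandatory)][string]$User)
    $cmdlets = @{}
    foreach ($rg in Get-RoleGroup) {
        # Assumption: members expose Name / SamAccountName for comparison.
        $isMember = Get-RoleGroupMember -Identity $rg.Identity |
            Where-Object { $_.Name -eq $User -or $_.SamAccountName -eq $User }
        if (-not $isMember) { continue }
        foreach ($ra in Get-ManagementRoleAssignment -RoleAssignee $rg.Identity) {
            foreach ($entry in Get-ManagementRoleEntry "$($ra.Role.Name)\*") {
                $cmdlets[$entry.Name] = $true   # hashtable keys give the union
            }
        }
    }
    $cmdlets.Keys | Sort-Object
}

# Compare user8 (one group) against a user placed in both DG Administration and
# the Contact Administration group from Part 2: the lists should match.
Get-EffectiveCmdlet -User 'user8'
```

Running the helper for a user that sits in both Contact Administration and DG Administration should return the same cmdlet list as for user8, which makes the additive rule visible without logging on as each user.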

Adding Message Tracking for the Service Desk Group

In some situations we have to add more functionality to a given group, and it is always good to test this in an Admin Role Group that is not used on production servers. Perhaps even create a new one for testing, document all the changes, and only then perform the changes in the production environment.

Let's say that ARG-ServiceDesk is working fine with its restriction to adding Groups and Contacts, but its members also need to check message tracking for troubleshooting purposes.

A simple way to do that is to go to the existing Admin Role Group and add the Message Tracking management role, as shown in Figure 09.

Figure 09

However, if any member of this Admin Role Group logs on to the Exchange Admin Center, we will notice a servers item on the left. It came as part of the Management Role (Message Tracking) that we have just added, as shown in Figure 10.

Figure 10

The best approach is to create a new Management Role based on the Message Tracking one, and we are going to do just that using the cmdlet listed below (Figure 11).

New-ManagementRole _AP_Message_Tracking -Parent "Message Tracking"

Figure 11

Now we can list (Figure 12) what we have in the new Management Role by running Get-ManagementRoleEntry _ap_message*\*. Looking at the list, we can identify that the Get-Mailbox cmdlet is the one bringing those three tabs to Recipients, and that the Get-ExchangeServer cmdlet is the cause of the servers item being listed.

Figure 12

Let’s start removing the unnecessary entries using the following cmdlets:

Remove-ManagementRoleEntry _AP_Message_Tracking\Get-Mailbox

Remove-ManagementRoleEntry _AP_Message_Tracking\Get-ExchangeServer

Since the servers are not going to be listed anymore, we can also remove these entries:

Remove-ManagementRoleEntry _AP_Message_Tracking\Get-ExchangeServerAccessLicense

Remove-ManagementRoleEntry _AP_Message_Tracking\Get-ExchangeServerAccessLicenseUser
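The function below is an added example, not code from the article: it wraps the derive-then-trim pattern used both for the _AP_DG_* roles (removing Get-Mailbox, Figure 05) and for _AP_Message_Tracking above, so each removal is checked and the result is verified rather than assumed. It assumes the Exchange Management Shell, and the expectation that Get-MessageTrackingLog remains in the derived role is an assumption about the parent role's contents.

```powershell
# Added example (not from the article). Run in Exchange Management Shell.
# Derives a child role from a built-in parent, removes the named entries,
# and fails loudly if the trim did not take effect or removed too much.
function New-TrimmedRole {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Parent,
        [string[]]$RemoveEntries = @(),
        [string[]]$MustKeep = @()
    )
    # A child role starts with every entry of its parent; create it only once.
    if (-not (Get-ManagementRole $Name -ErrorAction SilentlyContinue)) {
        New-ManagementRole -Name $Name -Parent $Parent | Out-Null
    }
    foreach ($cmdlet in $RemoveEntries) {
        $id = "$Name\$cmdlet"
        if (Get-ManagementRoleEntry $id -ErrorAction SilentlyContinue) {
            Remove-ManagementRoleEntry -Identity $id -Confirm:$false
        } else {
            # A misspelled cmdlet name (e.g. Get-Maibox) silently changes nothing.
            Write-Warning "$Name has no entry '$cmdlet'; check the spelling"
        }
    }
    # Verify: nothing we removed is still present, nothing required is missing.
    $remaining = @(Get-ManagementRoleEntry "$Name\*").Name
    $leaked  = $RemoveEntries | Where-Object { $remaining -contains $_ }
    $missing = $MustKeep     | Where-Object { $remaining -notcontains $_ }
    if ($leaked)  { throw "Entries still present in ${Name}: $($leaked -join ', ')" }
    if ($missing) { throw "Required entries missing from ${Name}: $($missing -join ', ')" }
    $remaining | Sort-Object
}

# Recipient and server entries called out in Figure 12.
$drop = @(
    'Get-Mailbox',
    'Get-ExchangeServer',
    'Get-ExchangeServerAccessLicense',
    'Get-ExchangeServerAccessLicenseUser'
)
# Assumption: Get-MessageTrackingLog is inherited from "Message Tracking".
New-TrimmedRole -Name '_AP_Message_Tracking' -Parent 'Message Tracking' `
    -RemoveEntries $drop -MustKeep 'Get-MessageTrackingLog'

# The same call trims the group role from earlier in the article.
New-TrimmedRole -Name '_AP_DG_Distribution_Groups' -Parent 'Distribution Groups' `
    -RemoveEntries 'Get-Mailbox'
```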

Now we need to edit the ARG-ServiceDesk Admin Role Group and add the new Management Role that we have just created. Finally, the user can log on and test the new features that are available. As we can see in Figure 13, the result is only Recipients (with the groups and contacts tabs) and mail flow.

Figure 13


In this article, we covered the required steps to delegate permissions for Groups and Message Tracking using RBAC.