![Lead Image © Isaac Marzioli, 123RF.com](/var/ezflow_site/storage/images/archive/2013/17/hands-on-exchange-rights-management/123rf_4576780_access-granted-denied_isaacmarzioli_denied_resized.png/98883-1-eng-US/123RF_4576780_Access-granted-denied_IsaacMarzioli_DENIED_resized.png_medium.png)
Hands-on Exchange rights management
Rigorous Rights
Starting with Exchange 2013, Microsoft changed its messaging server to role-based access control (RBAC). Among other things, this approach makes it easier for Windows administrators to manage user rights.
Two types of roles can be assigned: end user and administrator. Administrator roles bundle the permissions needed to manage a particular area of the Exchange organization and are assigned to the administrators responsible for that area. If a user is a member of several role groups, Exchange grants the user the combined privileges of all of those groups.
End-user roles begin with a prefix of `My`. For example, members of the `MyDistributionGroups` user role are allowed to create their own distribution groups and delete their own groups. This is not always desirable in an enterprise environment. By modifying the permissions, you can revoke these rights for normal users. The easiest way is to create a new role based on the existing `MyDistributionGroups` user role, then revoke the rights and assign the role to your users.
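How that copy-then-revoke procedure looks in the Exchange Management Shell, as an added example rather than code from the article: the custom role name `MyDGMembershipOnly` and the use of the "Default Role Assignment Policy" are assumptions.

```powershell
# Added example (not from the article): derive a restricted copy of the
# built-in MyDistributionGroups end-user role that still lets users manage
# the membership of groups they own, but no longer create or delete groups.
# Assumptions: the role name "MyDGMembershipOnly" is our own choice, and the
# affected users are on the "Default Role Assignment Policy".

$RoleName = "MyDGMembershipOnly"

# 1. Create the new role as a child of the built-in role; it inherits
#    every role entry (cmdlet + parameters) of its parent.
New-ManagementRole -Name $RoleName -Parent "MyDistributionGroups"

# 2. Revoke the entries that allow creating and deleting groups.
#    A child role can only ever contain a subset of its parent's entries.
"New-DistributionGroup", "Remove-DistributionGroup" | ForEach-Object {
    Remove-ManagementRoleEntry -Identity "$RoleName\$_" -Confirm:$false
}

# 3. Review what the role still permits before anyone receives it.
Get-ManagementRoleEntry "$RoleName\*" | Sort-Object Name | Select-Object Name

# 4. Hand the restricted role to users through the assignment policy, and
#    remove the original assignment so the parent role's rights do not
#    continue to apply alongside the new one.
New-ManagementRoleAssignment -Role $RoleName -Policy "Default Role Assignment Policy"
Get-ManagementRoleAssignment -Role "MyDistributionGroups" -RoleAssigneeType RoleAssignmentPolicy |
    Remove-ManagementRoleAssignment -Confirm:$false

# 5. Confirm the effective role assignments on the policy.
Get-ManagementRoleAssignment -RoleAssignee "Default Role Assignment Policy" |
    Select-Object Role, RoleAssigneeType
```

The `Remove-*` cmdlets accept `-WhatIf`, so steps 2 and 4 can be dry-run first to see exactly which entries and assignments would be removed.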
For existing role groups, whether administrative or end-user, you can add or remove roles and add or remove members.
When you copy a role group, you create a new name and optionally add or remove roles to the new group, all without affecting the original role group.
For standard groups, it makes sense to make copies before you change the groups.
In Exchange Server 2013, the administrative role groups are located in the Permissions area. The `Get-RoleGroup` commandlet (cmdlet) lets you check out the various groups in the management shell. `Get-RoleGroupMember` shows the members of a group (e.g., `Get-RoleGroupMember "Organization Management"`). To add a user to a group, you can use the Exchange Management Console (Figure 1) or the Exchange Management Shell:
`Add-RoleGroupMember "<management role...`