Exchange 2010 – How to manage Roles

Exchange 2010 introduced a new way to manage administrator access. Instead of the Active Directory access control entry (ACE) based authorization model used in Exchange 2007, it now uses Role Based Access Control (RBAC).

As an Exchange administrator this allows you to delegate access in a much more granular way instead of an all-or-nothing approach.

RBAC can be managed by roles or role groups. Each role group is backed by an Active Directory security group, which gives you the advantage of managing its membership from Active Directory Users and Computers.

To be able to grant or remove role assignments you will need to use an account which is a member of the ‘Organization Management’ role group.

In the examples below we will be working with the ‘Mailbox Import Export’ role.

How to grant the ‘Mailbox Import Export’ role

Exchange roles can be assigned to individual user accounts or security groups.

Assign the role to a user account

In this example we will be using the Exchange Management Shell to assign the ‘Mailbox Import Export’ role to the ‘Bob Builder’ user account.

This will give the account access to run import and export requests on mailboxes.

To assign the role, run the following PowerShell cmdlet:

New-ManagementRoleAssignment -Role "Mailbox Import Export" -User "Bob Builder"


Assign the role to a security group

In this example we will be assigning the ‘Mailbox Import Export’ role to the ‘HelpDesk’ security group.

To assign the role to a security group, use the following cmdlet:

New-ManagementRoleAssignment -Role "Mailbox Import Export" -SecurityGroup HelpDesk


How to remove the ‘Mailbox Import Export’ role

In this example we will be using the Exchange Management Shell to remove the ‘Mailbox Import Export’ role from the ‘Bob Builder’ user account.

To un-assign the role, run the following PowerShell cmdlet:

Get-ManagementRoleAssignment | Where {$_.Role -eq "Mailbox Import Export" -and $_.RoleAssigneeName -eq "Bob Builder"} | Remove-ManagementRoleAssignment


How to list members of the ‘Mailbox Import Export’ role

The following PowerShell cmdlet will display which user accounts have the ‘Mailbox Import Export’ role assigned.

It will include users which have been granted the role as an individual or by group membership (i.e. a group they’re a member of has been granted the role).

Get-ManagementRoleAssignment -Role "Mailbox Import Export" -GetEffectiveUsers | select EffectiveUserName -Unique

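As an added example that is not part of the original article, the following script turns the listing above into a periodic review: it shows the direct assignments with their type and write scope, expands them to effective users, and flags any holder who is not on an approved list. It assumes it is run in the Exchange Management Shell; the approved names are constructed sample values.

```powershell
# Audit who effectively holds the "Mailbox Import Export" role.
# Added example, not from the original article; run in the Exchange Management Shell.
$RoleName = "Mailbox Import Export"
# Constructed sample list of accounts that are expected to hold the role.
$Approved = @("Bob Builder", "Alice Admin")

# 1. Direct assignments: who (user, security group or role group) was granted
#    the role, and which recipient write scope the assignment carries.
Get-ManagementRoleAssignment -Role $RoleName |
    Select-Object Name, RoleAssigneeType, RoleAssigneeName, RecipientWriteScope, Enabled |
    Format-Table -AutoSize

# 2. Effective users: expand security group and role group membership down to
#    individual accounts, keeping the path by which each one received the role.
$Effective = Get-ManagementRoleAssignment -Role $RoleName -GetEffectiveUsers |
    Select-Object EffectiveUserName, RoleAssigneeName, AssignmentMethod

# 3. Any effective holder not on the approved list is a finding to review
#    (typically a group member nobody expected to inherit the role).
$Unexpected = $Effective | Where-Object { $Approved -notcontains $_.EffectiveUserName }

if ($Unexpected) {
    Write-Warning "Unapproved holders of '$RoleName':"
    $Unexpected | Sort-Object EffectiveUserName -Unique | Format-Table -AutoSize
} else {
    Write-Output "All effective holders of '$RoleName' are on the approved list."
}
```

The AssignmentMethod column tells you whether an unexpected holder was granted the role directly or inherited it through a security group or role group, which determines whether to remove the assignment or the group membership.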