Exchange Server 2010 Video – RBAC for Administrators


The way we control security in Exchange Server 2010 is using Role-Based Access Control, or what we call RBAC. Now, RBAC isn't a new thing in the IT industry. This video is part of a full training course called EXCH2010: Designing and Implementing Microsoft Exchange Server 2010.

To help introduce Interface Video Training, the first 18 videos in this Microsoft Exchange Server 2010 course are available for free below. The entire Video Training Library is available for only $25 per month.

Instructor: Mike Pfeiffer, Microsoft MVP
Video Style: Screencast

Video transcript:
How to use RBAC for Administrators – Role Based Access Control in Exchange Server 2010

The way we control security in Exchange Server 2010 is using Role-Based Access Control, or what we call RBAC. Now, RBAC isn't a new thing in the IT industry. It's been around for a long time, but it is new to the Microsoft products. The idea is we want to give you a level of access based on your role. For example, we're looking at this Organizational Unit (OU) here with these groups.

We've got a Help Desk group. Now this OU, this Exchange Security Groups OU, is created when you run PrepareAD during your initial Exchange setup for Active Directory. So this gets created and all of these groups get set up, so we get a handful of groups out here with some default permissions. This is the stuff that Microsoft thinks people will generally need to do out of the box. So Help Desk, this is just a typical security group in Active Directory, but it's also referred to as an Exchange role group.

But just like you would do with regular groups, you just add users to this group.

What happens is when they log in to the Exchange tools, they get a set of PowerShell cmdlets that get loaded up. Now, obviously, in a shell they are going to get cmdlets, but they are also going to get these cmdlets when they are running the graphical tools, because that's what is running when they are making changes in the graphical tools as well.

So Help Desk might get you some basic features. Organization Management is kind of like, think about this as your Domain Admins group in Active Directory.

Organization Management is that for Exchange, and if you look at the properties, the administrator account is in here because I ran my initial preparation with it. I also added my own account in here, and that's how I've been able to see all of the administration features in the Exchange tools thus far. I manually added my account in here.

So if you want to give somebody full access to Exchange Server, you would add them to this group. So these are the role groups, and then they have something assigned to them called roles. Roles are really just a list of cmdlets, but the main two tools that you use to manage RBAC are the shell and the Exchange Control Panel.

Notice here I'm under Manage My Organization.

I'm under Roles and Auditing. Under Administrator Roles, the same list of groups that we were just looking at is listed here.

You can add administrators to these groups as well through the graphical web console, or you could just do it in Active Directory.

Now let's take a look at our Help Desk role here. I'll highlight this. Over on the right-hand side you'll see there is a list of assigned roles.

So here there's User Options and View-Only Recipients. So these are two very basic roles that are assigned.

So if I put somebody in the Help Desk group, they get these two roles, which are basically a list of PowerShell cmdlets.

So let me show you what this looks like real quick. Let me bring up the shell. I'll show how you can see the list of cmdlets that are available in these roles. So if you do a Get-ManagementRoleEntry and use the special syntax where you put the role name in, let's say View-Only Recipients, and finally use a slash star to tell this command to show me all the cmdlets that are in this role.

As you can see here, there's a bunch of get cmdlets. So this is kind of giving me read only access.

If I wanted to change something, I would use set cmdlets.

The fact that this is a view-only role means that I'm mainly getting Get cmdlets for the most part, which makes sense. And so if I put myself or another user in that Help Desk group, they're going to get this role because the role is assigned to the group, and they are going to get this list of cmdlets, and the same thing for the next role and so on.

So this could get complicated very quickly, and so the recommendation is just to use these built-in groups.

There's one for Server Management. You can put users in there. They'll be able to manage just the servers in your environment and not touch the recipients. One thing to keep in mind, though, is that these role groups by default have something called the scope.

So notice here we've got a write scope of Default, and then we have the ability to change it to an organizational unit. Now the write scope by default is going to be organization-wide.

So this means if I put somebody in Server Management, they're going to be able to change settings on any server in the entire Exchange organization. What some folks will do to kind of limit a user's access or an administrator's access is create a custom role group based on these roles here, and then they'll create a custom scope such as an organizational unit, and they'll only be able to manage servers in that specific OU or users in that specific OU.

So let's take a look at how this works. If you want to create a custom role group, you click on this New button here.

So let's create a custom role group to create recipients in a specific OU, and we'll call it New Employees. I want to scope that down: I want to give certain administrators the ability to create new accounts in this OU but not organization-wide. I'd put the distinguished name of the organizational unit in here, and then I would need to assign the roles.

So I know that the New-Mailbox cmdlet is normally used to do this, both in the shell and in the graphical console, but I don't know what role that is, so I need to search for that in the shell. What I can do is a Get-ManagementRoleEntry. This would be similar to the previous syntax, but instead I'll do a star slash New-Mailbox.

Basically I'm telling the shell to give me all the roles out there that contain this cmdlet, and what I get back here is Mail Recipient Creation.
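
Both lookups from the last few paragraphs (role to cmdlets, and cmdlet back to roles), as an added example that is not part of the video. It assumes an Exchange 2010 Management Shell session with rights to read the RBAC configuration; the role name `View-Only Recipients` and the cmdlet `New-Mailbox` are the ones discussed above. The third step goes one step further than the video and shows which role groups already hold the role and at what write scope.

```powershell
# Added example, not from the video. Run in an Exchange 2010 Management Shell
# as an account that can read RBAC configuration (e.g. Organization Management).

# 1. Role -> cmdlets. The argument is "<role name>\<cmdlet pattern>";
#    the backslash separates the role from the cmdlet name pattern.
$entries = Get-ManagementRoleEntry "View-Only Recipients\*"
$entries | Select-Object Name, Role | Format-Table -AutoSize

# Sanity check that a "view-only" role really is read-only: group the entries
# by verb, then flag anything whose verb is not Get-.
$entries | Group-Object { ($_.Name -split '-')[0] } |
    Sort-Object Count -Descending | Format-Table Name, Count -AutoSize

$nonGet = $entries | Where-Object { $_.Name -notmatch '^Get-' }
if ($nonGet) {
    Write-Warning "Entries in View-Only Recipients that are not Get- cmdlets:"
    $nonGet | Format-Table Name, Role -AutoSize
}

# 2. Cmdlet -> roles. Same syntax, with the wildcard on the role side.
Get-ManagementRoleEntry "*\New-Mailbox" | Select-Object Role, Name

# 3. Roles -> role groups. For every role that carries New-Mailbox, list the
#    enabled assignments so you can see who can already create mailboxes and
#    whether their recipient write scope is the default (organization-wide)
#    or a custom scope.
Get-ManagementRoleEntry "*\New-Mailbox" |
    ForEach-Object { Get-ManagementRoleAssignment -Role $_.Role -Enabled $true } |
    Select-Object Role, RoleAssignee, RecipientWriteScope, CustomRecipientWriteScope |
    Format-Table -AutoSize
```

Step 3 is the one worth running before you hand out a custom role group: if the role is already assigned organization-wide to a group your junior admins belong to, the OU-scoped group you add later does not narrow what they can do, because RBAC assignments are additive.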

So I know if I assign this role via this role group, users will end up with this cmdlet, so I could give my administrators the ability to create new mailboxes in that particular OU. There's something that I can do to make this easier on myself. So I'm just going to copy this: right click, highlight, select, copy. Under Roles, click on Add. I'll pick that role from the list and add that to this role group.

Finally, I'll scroll down and look for my members, and let's say that I've got an administrator out there called Bob Smith. He's going to be responsible for creating users in this OU.

So what will happen here is when I create this role group, a new Active Directory security group will get created with this name. It will be assigned this RBAC role, which will give any user in the group that list of cmdlets. So let's click on Save. We go back into Active Directory Users and Computers. I'll refresh this OU. Here's my New Employees group with Bob Smith in it. That looks good.
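
The same custom role group built from the shell instead of the Exchange Control Panel, as an added example that is not from the video. The domain `contoso.com`, the OU name `Employees` and the account name `bsmith` are assumed values standing in for the lab's; the role group name `New Employees` and the role `Mail Recipient Creation` are the ones used above.

```powershell
# Added example, not from the video. Run as a member of Organization Management.
# Assumed values: domain contoso.com, target OU "Employees", admin account "bsmith".

# The OU can be given in canonical form (shown) or as a distinguished name.
$ou = "contoso.com/Employees"

# Create the role group. New-RoleGroup creates the backing AD security group in the
# Microsoft Exchange Security Groups OU, assigns the role, and sets the recipient
# write scope to the OU in one step.
New-RoleGroup -Name "New Employees" `
    -Roles "Mail Recipient Creation" `
    -RecipientOrganizationalUnitScope $ou `
    -Members "bsmith" `
    -Description "Can create recipients only in the Employees OU"

# Verify what was actually created: the assignment and its scopes. The read scope
# stays organization-wide; only the write scope is narrowed to the OU.
Get-ManagementRoleAssignment -RoleAssignee "New Employees" |
    Format-List Role, RoleAssignee, RecipientReadScope, RecipientWriteScope, CustomRecipientWriteScope

# Confirm membership of the new role group (this is the AD group seen in
# Active Directory Users and Computers).
Get-RoleGroupMember "New Employees"
```

Prefer `New-RoleGroup` over creating the AD group by hand and then assigning roles: the cmdlet refuses misspelled role names and records the scope on the assignment, which is what `Get-ManagementRoleAssignment` later reports when you audit who can write where.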

So now let me run the console as Bob Smith. I'm going to right click while I'm holding down Shift on my console icon and run this as a different user, because I'm already logged in as administrator.

I'm going to run this as Bob Smith. So notice when the console loads up that I'm only seeing a subset of the typical options that you would see when you're logged in with the administrator account.

Earlier, when I was logged in with an account in the Organization Management group, I saw Server Configuration in here and a couple of other things, and now it's stripped down a little bit. If I drill down under here, you can see that even fewer options are available.

That is because this RBAC assignment has only given Bob Smith's account a subset of the cmdlets that are available, and then this gets reflected in the graphical console as well.

We do the same thing for the shell. I'm going to hold down Shift, right click the shell icon shortcut, and run as a different user.

I'll run this as Bob, and I'll do B. Smith. So I'm going to go through the same process as with a regular administrator account.

One thing to note: the number of commands I should get in here would be a little different than for a regular administrator.

So I've got all my core PowerShell cmdlets and my Exchange cmdlets that have been assigned via the RBAC role assignment. So Bob Smith gets 537. I've also got my other shell instance open as administrator that we were using earlier.

If I look at that, my Get-Command count shows over 1,000 cmdlets.

So you can see clearly that I'm using the shell with a user who has more permissions here, a lot more than Bob Smith. Another thing that I can do is create that mailbox from here. Let's go through that process one more time. Create a secure password.

Now create a new mailbox. This time I'll do Fred Smith.

Now when I run that, note something interesting here.

We get an error about my current write scope. This is one of those things that RBAC does: by default those built-in role groups' write scope is organization-wide, while I've created a custom role for this user and his write scope was only set to the Employees OU. So remember, if we go back in and look at this under New Employees, look at the write scope here. This is set to Employees.

So this is one way that you can control your junior admins. Give them the ability to create recipients, but not in this global or organization-wide write scope, but in their particular scope like the Employees OU.

So I can get around this by simply adding the OrganizationalUnit parameter to this command. Notice that this is in canonical format, or you could also enter this in its distinguished name form.

We run this again and see what happens. Now that I've corrected the organizational unit, that command works. Previously it was trying to use the default Users container, and that's why I was getting this write scope error.
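
The failing and working `New-Mailbox` calls from Bob's shell, followed by the checks an administrator can run afterwards, as an added example that is not from the video. It assumes the `New Employees` role group from above scoped to an `Employees` OU in an assumed domain `contoso.com`, the account `bsmith` as the junior admin, and `fsmith` as the new user; the 537 and "over 1,000" counts are the ones the video reports.

```powershell
# Added example, not from the video.
# Part 1 runs in a shell opened as bsmith (member of "New Employees");
# part 2 runs as an Organization Management member.
# Assumed values: domain contoso.com, OU "Employees", new user fsmith.

# --- Part 1: as bsmith ---

# How many commands did RBAC load into this session? The video reports 537 for
# Bob versus over 1,000 for an Organization Management member.
(Get-Command).Count

$password = Read-Host "Password for the new mailbox" -AsSecureString

# Attempt 1: no -OrganizationalUnit, so New-Mailbox targets the domain's default
# Users container. That container is outside the Employees OU write scope, and
# RBAC rejects the call before anything is created.
try {
    New-Mailbox -Name "Fred Smith" -UserPrincipalName "fsmith@contoso.com" `
        -Password $password -ErrorAction Stop
} catch {
    Write-Warning "Blocked by write scope: $($_.Exception.Message)"
}

# Attempt 2: the target OU lies inside the custom write scope, so this succeeds.
# Canonical form is used here; the OU's distinguished name also works.
New-Mailbox -Name "Fred Smith" -UserPrincipalName "fsmith@contoso.com" `
    -Password $password -OrganizationalUnit "contoso.com/Employees"

# --- Part 2: as an Organization Management member ---

# Confirm the mailbox landed in the scoped OU.
Get-Mailbox "fsmith" | Select-Object Name, OrganizationalUnit

# Ask RBAC directly who is allowed to modify this recipient. -GetEffectiveUsers
# expands role groups to their members, so bsmith appears by name.
Get-ManagementRoleAssignment -WritableRecipient "fsmith" -GetEffectiveUsers |
    Select-Object Role, RoleAssignee, EffectiveUserName, RecipientWriteScope |
    Format-Table -AutoSize
```

The `-WritableRecipient` query is the useful audit primitive here: rather than reasoning about group membership and scopes by hand, you name a recipient and let RBAC answer which assignments (and, with `-GetEffectiveUsers`, which people) can write to it.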

So that's RBAC from a high level. Keep in mind, though, as you can see, this can get pretty complicated. Try to make use of these built-in role groups.
