Exchange 2010 RBAC: Limit management for VIP users


Does your organization require a selective permission model that restricts who can manage the CEO or other VIP users in an Exchange 2010 organization?

Step 1. Create a new Universal Security Group for the users you want to protect, and add all of those users to the new group.

New-DistributionGroup -Name "SEC-GRP-VIP_Restricted_Users" -OrganizationalUnit "adatum.com/Groups" -SamAccountName "SEC-GRP-VIP_Restricted_Users" -Alias "sec-grp-vip_restricted_users" -Notes "Contains members of all restricted VIP users" -Type "Security"

Step 2. Create a new Universal Security Group for the administrators that are allowed to manage the protected users, and add those administrators to this newly created group.

New-DistributionGroup -Name "SEC-GRP-VIP_Admins" -OrganizationalUnit "adatum.com/Groups" -SamAccountName "SEC-GRP-VIP_Admins" -Alias "sec-grp-vip_admins" -Notes "Contains members that allows to manage restricted VIP users" -Type "Security"

Step 3. Create a new management scope ("New-ManagementScope") that includes the group of your restricted users. Management scopes define who or what a permission applies to; a scope can be an OU, a security group, a set of servers or a set of databases.

New-ManagementScope -Name "VIP_Protected_Managers_ManagementScope" -RecipientRestrictionFilter { MemberOfGroup -eq "cn=SEC-GRP-VIP_Restricted_Users,ou=Groups,dc=adatum,dc=com" } -Exclusive

Step 4. Assign a management role to the new VIP administrators. In this example I'm adding the "Mail Recipients" management role, but you can assign any management role. A role assignment is what actually grants the permissions: it ties the role, the security group and the exclusive scope together.

New-ManagementRoleAssignment -Name "VIP_Protected_Managers_ManagementRoleAssignment" -Role "Mail Recipients" -SecurityGroup "SEC-GRP-VIP_Admins" -ExclusiveRecipientWriteScope "VIP_Protected_Managers_ManagementScope"

This was created on Exchange 2010 SP1.
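Because the scope is exclusive, every recipient that matches it can only be modified through assignments that carry that exclusive scope, so other recipient administrators lose write access to the VIP members until they are added to the admin group. The script below is an added verification example, not part of the original post; it assumes the group, scope and assignment names from the steps above, and the addresses ceo@adatum.com and vipadmin@adatum.com are constructed placeholders.

```powershell
# Added verification example (not from the original post).
# Assumes the objects created in Steps 1-4 exist with the names used there.
$vipGroup   = "SEC-GRP-VIP_Restricted_Users"
$adminGroup = "SEC-GRP-VIP_Admins"
$scopeName  = "VIP_Protected_Managers_ManagementScope"
$vipUser    = "ceo@adatum.com"        # constructed placeholder VIP mailbox
$vipAdmin   = "vipadmin@adatum.com"   # constructed placeholder administrator

# Steps 1 and 2 only create the groups; populate them here.
Add-DistributionGroupMember -Identity $vipGroup   -Member $vipUser
Add-DistributionGroupMember -Identity $adminGroup -Member $vipAdmin

# 1. Confirm the scope really is exclusive and filters on the VIP group.
#    A scope created without -Exclusive would NOT block other admins.
Get-ManagementScope -Exclusive |
    Where-Object { $_.Name -eq $scopeName } |
    Format-List Name, Exclusive, RecipientFilter, RecipientRoot

# 2. Ask RBAC who can write to the VIP user, expanded to effective users.
#    For recipient-management roles only members of $adminGroup should appear;
#    anyone else listed is covered by another exclusive scope and needs review.
Get-ManagementRoleAssignment -WritableRecipient $vipUser -GetEffectiveUsers |
    Format-Table Name, Role, RoleAssigneeName, EffectiveUserName,
                 RecipientWriteScope, CustomRecipientWriteScope -AutoSize

# 3. Check from the other direction: the admin group's assignments should show
#    RecipientWriteScope = ExclusiveRecipientScope and the VIP scope name.
Get-ManagementRoleAssignment -RoleAssignee $adminGroup |
    Format-Table Name, Role, RecipientWriteScope, CustomRecipientWriteScope -AutoSize
```

Run the first `Get-ManagementRoleAssignment` query again whenever a new role assignment or exclusive scope is added, since a second exclusive scope that also matches the VIP users silently widens who can change them.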

Built-in Management Roles


2 Responses to Exchange 2010 RBAC: Limit management for VIP users

  1. Pingback: E2K10 – RABC: Jane the Administrator | Jonson Yang

  2. Mike says:

    Thanks a lot for the useful tips.
