How to move your mail infrastructure away from Lotus Notes

Tuesday, 10 March 2015

How to Configure Split Permissions in Exchange Server 2010

Split permissions, as the name suggests, split the permissions between Exchange and Active Directory management. Exchange Server 2010 provides a mechanism for configuring Exchange and Active Directory administrators so that neither can manipulate or interfere with the other's role. For example, Active Directory administrators can create user accounts, but Exchange administrators can't delete those accounts.
Exchange Server supports two permission models:
· Shared permissions (Exchange Server 2010 default)
· Split permissions
Shared Permissions
This is the default permission model in Exchange Server 2010, and nothing needs to be configured to implement it. This model does not separate Exchange and Active Directory objects: it allows authorized Active Directory users to create, modify and delete Exchange objects.
Split Permissions
Split permissions can be configured when your organization wants to separate Active Directory and Exchange management. Once split permissions are configured correctly, Active Directory administrators will only be able to create new user accounts, whereas Exchange administrators can only modify those objects.
In this article, we will learn how to configure Exchange Server 2010 so that only Active Directory administrators can create new user accounts, which means that Exchange administrators won't be able to run the following cmdlets:
· New-MailUser
· New-Mailbox
· New-MailContact
· New-LinkedUser
· Remove-MailUser
· Remove-Mailbox
· Remove-LinkedUser
· Remove-MailContact
· Add-MailboxPermission
· Add-MailboxFolderPermission
Run the following commands to implement the above scenario:
1. Run the command below to create a role group for the Active Directory administrators. It also assigns the Mail Recipient Creation and Security Group Creation and Membership roles to this newly created role group:
New-RoleGroup "AD Admins" -Roles "Mail Recipient Creation", "Security Group Creation and Membership"
2. The next step is to delegate the Mail Recipient Creation role to the above role group:
New-ManagementRoleAssignment "ADAdmins_CreateMailRecipient_Delegation" -Role "Mail Recipient Creation" -SecurityGroup "AD Admins" -Delegating
3. Also delegate the Security Group Creation and Membership role to the role group created in step 1:
New-ManagementRoleAssignment "SecurityGroupCreationAndMembership_delegating" -Role "Security Group Creation and Membership" -SecurityGroup "AD Admins" -Delegating
4. Now add the members to the role group created in step 1:
Add-RoleGroupMember "AD Admins" -Member <user to add>
5. Set the role group to be managed by itself, so that only its members can add or remove members:
Set-RoleGroup "AD Admins" -ManagedBy "AD Admins"
6. Find the role assignments to the Mail Recipient Creation and Security Group Creation and Membership roles by running these commands:
· Get-ManagementRoleAssignment -Role "Mail Recipient Creation"
· Get-ManagementRoleAssignment -Role "Security Group Creation and Membership"
7. Remove all role assignments to the Mail Recipient Creation and Security Group Creation and Membership roles by running these commands:
· Remove-ManagementRoleAssignment <Mail Recipient Creation role assignment to remove>
· Remove-ManagementRoleAssignment <Security Group Creation and Membership role assignment to remove>
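The following Exchange Management Shell script is an added example, not part of the original article; it carries out steps 6 and 7 in one pass and assumes the "AD Admins" role group from steps 1 to 3 already exists. It excludes that group's own assignments from the removal, because removing them would strip the rights just delegated, and then verifies that no other assignee still holds either role.

```powershell
# Added example (not from the original article). Run in the Exchange Management
# Shell on Exchange Server 2010 with the "AD Admins" role group already created.
$protectedGroup = "AD Admins"
$roles = "Mail Recipient Creation", "Security Group Creation and Membership"

# Step 6: enumerate every regular and delegating assignment of the two roles.
$assignments = foreach ($role in $roles) {
    Get-ManagementRoleAssignment -Role $role
}

# Keep the assignments that point at the AD Admins group; removing them would
# take away the rights granted in steps 1 to 3 and lock everyone out of
# recipient creation.
$toRemove = $assignments | Where-Object { $_.RoleAssigneeName -ne $protectedGroup }

Write-Host "Role assignments that will be removed:"
$toRemove | Format-Table Name, Role, RoleAssigneeName, RoleAssignmentDelegationType -AutoSize

# Step 7: dry run first. Drop -WhatIf (or use the commented line) once the list
# above contains only the assignments you expect to lose.
$toRemove | Remove-ManagementRoleAssignment -WhatIf
# $toRemove | Remove-ManagementRoleAssignment -Confirm:$false

# Verification: after the real removal, nothing but the AD Admins group should
# hold either role. Any leftover assignment means Exchange administrators can
# still create or remove recipients.
$leftover = foreach ($role in $roles) {
    Get-ManagementRoleAssignment -Role $role |
        Where-Object { $_.RoleAssigneeName -ne $protectedGroup }
}
if ($leftover) {
    Write-Warning "Unexpected role assignments remain:"
    $leftover | Format-Table Name, Role, RoleAssigneeName -AutoSize
} else {
    Write-Host "Only '$protectedGroup' holds the recipient and security group creation roles."
}
```

Rerun the verification block whenever a new role group is created, since any later assignment of these two roles silently reopens recipient creation to Exchange administrators.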

Web sites come and go and information is lost and therefore some pages are archived. @rayd123 . Powered by Blogger.