Split permissions, as the name suggests, split the permissions between Exchange and Active Directory management. Exchange Server 2010 provides a mechanism for configuring Exchange and Active Directory administrators so that they can't manipulate or interfere with each other's roles. For example, Active Directory administrators can create user accounts, but Exchange administrators can't delete those accounts.
Exchange Server supports two permission models:-
· Shared permissions (Exchange Server 2010 default)
· Split permissions
Shared Permissions
This is the default permission model in Exchange Server 2010 and we don't need to configure anything to implement this model. This model does not separate Exchange and Active Directory objects. It allows authorized Active Directory users to create, modify and delete Exchange objects.
Split Permissions
Split permissions can be configured when your organization wants to separate Active Directory and Exchange management. Once split permissions are configured correctly, only the Active Directory administrators will be able to create new user accounts, whereas Exchange administrators will only be able to modify those objects.
In this article, we will learn how to configure Exchange Server 2010 so that only Active Directory administrators can create new user accounts, which means that Exchange administrators won't be able to run the below cmdlets:-
· New-MailUser
· New-Mailbox
· New-MailContact
· New-LinkedUser
· Remove-MailUser
· Remove-Mailbox
· Remove-LinkedUser
· Remove-MailContact
· Add-MailboxPermission
· Add-MailboxFolderPermission
Run the below commands to implement the above scenario:-
1. Run the below command to create a role group for the Active Directory administrators. It also assigns the Mail Recipient Creation and Security Group Creation and Membership roles to this newly created role group:-
New-RoleGroup "AD Admins" -Roles "Mail Recipient Creation", "Security Group Creation and Membership"
2. The next step is to create a delegating assignment of the Mail Recipient Creation role to the above role group:-
New-ManagementRoleAssignment "ADAdmins_CreateMailRecipient_Delegation" -Role "Mail Recipient Creation" -SecurityGroup "AD Admins" -Delegating
3. Also create a delegating assignment of the Security Group Creation and Membership role to the role group created in step 1:-
New-ManagementRoleAssignment "SecurityGroupCreationAndMembership_Delegating" -Role "Security Group Creation and Membership" -SecurityGroup "AD Admins" -Delegating
4. Now add the members to the role group created in step 1:-
Add-RoleGroupMember "AD Admins" -Member <user to add>
5. Set the role group so that it is managed by itself; only members of this group can then add or remove its members:-
Set-RoleGroup "AD Admins" -ManagedBy "AD Admins"
6. Find all existing role assignments to the Mail Recipient Creation and Security Group Creation and Membership roles by running these commands:-
· Get-ManagementRoleAssignment -Role "Mail Recipient Creation"
· Get-ManagementRoleAssignment -Role "Security Group Creation and Membership"
7. Remove the role assignments to the Mail Recipient Creation and Security Group Creation and Membership roles that belong to any other role group (leave the assignments to the AD Admins role group created in steps 1 to 3 in place) by running these commands for each assignment found:-
· Remove-ManagementRoleAssignment <Mail Recipient Creation role assignment to remove>
· Remove-ManagementRoleAssignment <Security Group Creation and Membership role assignment to remove>
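The following script, an added example and not part of the original article, audits the result of steps 6 and 7 from the Exchange Management Shell: it lists every assignment of the two roles that still belongs to something other than the AD Admins role group, verifies that the delegating assignments from steps 2 and 3 exist, and only removes stray assignments when run with -Remove. The role group name and the check function name are assumptions.

```powershell
# Added example (not from the original article). Run in the Exchange Management
# Shell after completing the steps above. Dry run by default; pass -Remove to
# actually delete stray assignments.
param(
    [string]$RoleGroup = "AD Admins",   # name used in step 1 (assumed)
    [switch]$Remove
)

$roles = "Mail Recipient Creation", "Security Group Creation and Membership"

function Test-SplitPermissions {
    param([string]$Group, [string[]]$Roles, [bool]$RemoveStray)
    $clean = $true
    foreach ($role in $Roles) {
        # Returns both Regular and Delegating assignments of the role
        $stray = Get-ManagementRoleAssignment -Role $role |
            Where-Object { $_.RoleAssigneeName -ne $Group }

        foreach ($a in $stray) {
            $clean = $false
            Write-Warning ("{0} is still assigned to '{1}' ({2}, {3}) via '{4}'" -f
                $role, $a.RoleAssigneeName, $a.RoleAssigneeType,
                $a.RoleAssignmentDelegationType, $a.Name)
            if ($RemoveStray) {
                # Removing the assignment is what takes New-Mailbox etc. away
                # from that role group's members.
                Remove-ManagementRoleAssignment -Identity $a.Name -Confirm:$false
            }
        }

        # Steps 2 and 3 must leave a delegating assignment for the group
        $deleg = Get-ManagementRoleAssignment -Role $role -RoleAssignee $Group -Delegating $true
        if (-not $deleg) {
            $clean = $false
            Write-Warning "No delegating assignment of '$role' to '$Group' found"
        }
    }
    return $clean
}

if (Test-SplitPermissions -Group $RoleGroup -Roles $roles -RemoveStray:$Remove) {
    Write-Host "Split permissions: only '$RoleGroup' holds the recipient creation roles."
} else {
    Write-Host "Split permissions are not yet fully enforced; see warnings above."
}
```

Running it without -Remove after step 7 should report no warnings; any warning names the exact assignment to pass to Remove-ManagementRoleAssignment.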