Finding Current Split Permission
-
June 9, 2012 7:49
Hi!
If I walk into an Exchange organization with enough rights, how can I quickly find whether it is based on shared permissions, AD split permissions or RBAC split permissions?
Maybe some method is digging into users' groups and roles (which may have been manipulated and changed), or maybe testing some cmdlets and ...
Anyway, is there any quick way, like viewing an option or running a command, to find that?
Thanks
All replies
-
June 9, 2012 8:16
Hi,
there is no way to determine if Exchange is installed using split permissions or not.
The best way will be to dig into RBAC and check the roles and the permissions which are delegated to these roles.
Split permissions means that Exchange is installed and basically configured to separate the administration of Active Directory user accounts from administering the mailboxes for those users. But it is implemented by Role Based Access Control (RBAC). You will find further information about RBAC and how to configure roles and permissions at http://technet.microsoft.com/en-us/library/dd638106.aspx
regards Thomas Paetzold visit my blog on: http://sus42.wordpress.com
-
June 9, 2012 8:47
Thanks,
I knew that.
I am using the split model, but I wanted to know whether it is AD split permissions or RBAC.
Anyway, I changed it to RBAC (so it seems to have been AD),
but again I cannot create a mailbox.
As the link says, in the AD split model the user should be created in AD and then mailbox-enabled,
but now I am in RBAC, and the user that I logged on with (administrator) is a member of exchange organization and mail recipients, but again the "new-mailbox" cmdlet is not available!
http://social.technet.microsoft.com/Forums/en-US/exchange2010/thread/8adad972-c5eb-45e8-8586-281684952e69/
- Edited by MohammadG June 9, 2012 8:51
-
June 9, 2012 9:28
Try the below links out and see if they resolve your problem.
http://technet.microsoft.com/en-us/library/dd638155.aspx
http://technet.microsoft.com/en-us/library/dd638106.aspx
Girishp
-
June 9, 2012 9:49
I certainly read those but did not find my answer.
As you see, it says:
With Active Directory split permissions, the creation of security principals in the Active Directory domain partition, such as mailboxes and distribution groups, must be performed using Active Directory management tools
So I moved to RBAC in order to be able to create a user and his mailbox in EMC with the administrator user, which is a member of Organization Management (not to first go to ADUC and create the user and then enable it in EMC),
but again I am not able to!
Is there anything wrong, or have I misunderstood, and this situation can only be achieved in the shared permission model?
-
June 9, 2012 10:34
Refer to the below article for your reference
Girishp
-
June 9, 2012 10:38
I think you made a mistake.
This is the link to this post itself :D
-
June 9, 2012 11:21
OK,
this is the correct link for resolving your problem.
Girishp
-
June 9, 2012 11:46
Sorry, but it did not work again! I tried this time on my mailbox server,
and I think it was predictable.
When I cannot create it on my Hub/CAS server, I cannot do that on any other Exchange server, including Mailbox.
Again the same error:
Summary: 1 item(s). 0 succeeded, 1 failed.
Elapsed time: 00:00:00
Test
Failed
Error:
The term 'New-Mailbox' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
Exchange Management Shell command attempted:
New-Mailbox -Name 'Test' -Alias 'Test' -UserPrincipalName 'Test@test.com' -SamAccountName 'Test' -FirstName 'Test' -Initials '' -LastName '' -Password 'System.Security.SecureString' -ResetPasswordOnNextLogon $false
Elapsed Time: 00:00:00
Maybe I am misunderstanding RBAC split mode.
It seems that in neither AD split mode nor RBAC split mode can we use the new-mailbox command, and the user should first be created in AD.
If this is true, it is bad.
-
June 9, 2012 12:59
The following information is available in the above article:
I think you selected the split permissions model when you installed Exchange 2010 (it was a check box during installation).
You need to follow the instructions for "Switch from RBAC split permissions to shared permissions".
Try the below article, Configure Exchange 2010 for Shared Permissions:
http://technet.microsoft.com/en-us/library/dd638146.aspx
You would need to create accounts in ADUC first and then use the command enable-mailbox to give an account a mailbox.
Girishp
-
June 9, 2012 13:04
OK,
I did that.
I changed to shared permissions and now I have the new-mailbox command and it is OK,
but what I wanted to test and implement was RBAC. I do not want AD admins and delegated users to do anything in Exchange.
As a matter of fact, in our organization Exchange admins are the main people. They should be able to create users and mailboxes,
but AD admins should just create users and do some domain partition changes like user creation, groupings and ...
Shouldn't I use RBAC for that?
Or maybe I should use RBAC but do some modifications in groups (both in AD and Exchange role groups)?
-
June 11, 2012 15:57
Hi,
yes, you should use RBAC (or perhaps check the default configuration of RBAC) because this technology is the only one that grants permissions to users in order to administer mailboxes.
regards Thomas Paetzold visit my blog on: http://sus42.wordpress.com
- Proposed as answer by wendy_liu, Microsoft Contingent Staff, Moderator June 13, 2012 9:51
- Marked as answer by MohammadG June 13, 2012 10:03
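
As an added example (not written by any poster in this thread), the "dig into RBAC" check suggested above can be run from the Exchange Management Shell: it lists who holds regular assignments of the two built-in roles that carry the security-principal creation cmdlets, including `New-Mailbox`. The account name `Administrator` is taken from the thread; the variable names are assumptions of this example.

```powershell
# Added example: run inside the Exchange Management Shell (Exchange 2010).
# Built-in roles that carry the security-principal creation cmdlets.
$creationRoles  = 'Mail Recipient Creation', 'Security Group Creation and Membership'
# Role groups Exchange administrators normally belong to.
$exchangeGroups = 'Organization Management', 'Recipient Management'
# Account to test; 'Administrator' is the account used in the thread.
$account        = 'Administrator'

# 1. Show which management role(s) contain New-Mailbox.
Get-ManagementRoleEntry '*\New-Mailbox' | Select-Object Role, Name

# 2. Collect the regular (non-delegating) assignments of the creation roles.
#    Only regular assignments make the cmdlets available to the assignee.
$assignments = foreach ($role in $creationRoles) {
    Get-ManagementRoleAssignment -Role $role -Delegating $false | ForEach-Object {
        New-Object PSObject -Property @{
            Role     = $role
            Assignee = [string]$_.RoleAssigneeName
            Type     = [string]$_.RoleAssigneeType
            Enabled  = [bool]$_.Enabled
        }
    }
}
$assignments | Sort-Object Role, Assignee |
    Format-Table Role, Assignee, Type, Enabled -AutoSize

# 3. Report whether the Exchange role groups hold each creation role.
#    A role missing here means members of that group cannot create
#    security principals from Exchange, whatever group they sit in.
foreach ($group in $exchangeGroups) {
    foreach ($role in $creationRoles) {
        $held = @($assignments | Where-Object {
            $_.Assignee -eq $group -and $_.Role -eq $role -and $_.Enabled
        }).Count -gt 0
        '{0,-25} {1,-42} {2}' -f $group, $role, $(if ($held) { 'assigned' } else { 'NOT assigned' })
    }
}

# 4. Check whether the account effectively receives 'Mail Recipient Creation'.
#    No output means New-Mailbox is not loaded for that account, which
#    produces the "not recognized as the name of a cmdlet" error quoted above.
Get-ManagementRoleAssignment -Role 'Mail Recipient Creation' -GetEffectiveUsers |
    Where-Object { $_.EffectiveUserName -eq $account } |
    Select-Object Role, RoleAssigneeName, EffectiveUserName, AssignmentMethod
```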