Exchange 2010 SP2 Multi Tenant (How to create a Tenant Admin)
Friday, June 22, 2012 5:40 AM
Hi Team,
As there are no hosting switches available with SP2, how do we create a tenant Administrator?
With SP1 we were able to create an Administrator while creating a new organization.
Also, how would the Tenant Administrator manage the users/groups/contacts/mailboxes, etc.?
Any pointers are appreciated.
I have installed Exchange 2010 SP2 and followed the steps below to create the first tenant:
Step 1 - Create the tenant OU
Import-Module ActiveDirectory
$connect = "LDAP://dc1/OU=Tenants,DC=macd,DC=com"
$ad = [ADSI]$connect
$ou = $ad.Create("OrganizationalUnit", "ou=KFC")
$ou.SetInfo()

Step 2 - Create the UPN suffix
Set-ADForest -Identity macd.com -UPNSuffixes @{Add="KFC.com"}

Step 3 - Create the Accepted Domain
New-AcceptedDomain -Name "KFC" -DomainName KFC.com -DomainType:Authoritative

Step 4 - Create the Global Address List
New-GlobalAddressList -Name "KFC - GAL" -ConditionalCustomAttribute1 "KFC" -IncludedRecipients MailboxUsers -RecipientContainer "macd.com/Tenants/KFC"

Step 5 - Create the All Rooms Address List
New-AddressList -Name "KFC - All Rooms" -RecipientFilter "(CustomAttribute1 -eq 'KFC') -and (RecipientDisplayType -eq 'ConferenceRoomMailbox')" -RecipientContainer "macd.com/Tenants/KFC"

Step 6 - Create the All Users Address List
New-AddressList -Name "KFC - All Users" -RecipientFilter "(CustomAttribute1 -eq 'KFC') -and (ObjectClass -eq 'User')" -RecipientContainer "macd.com/Tenants/KFC"

Step 7 - Create the All Contacts Address List
New-AddressList -Name "KFC - All Contacts" -RecipientFilter "(CustomAttribute1 -eq 'KFC') -and (ObjectClass -eq 'Contact')" -RecipientContainer "macd.com/Tenants/KFC"

Step 8 - Create the All Groups Address List
New-AddressList -Name "KFC - All Groups" -RecipientFilter "(CustomAttribute1 -eq 'KFC') -and (ObjectClass -eq 'Group')" -RecipientContainer "macd.com/Tenants/KFC"

Step 9 - Create the Offline Address Book
New-OfflineAddressBook -Name "KFC" -AddressLists "KFC - GAL"

Step 10 - Create the Email Address Policy
New-EmailAddressPolicy -Name "KFC - EAP" -RecipientContainer "macd.com/Tenants/KFC" -IncludedRecipients "AllRecipients" -ConditionalCustomAttribute1 "KFC" -EnabledEmailAddressTemplates "SMTP:%m@KFC.com","smtp:%g.%s@KFC.com"

Step 11 - Create the Address Book Policy
New-AddressBookPolicy -Name "KFC" -AddressLists "KFC - All Users", "KFC - All Contacts", "KFC - All Groups" -GlobalAddressList "KFC - GAL" -OfflineAddressBook "KFC" -RoomList "KFC - All Rooms"

Step 12 - Create the first user
$c = Get-Credential
$u = New-Mailbox -Name 'KFC U1' -Alias 'KFCu1' -OrganizationalUnit 'macd.com/Tenants/KFC' -UserPrincipalName 'KFCu1@KFC.com' -SamAccountName 'KFCu1' -FirstName 'KFC' -LastName 'User 1' -Password $c.password -ResetPasswordOnNextLogon $false -AddressBookPolicy 'KFC'
Set-Mailbox $u -CustomAttribute1 "KFC"
Tejas Kotak
All Replies
Friday, June 22, 2012 10:55 PM
The concept of a tenant admin that exists in /hosting does not exist in on-prem Exchange SP2 with ABPs. If you want to create a user in each virtual org with some additional rights than others, you can, but it doesn't mean they can administer their own virtual org with PowerShell or ECP.
You need a control panel solution to abstract the management layer on top of Exchange.
Your first statement that there is no /hosting switch in SP2 is not correct - there is, we just don't recommend new deployments using /hosting any more.
Monday, June 25, 2012 9:33 AM
Thanks for the response Greg!
It is kind of compulsory to have a control panel solution to have org admins manage their own org users.
I have a question on that: if the control panel is able to provide that solution, that means it is using RBAC to manage those layers.
Could we have some of those permission models published as an article, for the companies/users who do not want to go for control panel solutions?
Tejas Kotak
- Edited by Tejas Kotak Monday, June 25, 2012 9:33 AM Spell correction
Monday, June 25, 2012 3:57 PM
We have no plans to publish documents specific to this scenario. Though really the secret is in filtering the visible objects, not the permissions. Many RBAC scopes are implicit, meaning you can't change what the user can see (hence the need for filtering) but you can control what they can change. So in some senses, this is more an exercise in filtering and RBAC than in RBAC alone.
No plans to publish what the CP vendors have spent time developing, sorry.
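The original post's Step 12 creates the first tenant user, and the replies above explain that non-/hosting SP2 has no built-in tenant admin: what RBAC gives you is control over what a delegated user can change, while what they can see has to be handled by filtering. As an added example (not code from the thread, and not a Microsoft-published pattern), the Exchange Management Shell snippet below shows the least-privilege shape such a tenant admin takes: a management scope pinned to the tenant OU and the CustomAttribute1 tag used throughout the post, and a role group that carries only recipient-management roles inside that scope. It assumes the macd.com/Tenants/KFC OU and the KFCu1 mailbox from the post already exist; the scope and role-group names are hypothetical.

```powershell
# Added example (not from the thread): an RBAC-scoped tenant admin for the KFC tenant
# in Exchange 2010 SP2 without /hosting. Assumes the OU, tag and mailbox from the original
# post; the scope and role-group names below are hypothetical.

$tenant    = "KFC"
$tenantOU  = "macd.com/Tenants/$tenant"
$scopeName = "$tenant - Recipients"        # hypothetical name
$groupName = "$tenant - Tenant Admins"     # hypothetical name

# 1. A management scope that limits writes to recipients that sit inside the tenant OU
#    AND carry the tenant tag in CustomAttribute1. Requiring both means an object moved
#    out of the OU, or tagged for another tenant, falls outside the tenant admin's reach.
New-ManagementScope -Name $scopeName `
    -RecipientRoot $tenantOU `
    -RecipientRestrictionFilter "CustomAttribute1 -eq '$tenant'"

# 2. A role group carrying only recipient-management roles, with its recipient write
#    scope pinned to the scope above. No server, organization or role-management roles
#    are included, so the member cannot widen their own permissions.
New-RoleGroup -Name $groupName `
    -Roles "Mail Recipients", "Mail Recipient Creation", "Distribution Groups" `
    -CustomRecipientWriteScope $scopeName `
    -Members "KFCu1@KFC.com"

# 3. Read-back check: every assignment hanging off the group should show the custom
#    write scope. An assignment without it would let the member write org-wide.
Get-ManagementRoleAssignment -RoleAssignee $groupName |
    Format-Table Role, RecipientWriteScope, CustomRecipientWriteScope -AutoSize

# 4. What this does NOT do, per the reply above: the read scope of these roles is still
#    the whole organization, so Get-Mailbox run by KFCu1 still lists other tenants'
#    recipients. Only changes are fenced; a Set-Mailbox against a mailbox outside the
#    scope is rejected. Hiding other tenants from view is a filtering problem (the ABP
#    from Step 11 for Outlook/OWA address books, a control panel for admin views).
```

Run the block once per tenant from an account that holds the Role Management role, then have the tenant admin open a fresh Exchange Management Shell session so the new assignments are picked up; the step-3 output is the thing to keep in a change record, since an assignment with an empty CustomRecipientWriteScope is the misconfiguration that turns a tenant admin into an org-wide one.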