manage full access permissions - help!
-
30 April 2012 19:26
We have some Exchange functions split among the Exchange admins and our help desk. We are migrating from 2003 to 2010 SP2 and noticed that "manage full access permissions" is not something our help desk can do in the 2010 environment, but they can do so in 2003. I thought the perms I gave the group were sufficient to do what they need to do so they can do their jobs, but it turns out that in order to be able to manage full access permissions on 2010 mailboxes, they need the "feature" called Permissions and Delegation. Unfortunately that feature is allocated to the Organization Management role. Well, that's no good. We don't want to add that role to the help desk, as we are working to only allocate what they need, and that is just too much freedom. I am assuming we can't add the Permissions and Delegation feature to the help desk group, but I am posting this out here just in case there is a way we can do so and I just haven't found it yet. Is this even possible? Thanks. : )
-
30 April 2012 19:57
Exchange 2010 utilizes RBAC, so you can create a custom group and assign proper roles.
http://technet.microsoft.com/en-us/library/dd298116.aspx
Quick view of the roles:
- Edited by Halo-NEXT 30 April 2012 19:59
-
30 April 2012 20:08
Thanks, I understand that. What I am trying to do is add a specific role to the group. For instance, I added the Mail Recipient Creation and Mail Recipients roles to our help desk group. But a feature of the Org Management group is called Permissions and Delegation, which allows for the "manage full access" option. I am trying to find out if there is a way to add that feature to the help desk group without having to add the role to which it belongs. Thanks. : )
-
30 April 2012 21:36
What you can do is create a custom group, add roles, and remove certain cmdlets from those roles.
Kind of like in this example:
http://sysadmin-talk.org/2010/04/5-steps-to-heaven-creating-a-custom-rbac-role-in-exchange-2010/
-
1 May 2012 23:50
That would be great. Unfortunately, even after reading the information in the link twice, I am having a hard time with it, because what I need to do is be able to dissect the role and the role group to even attempt to create a custom role/role group. The reason I say this is because the permission is a permission that is required to manage recipients (recipient provisioning permissions). The permission (or feature, as they call it) is called "Permissions and Delegation", and it resides in the Organization Management group. The link above is basically telling me to create a child role group under the existing group, throw the Organization Management group in there and remove what I don't want, which in this case would be everything except the one piece.
What this means is that it is like trying to remove everything except the needle from the haystack. That would be fine if I even knew how to go about perusing what is in the role group so I would know what to remove. It's kind of hard to go about it this way. It is like being told to clean out the garage but to save one box, when there is no description of what the box looks like. Is there a way I can "look at the innards" of the role group so I can know how to clean it up, or better yet, take the piece I need and add it to the existing group? Sorry, I'm not trying to be difficult, but I don't even know where to start. Thank you.
-
2 May 2012 03:05
Moderator
Do you just want the admin to have only the permission to manage Full Access? Managing Full Access uses the cmdlet Add-MailboxPermission. You can create a custom role that has only this entry, assign it to the admin, and have a try. I didn't find an article to answer your question directly, so I think you can try and post your result. If it still doesn't work, we can discuss then.
Jack Zhou - MSFT
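As an added example (not from this thread), here is what Jack's approach looks like in the Exchange 2010 Management Shell, including the "look at the innards" step asked about above: find which role holds the Add-MailboxPermission entry, derive a custom role from it that keeps only the mailbox-permission cmdlets, and assign that role to the help desk role group. The role group name "Help Desk" and the custom role name are assumptions; the example also keeps Get- and Remove-MailboxPermission, which goes slightly beyond the single cmdlet named in the reply.

```powershell
# Added example, not from the thread. Run in the Exchange 2010 Management Shell
# as a member of Organization Management. Assumptions: the help desk role group
# is named "Help Desk"; the custom role name "Mailbox Full Access Admins" is
# hypothetical.

# 1. Inspect: which built-in roles contain the entry, and what the help desk
#    role group already holds.
Get-ManagementRole -Cmdlet Add-MailboxPermission | Format-Table Name
Get-ManagementRoleAssignment -RoleAssignee "Help Desk" | Format-Table Name, Role

# 2. Derive a child role from the built-in role that owns the entry
#    (Mail Recipients). A child role can only contain entries its parent has.
New-ManagementRole -Name "Mailbox Full Access Admins" -Parent "Mail Recipients"

# 3. Strip every entry except the mailbox-permission cmdlets. Get- and
#    Remove-MailboxPermission are kept so the team can see and undo what it
#    grants; remove them from $keep if only Add-MailboxPermission is wanted.
$keep = "Add-MailboxPermission", "Get-MailboxPermission", "Remove-MailboxPermission"
Get-ManagementRoleEntry "Mailbox Full Access Admins\*" |
    Where-Object { $keep -notcontains $_.Name } |
    Remove-ManagementRoleEntry -Confirm:$false

# 4. Verify that only the intended entries remain in the custom role.
Get-ManagementRoleEntry "Mailbox Full Access Admins\*" | Format-Table Name, Parameters

# 5. Assign the custom role to the help desk role group. The write scope can be
#    narrowed further (e.g. -RecipientOrganizationalUnitScope) if the team
#    should only touch mailboxes in one OU.
New-ManagementRoleAssignment -Name "Mailbox Full Access Admins-Help Desk" `
    -Role "Mailbox Full Access Admins" -SecurityGroup "Help Desk"

# 6. Confirm the assignment is in place for the role group.
Get-ManagementRoleAssignment -RoleAssignee "Help Desk" | Format-Table Name, Role
```

Help desk members need to open a new shell or EMC session before the new assignment takes effect, since RBAC permissions are evaluated when the session is created.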
-
9 May 2012 20:45
OK, I have spent a great deal of time working this issue and have found a total paradox to this situation.
I want to give a management role group permissions to manage permissions on a mailbox.
This right (role entry) translates to the cmdlet Add-MailboxPermission.
It turns out that this role entry resides in the Mail Recipients role.
The group already has that role assigned.
When I look up information on running the cmdlet, it says I need certain permissions to run the cmdlet or the EMC equivalent: http://technet.microsoft.com/en-us/library/bb676551.aspx
When I look up the link from this link to see what perms are needed, it says I need to be in the Organization Management role group!
Huh!?!?!?!?!? This makes no sense. Why do I need to be a member of Org Mgmt if the role entry resides in a role that is already assigned to the group??????? The group can't be a member of Org Mgmt in our environment. So why isn't the Mail Recipients role sufficient if it contains the Add-MailboxPermission role entry?