Need Help with RBAC - Exchange 2010

  • Question

  • Exchange - 2010 (Very Poorly Structured in terms of Administrative Access)

    I am a newly appointed Administrator (never had experience with RBAC)

    There is a Helpdesk team, and I want them to have the following permissions on the Exchange Org.:

    Active Directory Permissions
    Distribution Groups
    Mail Recipient Creation
    Mail Recipients
    Mailbox Search
    Message Tracking
    Organization Client Access
    POP3 And IMAP4 Protocols
    Transport Hygiene
    Transport Queues
    User Options
    View-Only Configuration
    View-Only Recipients

    Here is what I did:

    1) I Created A User "TESTADMIN"

    2) I created A Group (Helpdesk) using RBAC Tool in EMC

    3) Added Permissions I want to give Users in this Group

    4) Added Users who will be Members of this Group (TESTADMIN for now)

    And I Started Patting my Shoulder (Thinking I did something Great), But NO ! ! !

    1) Firstly, with this TESTADMIN User I am not able to Access Exchange Servers at all (TESTADMIN is very well added in "Remote Desktop Users" group in AD). It says "Connection was denied because The User Account is not Authorized for Remote Login"

    2) "Remote Desktop Users" is very well added in "Allow Logon through Remote Desktop Services" in Local Security Policy of Exchange Server

    3) If I add User TESTADMIN in "Allow Logon Locally" in Local Security Policy of Exchange Server, I am able to secure the Remote Desktop Connection but it refuses to log in & gives "Unable to login due to permissions error"

    4) I tried logging in to the Domain Controller using this TESTADMIN & I was able to (only after adding TESTADMIN in "Allow Logon through Remote Desktop Services" in Local Security Policy of the Domain Controller), but I am not able to open ADUC, though I delegated Control of One OU to this User

    WAO . . . I am really typing Too much :O :O :O

    Conclusion, Shall we ;) ???

    I want Helpdesk to have LIMITED Access to DC & also to Exchange (PLEASE HELP :D)

    Thanks in Advance ! ! ! 

    Mohammed Bin Ahmed - Data Center Engineer

    Wednesday, April 17, 2013 9:16 PM


All replies

  • Hi ,

    You can read the following article to understand what permissions each management role has. Exchange also has some built-in management role groups; if you don't want too much permission in a role group, you can remove the other roles from the built-in management group or create a custom group with the correct roles. Please remember you need to add the user you want to the management group you created.

    Built-in Management Roles:


    Built-in Role Groups:


    Wendy Liu
    TechNet Community Support

    • Proposed as answer by wendy_liu Thursday, April 25, 2013 2:09 PM
    • Marked as answer by wendy_liu Thursday, April 25, 2013 2:30 PM
    Thursday, April 18, 2013 9:31 AM
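
The custom role group described in the reply above, as an added example for the Exchange Management Shell (not code from the thread or from Microsoft): it creates or updates a `Helpdesk` role group with the roles listed in the question, adds `TESTADMIN`, and prints the resulting assignments for review. It assumes the account running it is a member of Organization Management and that the member's Name in AD is `TESTADMIN`.

```powershell
# Added example for the Exchange Management Shell (Exchange 2010).
# Assumption: run by a member of Organization Management.
$groupName = 'Helpdesk'     # role group name from the question
$member    = 'TESTADMIN'    # test account from the question

# Built-in management roles listed in the question.
$wanted = @(
    'Active Directory Permissions', 'Distribution Groups',
    'Mail Recipient Creation', 'Mail Recipients', 'Mailbox Search',
    'Message Tracking', 'Organization Client Access',
    'POP3 And IMAP4 Protocols', 'Transport Hygiene', 'Transport Queues',
    'User Options', 'View-Only Configuration', 'View-Only Recipients'
)

# Stop before changing anything if a name does not resolve to a role.
$missing = @($wanted | Where-Object {
    -not (Get-ManagementRole -Identity $_ -ErrorAction SilentlyContinue)
})
if ($missing.Count) { throw "Unknown management role(s): $($missing -join ', ')" }

if (-not (Get-RoleGroup -Identity $groupName -ErrorAction SilentlyContinue)) {
    # New group: assign every role and add the member in one step.
    New-RoleGroup -Name $groupName -Roles $wanted -Members $member | Out-Null
} else {
    # Existing group: add only the role assignments it lacks.
    foreach ($role in $wanted) {
        $has = Get-ManagementRoleAssignment -Role $role -RoleAssignee $groupName `
                   -ErrorAction SilentlyContinue
        if (-not $has) {
            New-ManagementRoleAssignment -Role $role -SecurityGroup $groupName | Out-Null
        }
    }
    # Assumption: the member's Name attribute matches $member.
    $names = @(Get-RoleGroupMember -Identity $groupName | ForEach-Object { $_.Name })
    if ($names -notcontains $member) {
        Add-RoleGroupMember -Identity $groupName -Member $member
    }
}

# Review what the group now grants and who is in it.
Get-ManagementRoleAssignment -RoleAssignee $groupName | Sort-Object Role |
    Format-Table Role, RoleAssigneeType, AssignmentMethod -AutoSize
Get-RoleGroupMember -Identity $groupName | Format-Table Name, RecipientType -AutoSize
```
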
  • You might give RBAC manager a try; it simplifies things a bit, but you still need to know the correct roles.


    Thursday, April 18, 2013 1:06 PM