Restricting the use of Remove-Mailbox

  • Question

  • Is there some way to restrict the use of the "Remove-Mailbox" command?  Although there is much separation between Exchange 2010 and Active Directory, I accidentally deleted a user's Active Directory account by selecting "Remove" instead of "Disable".

    I want to disable this functionality to help prevent other network administrators from "accidentally" deleting users' AD accounts.

    Thursday, August 18, 2011 1:17 PM

All replies

  • Well, it does tell you it will do that when you use it  :)

    If you want to do this (and I assume this is Exchange 2010 here), I would go the RBAC route and find all the roles that have the Remove-Mailbox role entry in them:

    Get-ManagementRoleEntry *\Remove-Mailbox

    Then either remove that role entry from those roles or, better yet, create new management roles and assignments, remove the default ones and assign those roles (minus the Remove-Mailbox command) to the appropriate groups that need to do the other functions as part of their jobs.

    More on RBAC:
    http://technet.microsoft.com/en-us/library/dd298183.aspx

    If this is Exchange 2007, I might just remove everyone from the Account Operators role except those that need it  :)


    Thursday, August 18, 2011 1:31 PM
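A worked version of the RBAC approach described in the reply above, added here as an example and not code from the thread. It assumes the "Mail Recipient Creation" role and the "Recipient Management" role group, and the name of the new role is invented; it is meant to be run from the Exchange 2010 Management Shell by an Organization Management member.

```powershell
# Added example (not from the thread): derive a copy of "Mail Recipient Creation"
# without the Remove-Mailbox entry and move one role group onto it, so members keep
# the rest of the role but can no longer delete mailboxes (and their AD accounts).

$ParentRole = "Mail Recipient Creation"
$NewRole    = "Mail Recipient Creation - No Remove"   # assumed name
$Group      = "Recipient Management"                  # role group to re-point

# 1. Confirm the parent role actually carries the entry we intend to strip.
Get-ManagementRoleEntry "$ParentRole\Remove-Mailbox"

# 2. Create a child role; it starts with every entry of the parent.
New-ManagementRole -Parent $ParentRole -Name $NewRole

# 3. Strip the dangerous entry from the child role only (the parent is untouched).
Remove-ManagementRoleEntry "$NewRole\Remove-Mailbox" -Confirm:$false

# 4. Assign the trimmed role to the group that still needs the other cmdlets.
New-ManagementRoleAssignment -Role $NewRole -SecurityGroup $Group -Name "$NewRole-$Group"

# 5. Preview, then remove, only this group's default assignment of the parent role.
#    Filtering on -RoleAssignee avoids removing the Organization Management
#    assignment along with it; drop -WhatIf once the preview lists the right object.
Get-ManagementRoleAssignment -Role $ParentRole -RoleAssignee $Group -Delegating $false |
    Remove-ManagementRoleAssignment -WhatIf

# 6. Verify: the group should hold the new role, and the new role should have no
#    Remove-Mailbox entry (the second command returns nothing on success).
Get-ManagementRoleAssignment -RoleAssignee $Group | Select-Object Name, Role
Get-ManagementRoleEntry "$NewRole\Remove-Mailbox" -ErrorAction SilentlyContinue
```

Members of the re-pointed group must open a new Management Shell session before the change takes effect, since role entries are resolved at session start.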
  • Yes - this is for Exchange 2010 and yes it does put a prompted dialog box on the screen, but some of the other network admins do not work with Exchange 2010 as much.

    The results of running "Get-ManagementRoleEntry *\Remove-Mailbox" are:

    [PS] C:\>Get-ManagementRoleEntry *\Remove-Mailbox

    Name                           Role                      Parameters
    ----                           ----                      ----------
    Remove-Mailbox                 Mail Recipient Creation   {Arbitration, Confirm, Database, Debug, DomainController,

    Tony Redmond, in the Microsoft Exchange 2010 Inside Out book, has a box on pages 153-154 that provides the following PowerShell commands:

    Get-ManagementRoleAssignment -Role "Mail Recipient Creation" -Delegating $False | Remove-ManagementRoleAssignment

    The following are the results.  I responded no to all prompts until I can better understand what could happen.

    Confirm
    Are you sure you want to perform this action?
    Removing the "Mail Recipient Creation-Organization Management" management role assignment object. The following
    properties were configured: management role "Mail Recipient Creation", role assignee "mh.local/Microsoft Exchange
    Security Groups/Organization Management", delegation type "Regular", recipient write scope "Organization", and
    configure write scope "OrganizationConfig".
    [Y] Yes  [A] Yes to All  [N] No  [L] No to All  [?] Help (default is "Y"): n

    Confirm
    Are you sure you want to perform this action?
    Removing the "Mail Recipient Creation-Recipient Management" management role assignment object. The following properties
     were configured: management role "Mail Recipient Creation", role assignee "mh.local/Microsoft Exchange Security
    Groups/Recipient Management", delegation type "Regular", recipient write scope "Organization", and configure write
    scope "OrganizationConfig".
    [Y] Yes  [A] Yes to All  [N] No  [L] No to All  [?] Help (default is "Y"): n

    Confirm
    Are you sure you want to perform this action?
    Removing the "Mail Recipient Creation-Test" management role assignment object. The following properties were
    configured: management role "Mail Recipient Creation", role assignee "mh.local/Microsoft Exchange Security
    Groups/Test", delegation type "Regular", recipient write scope "Organization", and configure write scope
    "OrganizationConfig".
    [Y] Yes  [A] Yes to All  [N] No  [L] No to All  [?] Help (default is "Y"): n

    Thursday, August 18, 2011 1:47 PM
    • Marked as answer by DaWaJa Thursday, August 18, 2011 7:00 PM