Delegating Manage Full-Access Permissions

  • Question

  • Hello,

    I believe I may be having an issue with removing the Manage Full-Access permissions for users that manage mailboxes.  I created a new role group in Exchange 2010 SP2 and assigned the group the following roles: Distribution Group, Mail Enabled Public Folders, Mail Recipient Creation and Mail Recipients.

    When I add the Mail Recipients role the user is allowed to manage the mailboxes, which is fine, but the user also gets the Manage Full-Access Permissions to add/remove themselves or other users from mailboxes.

    Is there a way or role that can be added to allow the user to manage the mailbox but not the full-access permissions?

    Thank you,

    Ryan

    Wednesday, June 20, 2012 4:15 PM

Answers

  • Hi James,

    I'm afraid members of Recipient Management Role Group can still delegate the full access permission as the "Mail Recipients" Management Role is assigned to the group.

    Ryan,

    For your scenario, you can create a custom Role as a child of the Mail Recipients Role, after that, remove the "Add-MailboxPermission" role entry (and any other entries which you don't want, e.g. Remove-MailboxPermission), then assign the custom Role to the new Role Group.

    Create a Role

    http://technet.microsoft.com/en-us/library/dd351214.aspx

    Remove a Role Entry from a Role

    http://technet.microsoft.com/en-us/library/dd297947


    Frank Wang

    TechNet Community Support

    • Marked as answer by Ryan_Tech Thursday, June 21, 2012 3:17 PM
    Thursday, June 21, 2012 6:53 AM
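The procedure Frank describes, as an added Exchange Management Shell example (not code from the thread). The child role name, the role group name and the assumption that the group currently holds a direct "Mail Recipients" assignment are hypothetical; the cmdlets and parameters are standard Exchange 2010 RBAC:

```powershell
# Added example, not from the original thread. Assumes Exchange 2010 SP2 Management Shell.
$Parent = 'Mail Recipients'
$Child  = 'Mail Recipients - No FullAccess'   # hypothetical child role name
$Group  = 'Helpdesk Mailbox Admins'           # hypothetical custom role group from the question

# 1. Create the child role; it starts with every role entry of its parent.
New-ManagementRole -Name $Child -Parent $Parent

# 2. Remove the entries that let members grant or revoke mailbox access.
foreach ($Cmdlet in 'Add-MailboxPermission', 'Remove-MailboxPermission') {
    Remove-ManagementRoleEntry -Identity "$Child\$Cmdlet" -Confirm:$false
}

# 3. Check: only Get-MailboxPermission should remain on the child role.
Get-ManagementRoleEntry "$Child\*-MailboxPermission"

# 4. Assign the child role to the group, and drop the group's direct
#    "Mail Recipients" assignment; otherwise the parent role still grants the
#    removed cmdlets (assignments are additive across roles).
New-ManagementRoleAssignment -Role $Child -SecurityGroup $Group
Get-ManagementRoleAssignment -Role $Parent -RoleAssignee $Group |
    Remove-ManagementRoleAssignment -Confirm:$false

# 5. Audit: list every role that still exposes Add-MailboxPermission, so you
#    can confirm none of them is assigned to the helpdesk group.
Get-ManagementRoleEntry '*\Add-MailboxPermission' | Select-Object Role
```

Run the audit in step 5 against each role returned by `Get-ManagementRoleAssignment -RoleAssignee $Group` to confirm the group has no remaining path to the cmdlet.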

All replies

  • That is because the Mail Recipients role has Add-MailboxPermission as an allowed cmdlet. If they just need basic recipient management like help desk roles, just add them into the default Exchange group "Recipient Management", which doesn't grant mailbox permission rights.

    To view the rights assigned to the mail recipients role:

    Get-ManagementRoleEntry 'Mail Recipients\*'


    James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com


    Wednesday, June 20, 2012 7:12 PM
  • You are correct, the Recipient Management role does have rights to manage mailbox perms; for some reason I thought it didn't.

    James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com

    Thursday, June 21, 2012 1:52 PM
  • Hi Frank,

    This worked perfectly!  Thank you very much it's exactly what I was trying to accomplish.

    Thanks for your reply too James...

    Ryan


    • Edited by Ryan_Tech Thursday, June 21, 2012 3:21 PM Update
    Thursday, June 21, 2012 3:20 PM