Add second Besadmin to ManagementRoleAssignment "BES Admin EWS"

Question
-
Hello,
I have created a ManagementRoleAssignment -Name "BES Admin EWS" and added user Besadmin1, using the following command:
New-ManagementRoleAssignment -Name "BES Admin EWS" -Role ApplicationImpersonation -User "BESAdmin1"
When I try to add a second user, Besadmin2, to "BES Admin EWS", I get the following error:
New-ManagementRoleAssignment -Name "BES Admin EWS" -Role ApplicationImpersonation -User "BESAdmin2"
The object 'CN=BES Admin EWS,CN=Role Assignments,CN=RBAC,CN=companymail,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domain,DC=local' already exists.
Because "BES Admin EWS" already exists.
Please advise how to add a second user (Besadmin2) to "BES Admin EWS".
Thank you
Saturday, September 17, 2011 2:33 PM
All replies
-
Something like:
New-ManagementRoleAssignment -Name "BES Admin EWS2" -Role ApplicationImpersonation -User "BESAdmin2"
Or you could create a security group that contains both accounts and assign the role that way.
Role Assignment Names are unique.
- Marked as answer by MarioTunes Monday, September 19, 2011 1:40 PM
Saturday, September 17, 2011 2:50 PM -
Hello AndyD,
I already have "BES Admin EWS" -Role ApplicationImpersonation -User "BESAdmin1"; it was done before.
Would you recommend:
1) Create new "BES Admin EWS2"
2) Remove user Besadmin1 from "BES Admin EWS", create a new security group, add both users Besadmin1 and Besadmin2 to the new security group, and add the group to "BES Admin EWS"?
If you recommend 2, could you please give me step-by-step instructions.
Thank you
Sunday, September 18, 2011 1:54 AM -
If you want a single security group, then create the group in AD, add the BES accounts to the security group and create the assignment:
New-ManagementRoleAssignment -Name "BES Impersonation" -Role ApplicationImpersonation -SecurityGroup "BES Impersonation Group"
http://technet.microsoft.com/en-us/library/dd335193.aspx
To remove the current role assignment from BES Admin EWS:
http://technet.microsoft.com/en-us/library/dd351205.aspx
Remove-ManagementRoleAssignment
- Marked as answer by MarioTunes Monday, September 19, 2011 1:39 PM
Sunday, September 18, 2011 11:40 AM -
Thank you for your answer.
What type of security group should I create, Global or Universal?
I have created Universal
- Edited by MarioTunes Monday, September 19, 2011 1:46 PM
Monday, September 19, 2011 1:39 PM -
Hi MarioTunes,
You can create a new Role Group.
Create a Role Group
Understanding Management Role Groups
Frank Wang
Tuesday, September 20, 2011 9:27 AM
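
The security-group approach from this thread, collected into one sequence as an added example (it is not part of any poster's reply). It uses the names from the thread and assumes that the accounts' names as shown in EffectiveUserName are "BESAdmin1" and "BESAdmin2"; the old direct assignment is removed only after both accounts are confirmed to hold the role through the group.

```powershell
# Added example: run in the Exchange Management Shell.
# Names are taken from the thread; adjust them to your environment.
$group      = 'BES Impersonation Group'
$assignment = 'BES Impersonation'
$oldAssign  = 'BES Admin EWS'
# Assumption: these match the names Exchange reports in EffectiveUserName.
$accounts   = 'BESAdmin1', 'BESAdmin2'

# 1. Create a mail-enabled universal security group holding both accounts.
New-DistributionGroup -Name $group -Type Security -Members $accounts

# 2. Create ONE assignment for the group. Assignment names must be unique,
#    so this uses a new name instead of reusing "BES Admin EWS".
New-ManagementRoleAssignment -Name $assignment -Role ApplicationImpersonation -SecurityGroup $group

# 3. Audit every holder of ApplicationImpersonation, direct or via a group.
#    Anything unexpected in this list should be investigated before going on.
$effective = Get-ManagementRoleAssignment -Role ApplicationImpersonation -GetEffectiveUsers
$effective | Sort-Object EffectiveUserName |
    Format-Table Name, RoleAssigneeName, RoleAssigneeType, EffectiveUserName -AutoSize

# 4. Check that both accounts now receive the role through the group.
$viaGroup = @($effective |
    Where-Object { $_.RoleAssigneeName -eq $group } |
    ForEach-Object { $_.EffectiveUserName })
$missing = @($accounts | Where-Object { $viaGroup -notcontains $_ })

# 5. Remove the old per-user assignment only when nothing is missing,
#    so BESAdmin1 never loses impersonation rights during the change.
if ($missing.Count -gt 0) {
    Write-Warning ("Not yet effective via '{0}': {1}. Old assignment kept." -f $group, ($missing -join ', '))
} else {
    Remove-ManagementRoleAssignment -Identity $oldAssign -Confirm:$false
    Write-Output "Removed '$oldAssign'; role is now granted only through '$group'."
}
```

After this change, membership of the group alone decides who can impersonate mailboxes, so changes to that group should be reviewed like any other privileged-group change.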