Add second Besadmin to ManagementRoleAssignment "BES Admin EWS"

  • Question

  • Hello,
    I have created a ManagementRoleAssignment named "BES Admin EWS" and added the user Besadmin1 using the following command:
    New-ManagementRoleAssignment -Name "BES Admin EWS" -Role ApplicationImpersonation -User "BESAdmin1"


    When I try to add a second user, Besadmin2, to "BES Admin EWS", I get the following error:


    New-ManagementRoleAssignment -Name "BES Admin EWS" -Role ApplicationImpersonation -User "BESAdmin2"

    The object 'CN=BES Admin EWS,CN=Role Assignments,CN=RBAC,CN=companymail,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domain,DC=local' already exists.

    This is because "BES Admin EWS" already exists.
    Please advise how to add a second user (Besadmin2) to "BES Admin EWS".
    Thank you
    Saturday, September 17, 2011 2:33 PM

All replies

  • Something like:

    New-ManagementRoleAssignment -Name "BES Admin EWS2" -Role ApplicationImpersonation -User "BESAdmin2"

    Or you could create a security group that contains both accounts and assign the role that way.

    Role assignment names are unique.

    • Marked as answer by MarioTunes Monday, September 19, 2011 1:40 PM
    Saturday, September 17, 2011 2:50 PM
  • Hello AndyD,

     

    I already have "BES Admin EWS" -Role ApplicationImpersonation -User "BESAdmin1"; it was done before.

     

    Would you recommend:

    1) Create new "BES Admin EWS2"

    2) Remove user Besadmin1 from "BES Admin EWS", create a new security group, add both users Besadmin1 and Besadmin2 to the new security group, and add the group to "BES Admin EWS"?

    If you recommend 2, could you please give me step-by-step instructions?

     

    Thank you

    Sunday, September 18, 2011 1:54 AM
  • If you want a single security group, then create the group in AD, add the BES accounts to the security group and create the assignment:

    New-ManagementRoleAssignment -Name "BES Impersonation" -Role ApplicationImpersonation -SecurityGroup "BES Impersonation Group"

    http://technet.microsoft.com/en-us/library/dd335193.aspx

     

    To remove the current role assignment from BES Admin EWS:

    http://technet.microsoft.com/en-us/library/dd351205.aspx

    Remove-ManagementRoleAssignment
    • Marked as answer by MarioTunes Monday, September 19, 2011 1:39 PM
    Sunday, September 18, 2011 11:40 AM
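
The group-based approach from the answer above, written out as an added example (not code posted by anyone in this thread). It assumes the Exchange Management Shell with the ActiveDirectory module available, that BESAdmin1 and BESAdmin2 are the accounts' sAMAccountNames, and that a plain universal security group is accepted by -SecurityGroup. The new assignment is created and reviewed before the old per-user one is removed, so impersonation rights are never left unassigned or granted to an unexpected account.

```powershell
# Added example: move ApplicationImpersonation from a per-user assignment to a group.
Import-Module ActiveDirectory

$GroupName   = 'BES Impersonation Group'   # group name used in the answer above
$NewAssign   = 'BES Impersonation'         # assignment name used in the answer above
$OldAssign   = 'BES Admin EWS'             # per-user assignment from the question
$BesAccounts = 'BESAdmin1', 'BESAdmin2'    # assumption: these are sAMAccountNames

# 1. Create the group only if it is missing (Universal scope, Security category).
$group = Get-ADGroup -Filter "Name -eq '$GroupName'"
if (-not $group) {
    $group = New-ADGroup -Name $GroupName -GroupScope Universal `
                         -GroupCategory Security -PassThru
}

# 2. Add only the accounts that are not members yet, so a re-run is harmless.
$current = @(Get-ADGroupMember -Identity $group |
             Select-Object -ExpandProperty SamAccountName)
$toAdd   = @($BesAccounts | Where-Object { $current -notcontains $_ })
if ($toAdd.Count -gt 0) { Add-ADGroupMember -Identity $group -Members $toAdd }

# 3. Stop if the group holds anyone else: every member will be able to
#    impersonate mailboxes once the role is assigned to the group.
$members    = @(Get-ADGroupMember -Identity $group |
                Select-Object -ExpandProperty SamAccountName)
$unexpected = @($members | Where-Object { $BesAccounts -notcontains $_ })
if ($unexpected.Count -gt 0) {
    throw "Unexpected members in '$GroupName': $($unexpected -join ', ')"
}

# 4. Assignment names are unique, so create this one only if it does not exist.
$existing = Get-ManagementRoleAssignment -Role ApplicationImpersonation |
            Where-Object { $_.Name -eq $NewAssign }
if (-not $existing) {
    New-ManagementRoleAssignment -Name $NewAssign -Role ApplicationImpersonation `
                                 -SecurityGroup $GroupName
}

# 5. Review every account that effectively holds the role, directly or via a group.
Get-ManagementRoleAssignment -Role ApplicationImpersonation -GetEffectiveUsers |
    Sort-Object EffectiveUserName |
    Format-Table Name, RoleAssigneeName, RoleAssigneeType, EffectiveUserName -AutoSize

# 6. Remove the old direct assignment last; -Confirm forces a prompt first.
Remove-ManagementRoleAssignment -Identity $OldAssign -Confirm
```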
  • Thank you for your answer.

    What type of security group should I create, Global or Universal?

     


    I have created Universal
    • Edited by MarioTunes Monday, September 19, 2011 1:46 PM
    Monday, September 19, 2011 1:39 PM
  • Hi MarioTunes,

    You can create a new Role Group.

    Create a Role Group
    Understanding Management Role Groups
    Frank Wang
    Tuesday, September 20, 2011 9:27 AM