Help with RBAC & full access permissions

  • Question

  • I have set up a custom Role Group called Help Desk Test. The access required for it includes the Assigned Role of "Mail Recipients" however with this Role, it includes the ability to allow Full Mailbox access & Send as permissions.

    What we require is all the permissions associated with the "Mail Recipients" role but not allow the Help Desk to be able to set Full Mailbox or Send As permissions.

    Just wondering what the cmdlet to remove these would be. I think they may be in the extended rights or AD permissions, however I am not sure what the exact cmdlets are for them.

    I have been trying to figure this out for ages now so any help would be greatly appreciated.

    Thank you

    Friday, April 15, 2011 5:01 AM

Answers

  • Hi DLIAG,

    The "Active Directory Permissions" ManagementRole gives permission to "Add-ADPermission" and "Remove-ADPermission", which are the permissions to give users "Send-As".

    As previously, to get rid of a single "ManagementRoleEntry" do the following:

    New-ManagementRole -Parent "Active Directory Permissions" -Name "Custom Active Directory Permissions"

    Remove-ManagementRoleEntry "Custom Active Directory Permissions\Add-ADPermission"

    Remove-ManagementRoleEntry "Custom Active Directory Permissions\Remove-ADPermission"

    Adam Bokiniec
    • Proposed as answer by Adam.Bokiniec Monday, April 18, 2011 9:09 AM
    • Marked as answer by Jerome Xiong Sunday, April 24, 2011 6:57 AM
    Monday, April 18, 2011 9:08 AM
  • Hi DLIAG,

    The ManagementRole "Mail Recipients" does not give the user permission to set "Send As". But it gives permission to manage "Full Mailbox Permission". To remove that, do the following:

    The "Active Directory Permissions" ManagementRole gives "Send As" permission.

    New-ManagementRole -Parent "Mail Recipients" -Name "Custom Mail Recipients"

    Remove-ManagementRoleEntry "Custom Mail Recipients\Add-MailboxPermission"

    Remove-ManagementRoleEntry "Custom Mail Recipients\Add-MailboxFolderPermission"

    Remove-ManagementRoleEntry "Custom Mail Recipients\Remove-MailboxPermission"

    Remove-ManagementRoleEntry "Custom Mail Recipients\Remove-MailboxFolderPermission"

    Adam Bokiniec
    • Proposed as answer by Adam.Bokiniec Friday, April 15, 2011 7:32 AM
    • Marked as answer by Jerome Xiong Sunday, April 24, 2011 6:57 AM
    Friday, April 15, 2011 7:32 AM
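
The answers above create the trimmed custom role but stop before it is assigned to the role group. The following is an added example, not part of the original thread, that swaps the assignment on "Help Desk Test" and then audits what the group can still run. It assumes an Exchange 2010 Management Shell session and that "Custom Mail Recipients" has already been created as shown above.

```powershell
# Added example (not from the thread). Role group and role names are the ones
# used in the posts above; run in the Exchange 2010 Management Shell.
$group      = "Help Desk Test"
$parentRole = "Mail Recipients"
$customRole = "Custom Mail Recipients"

# 1. Refuse to continue if the custom role still carries any of the
#    mailbox-permission cmdlets that were meant to be removed.
$left = Get-ManagementRoleEntry "$customRole\*" |
    Where-Object { $_.Name -match '^(Add|Remove)-Mailbox(Folder)?Permission$' }
if ($left) {
    $names = ($left | ForEach-Object { $_.Name }) -join ', '
    throw "Custom role still contains: $names"
}

# 2. Assign the custom role to the role group before removing the built-in
#    one, so the help desk never loses its other recipient cmdlets.
if (-not (Get-ManagementRoleAssignment -RoleAssignee $group -Role $customRole)) {
    New-ManagementRoleAssignment -SecurityGroup $group -Role $customRole
}

# 3. Remove the assignment of the built-in parent role. Until this is done
#    the group keeps Add-MailboxPermission through "Mail Recipients".
Get-ManagementRoleAssignment -RoleAssignee $group -Role $parentRole |
    Remove-ManagementRoleAssignment -Confirm:$false

# 4. Audit: list every permission-granting cmdlet still reachable through
#    any role assigned to the group. An empty table is the expected result.
Get-ManagementRoleAssignment -RoleAssignee $group |
    ForEach-Object { Get-ManagementRoleEntry "$($_.Role)\*" } |
    Where-Object { $_.Name -match '^(Add|Remove)-(ADPermission|Mailbox(Folder)?Permission)$' } |
    Format-Table Role, Name -AutoSize
```

Step 4 also reports Add-ADPermission and Remove-ADPermission if the group holds the built-in "Active Directory Permissions" role, which is the case the other marked answer addresses.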

All replies

  • Thank you Adam, tried this out & it worked beautifully.

    So which ManagementRole gives the set "Send As" permission? I guess once I find that out I could do the same as above to remove it also?

    Just one more question, do you know how these permissions could be removed in Exchange 2007?

    Donna


    Sunday, April 17, 2011 11:55 PM
  • So which ManagementRole gives the set "Send As" permission.

    As far as I know, there is no role group that only has the "Send As" permission.

    If you want to grant or remove the "Send As" permission, you could do it via this article.

    http://technet.microsoft.com/en-us/library/bb676368.aspx

    Understanding Management Roles

    RBAC is the new permissions model in Microsoft Exchange Server 2010.

    With RBAC, you don't need to modify and manage access control lists (ACLs), which was done in Exchange Server 2007.

    Understanding Exchange Access Control and Administrative Delegation

    Monday, April 18, 2011 8:39 AM