Exchange 2010 delegate group management but exclude some groups

  • Question

  • I am wondering if it is possible to delegate Exchange 2010 mail group management to my T1 help desk but also exclude them from the ability to manage a couple of sensitive groups?

    I would also like the ability to exclude the ability to add or remove some users if possible but I am guessing this is less likely.


    • Edited by C-M Saturday, September 29, 2012 4:43 PM
    Friday, September 28, 2012 8:36 PM

Answers

  • Ideally I would prefer not to do this simply because we put all of our groups in a specific structure that makes them easy to find and manage but if it is the only way then it might be what we end up doing.

    Hi C-M,

    If you don't want to destroy the group structure, you may filter the sensitive groups by another Filterable Property.

    For example, if you tag CustomAttribute1 (Filterable Property, value: mvpDL) on the sensitive groups, you can create a Management Scope as follows:

    New-ManagementScope -Name "NormalDL" -RecipientRestrictionFilter {RecipientType -eq "MailUniversalDistributionGroup" -and CustomAttribute1 -ne "mvpDL"}

    Then assign the Role and Scope to the T1 help desk.

    New-ManagementRoleAssignment -Role "Distribution Groups" -User "T1 help desk" -CustomRecipientWriteScope "NormalDL"

    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.


    Frank Wang

    TechNet Community Support

    • Marked as answer by emma.yoyo Monday, October 8, 2012 2:08 AM
    Monday, October 1, 2012 7:14 AM
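The tagging, scope and assignment steps from the answer above carried through end to end, with a check that the scope really excludes the tagged groups. This is an added example, not code from the thread; the group names "Executives" and "Payroll" are assumed, and "T1 help desk" is assumed to be a role group (hence -SecurityGroup rather than -User).

```powershell
# Added example (not from the thread). Assumed names: the two sensitive
# groups, the "T1 help desk" role group; the tag value mvpDL is from the thread.
$sensitiveGroups = @("Executives", "Payroll")   # assumed group names
$tag = "mvpDL"

# 1. Tag the sensitive groups so the scope filter can exclude them.
foreach ($g in $sensitiveGroups) {
    Set-DistributionGroup -Identity $g -CustomAttribute1 $tag
}

# 2. Create the scope: every mail-enabled universal distribution group
#    that does NOT carry the tag.
$filter = 'RecipientType -eq "MailUniversalDistributionGroup" -and CustomAttribute1 -ne "mvpDL"'
New-ManagementScope -Name "NormalDL" -RecipientRestrictionFilter $filter

# 3. Assign the built-in "Distribution Groups" role to the help-desk role
#    group, using the new scope as its custom recipient write scope.
New-ManagementRoleAssignment -Name "DL Mgmt - T1 help desk" -Role "Distribution Groups" `
    -SecurityGroup "T1 help desk" -CustomRecipientWriteScope "NormalDL"

# 4. Verify: preview which recipients the filter matches and confirm none
#    of the tagged groups appear in that list.
$inScope = Get-Recipient -RecipientPreviewFilter $filter -ResultSize Unlimited
$leaked  = $inScope | Where-Object { $sensitiveGroups -contains $_.Name }
if ($leaked) {
    Write-Warning "Sensitive groups still in scope: $($leaked.Name -join ', ')"
} else {
    Write-Output "Scope NormalDL excludes all $($sensitiveGroups.Count) tagged groups."
}

# 5. Confirm the assignee holds no OTHER assignment with a broader write
#    scope (for example via Recipient Management), which would bypass
#    this exclusion entirely.
Get-ManagementRoleAssignment -RoleAssignee "T1 help desk" -Delegating $false |
    Select-Object Name, Role, RecipientWriteScope, CustomRecipientWriteScope
```

Step 4 is worth re-running whenever a new sensitive group is created, since a group that is never tagged falls inside the scope by default.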

All replies

  • I think the easiest thing to do would be to move those sensitive groups into their own OU, and limit the Role's scope to exclude that OU.


    Friday, September 28, 2012 9:19 PM
  • You figured out what I was asking although I originally put "delete" group.. bonus points :) Anyhow, yes, that was one thing I was considering, but when I was looking at the RBAC docs for how the scope was defined it was not clear if I gave permissions on a specific OU whether that included all the OUs under it or not. I was in the process of setting up a test of that on Friday but was not able to finish. Ideally I would prefer not to do this simply because we put all of our groups in a specific structure that makes them easy to find and manage, but if it is the only way then it might be what we end up doing.

    Saturday, September 29, 2012 4:48 PM
  • Hi C-M,

    Any updates?


    Frank Wang

    TechNet Community Support

    Wednesday, October 3, 2012 1:40 AM