RBAC - How to restrict a user to creating users in a specific DB?

  • Question

  • I know how to scope an Admin to a specific OU. But when the admin creates a new mailbox, he can choose to create the mailbox on any DB in the Org. How can I restrict the admin so he can only create mailboxes in a specific DB?
    Wednesday, April 13, 2011 3:25 PM

All replies

  • This may give you some idea:

    http://www.exchangeinbox.com/article.aspx?i=159


    Anil
    Wednesday, April 13, 2011 5:24 PM
  • For example:

    New-ManagementScope -Name "Databases_ManagmentScope" -DatabaseRestrictionFilter {Name -eq "Database01" -or Name -eq "Database02"}
    New-ManagementRoleAssignment -Name "Database_RoleAssignment" -Role "Mail Recipients" -SecurityGroup "Explorers" -CustomConfigWriteScope "Databases_ManagmentScope"

    Adam Bokiniec
    • Proposed as answer by Adam.Bokiniec Thursday, April 14, 2011 11:43 AM
    Thursday, April 14, 2011 11:43 AM
  • For additional information, you can refer to the following article:

    http://technet.microsoft.com/en-us/library/dd351083.aspx

    Thanks.

    Novak Wu


    TechNet Subscriber Support in forum

    If you have any feedback on our support, please contact tngfb@microsoft.com  



    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    Friday, April 15, 2011 6:33 AM
  • Adam has provided the correct cmdlets to achieve this; only you can use the -members switch at the end. I tested this.

    New-ManagementScope -Name "Databases_ManagmentScope" -DatabaseRestrictionFilter {Name -eq "Database01" -or Name -eq "Database02"}
    New-ManagementRoleAssignment -Name "Database_RoleAssignment" -Role "Mail Recipients" -CustomConfigWriteScope "Databases_ManagmentScope" -members "UserName"


    Anil
    Friday, April 15, 2011 7:23 AM
  • Hi Eniac,

    I hope the above cmdlets worked for you. Do you have any updates?


    Anil
    Sunday, April 24, 2011 4:12 AM
  • How are things going? If there is any problem, please feel free to post it here.

    Thanks.

    Novak Wu

    Monday, April 25, 2011 8:15 AM
  • Hi Anil,

    The -members parameter is used with Add-RoleGroupMember:
    http://technet.microsoft.com/en-us/library/dd638207.aspx

    The -SecurityGroup and -User parameters are used with New-ManagementRoleAssignment:
    http://technet.microsoft.com/en-us/library/dd335193.aspx



    Adam Bokiniec
    Monday, April 25, 2011 10:56 AM
  • Hi, when I use a new user without any other role or group memberships, I get the error that the cmdlet New-Mailbox is not recognized (so it seems that the user needs more rights). Where can I see which rights are necessary?
    Tuesday, April 26, 2011 2:33 PM
  • Eniac,

    Is the AD account already created for the user? You should have the AD account already, then create the mailbox.


    Anil
    Wednesday, April 27, 2011 3:10 AM
  • The user can create a new user, but I think the right to create new mailboxes is missing. Should I add the user to the Management Recipient role on the Exchange, or can the user then create mailboxes on all DBs?
    Thursday, April 28, 2011 8:43 PM
  • Hi Eniac,

    Use the same database scope but also add the "Mail Recipient Creation" management role; that will give you the ability to use New-Mailbox. The assignment name must differ from the existing "Database_RoleAssignment", since role assignment names are unique.

    New-ManagementRoleAssignment -Name "Database_Creation_RoleAssignment" -Role "Mail Recipient Creation" -CustomConfigWriteScope "Databases_ManagmentScope" -SecurityGroup "Admin_Group_Name"

    You can also run "Get-ManagementRoleEntry "Mail Recipient Creation\*" | ft -AutoSize -Wrap" to see all cmdlets included in the Mail Recipient Creation management role.

    Good luck! 

    Thursday, April 28, 2011 8:50 PM
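The full procedure from Adam's two replies above (the database scope and "Mail Recipients" assignment, then the "Mail Recipient Creation" assignment with the same scope), collected into one script with verification steps, as an added example that is not part of the original thread. It reuses the database and group names from the thread (Database01, Database02, "Explorers"); "Database03" and the OU "contoso.com/Explorers" are assumed, hypothetical names. Run it in the Exchange Management Shell as an organization administrator.

```powershell
# Added example (not from the thread): restrict a delegated admin to creating
# and managing mailboxes only on specific databases, using Exchange 2010 RBAC.
$ScopeName = "Databases_ManagmentScope"           # scope name used in the thread
$Group     = "Explorers"                          # security group used in the thread
$Databases = @("Database01", "Database02")        # database names used in the thread

# 1. Build an OPATH filter that matches the databases by exact name.
#    {Name -like "Database01,Database02"} would only match a database literally
#    named "Database01,Database02", so join one -eq clause per database with -or.
$Filter = ($Databases | ForEach-Object { "Name -eq '$_'" }) -join " -or "
# Result: Name -eq 'Database01' -or Name -eq 'Database02'
New-ManagementScope -Name $ScopeName -DatabaseRestrictionFilter $Filter

# Confirm the scope type and filter before assigning anything to it.
Get-ManagementScope $ScopeName | Format-List Name, ScopeRestrictionType, Filter

# 2. Assign both roles the delegated admin needs, each with the database scope
#    as its configuration write scope. Assignment names must be unique, so do
#    not reuse "Database_RoleAssignment" for the second one.
#    "Mail Recipients"         -> manage existing mailboxes (Set-Mailbox, ...)
#    "Mail Recipient Creation" -> New-Mailbox / Enable-Mailbox
New-ManagementRoleAssignment -Name "Explorers_MailRecipients_DBScoped" `
    -Role "Mail Recipients" -SecurityGroup $Group -CustomConfigWriteScope $ScopeName
New-ManagementRoleAssignment -Name "Explorers_MailRecipientCreation_DBScoped" `
    -Role "Mail Recipient Creation" -SecurityGroup $Group -CustomConfigWriteScope $ScopeName

# Optional: combine with the OU scope the original poster already uses, so the
# admin is limited in both the recipients he may touch and the databases he
# may place them on (assumed OU; adjust to your own).
# New-ManagementRoleAssignment -Name "Explorers_MailRecipientCreation_OUScoped" `
#     -Role "Mail Recipient Creation" -SecurityGroup $Group `
#     -CustomConfigWriteScope $ScopeName `
#     -RecipientOrganizationalUnitScope "contoso.com/Explorers"

# 3. Review what the group can now do, and with which write scopes.
Get-ManagementRoleAssignment -RoleAssignee $Group |
    Format-Table Name, Role, CustomConfigWriteScope, RecipientWriteScope -AutoSize

# Which cmdlets and parameters the creation role actually grants.
Get-ManagementRoleEntry "Mail Recipient Creation\*" |
    Format-Table Name, Parameters -AutoSize -Wrap

# 4. Check which assignments may modify a given database. Database01 should
#    list the two scoped assignments for the group; the hypothetical Database03,
#    which is outside the scope, should list none for it.
"Database01", "Database03" | ForEach-Object {
    $db = $_
    $hits = Get-ManagementRoleAssignment -WritableDatabase $db |
        Where-Object { $_.RoleAssigneeName -eq $Group }
    "{0}: {1} assignment(s) for {2}" -f $db, @($hits).Count, $Group
}
```

As a final check, have a member of the group open the Exchange Management Shell and run New-Mailbox with -Database "Database03": the cmdlet should be refused with a scope error, while -Database "Database01" succeeds.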
  • Hi, this seems to be working, but I have this issue. The user is a domain admin in his own domain and he can't delete users in the forest (this is OK), but when the user uses the EMC he can completely remove users in other domains! Why can he do this?
    Thursday, May 5, 2011 9:10 AM