Asked by:
RBAC - How to restrict User to create users in specific DB?

Question

I know how to scope an Admin to a specific OU. But when the admin creates a new mailbox he can choose to create the mailbox on every DB in the Org. How can I restrict the admin so he can only create mailboxes in a specific DB?
Wednesday, April 13, 2011 3:25 PM
All replies

Wednesday, April 13, 2011 5:24 PM
For example:
New-ManagementScope -Name "Databases_ManagmentScope" -DatabaseRestrictionFilter {Name -eq "Database01" -or Name -eq "Database02"}
New-ManagementRoleAssignment -Name "Database_RoleAssignment" -Role "Mail Recipients" -SecurityGroup "Explorers" -CustomConfigWriteScope "Databases_ManagmentScope"
Adam Bokiniec
Proposed as answer by Adam.Bokiniec Thursday, April 14, 2011 11:43 AM

Thursday, April 14, 2011 11:43 AM
As for additional information, you can refer to the following article:
http://technet.microsoft.com/en-us/library/dd351083.aspx
Thanks.
Novak Wu
TechNet Subscriber Support in forum
If you have any feedback on our support, please contact tngfb@microsoft.com
Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
Friday, April 15, 2011 6:33 AM
Adam has provided the correct cmdlet to achieve this, only you can use the -members switch at the end. I tested this.
New-ManagementScope -Name "Databases_ManagmentScope" -DatabaseRestrictionFilter {Name -eq "Database01" -or Name -eq "Database02"}
New-ManagementRoleAssignment -Name "Database_RoleAssignment" -Role "Mail Recipients" -CustomConfigWriteScope "Databases_ManagmentScope" -members "UserName"
Anil
Friday, April 15, 2011 7:23 AM
Hi Eniac,
I hope the above cmdlet worked for you. Do you have any updates?
Anil
Sunday, April 24, 2011 4:12 AM
How is thing going on? If there is any problem, please feel free to post it here.
Thanks.
Novak Wu
TechNet Subscriber Support in forum
Monday, April 25, 2011 8:15 AM
Adam has provided the correct cmdlet to achieve this, only you can use the -members switch at the end. I tested this.
New-ManagementScope -Name "Databases_ManagmentScope" -DatabaseRestrictionFilter {Name -eq "Database01" -or Name -eq "Database02"}
New-ManagementRoleAssignment -Name "Database_RoleAssignment" -Role "Mail Recipients" -CustomConfigWriteScope "Databases_ManagmentScope" -members "UserName"
Anil

Hi Anil,
The "-Members" parameter is used with "Add-RoleGroupMember":
http://technet.microsoft.com/en-us/library/dd638207.aspx
The "-SecurityGroup" and "-User" parameters are used with "New-ManagementRoleAssignment":
http://technet.microsoft.com/en-us/library/dd335193.aspx
Adam Bokiniec
Monday, April 25, 2011 10:56 AM
Hi, when I use a new user without any other role and group memberships, I get the error that the cmdlet New-Mailbox is not recognized (so it seems that the user needs more rights). Where can I see which rights are necessary?
Tuesday, April 26, 2011 2:33 PM
Eniac,
Is the AD account already created for the user? You should have the AD account already, then create the mailbox.
Anil
Wednesday, April 27, 2011 3:10 AM
The user can create new users, but I think the right to create new mailboxes is missing. Should I add the user to the Management Recipient role on the Exchange, or can the user then create mailboxes on all DBs?
Thursday, April 28, 2011 8:43 PM
Hi Eniac,
Use the same database scope but also add the "Mail Recipient Creation" management role; that will give you the ability to use "New-Mailbox":
New-ManagementRoleAssignment -Name "Database_RoleAssignment" -Role "Mail Recipient Creation" -CustomConfigWriteScope "Databases_ManagmentScope" -SecurityGroup "Admin_Group_Name"
You can also type the following to see all cmdlets included in the Mail Recipient Creation management role:
Get-ManagementRoleEntry "Mail Recipient Creation\*" | ft -AutoSize -Wrap
Good luck!
Thursday, April 28, 2011 8:50 PM
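The pieces from the replies above, put together as one Exchange Management Shell script (an added example, not code from any of the posters): the database scope with each database name compared individually, a role group as the assignee, both roles assigned against that scope, and the OU scope from the original question applied to the same assignments so the admin's recipient writes are bounded too. The group name, member account, OU and database names are assumed placeholders.

```powershell
# Added example, not from the thread. Run in the Exchange Management Shell.
# Assumed placeholder values: group, member account, OU and database names.
$ScopeName  = "Databases_ManagmentScope"
$GroupName  = "Explorers"
$Member     = "contoso\branchadmin"          # assumed delegated admin account
$DelegateOU = "contoso.com/Branch Users"     # assumed OU the admin may manage
$Roles      = "Mail Recipients", "Mail Recipient Creation"

# 1. Configuration write scope limited to two databases.
#    Compare each name; a single -Like "Database01,Database02" pattern matches nothing.
New-ManagementScope -Name $ScopeName `
    -DatabaseRestrictionFilter { Name -eq "Database01" -or Name -eq "Database02" }

# 2. Role group that holds the delegated admins (the assignee for both roles).
New-RoleGroup -Name $GroupName -Members $Member

# 3. Assign both roles to the group, each bounded by the database scope (which
#    databases a mailbox may land on) and by the OU (which recipients may be touched).
foreach ($Role in $Roles) {
    New-ManagementRoleAssignment -Name "${GroupName}-${Role}" -Role $Role `
        -SecurityGroup $GroupName `
        -CustomConfigWriteScope $ScopeName `
        -RecipientOrganizationalUnitScope $DelegateOU
}

# 4. Check: every assignment for the group should list the custom config scope
#    and an OU recipient write scope, nothing organization-wide.
Get-ManagementRoleAssignment -RoleAssignee $GroupName |
    Format-Table Name, Role, CustomConfigWriteScope, RecipientWriteScope -AutoSize

# 5. Confirm New-Mailbox is actually granted by one of the assigned roles.
Get-ManagementRoleEntry "Mail Recipient Creation\New-Mailbox" |
    Format-Table Role, Name -AutoSize
```

If step 4 shows an assignment without the custom config scope, that assignment (not the scope) is what lets the admin pick any database.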
Hi, this seems to be working, but I have this issue. The user is a domain admin in his own domain and he can't delete users in the forest (this is ok), but when the user uses the EMC he can completely remove users in other domains! Why can he do this?
Thursday, May 5, 2011 9:10 AM