Finding Current Split Permission


  • Hi!

    If I walk into an Exchange organization with enough rights, how can I quickly find out whether it is based on shared permissions, AD split permissions or RBAC split permissions?

    Maybe one method is digging into users' groups and roles (which may have been manipulated and changed), or maybe testing some cmdlets and ...

    Anyway, is there any quick way, like viewing an option or running a command, to find that out?


    June 9, 2012 7:49


All replies

  • Hi,

    There is no way to determine if Exchange is installed using split permissions or not.

    The best way will be to dig into RBAC and check the roles and the permissions which are delegated to these roles.

    Split permissions means that Exchange is installed and basically configured to separate the administration of Active Directory user accounts from the administration of mailboxes for those users. But it is implemented by Role Based Access Control (RBAC). You will find further information about RBAC and how to configure roles and permissions

    regards Thomas Paetzold visit my blog on:

    June 9, 2012 8:16
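    The "dig into RBAC" approach above, as an added example that is not code from this thread. It is written for the Exchange 2010 SP1 (or later) Exchange Management Shell and assumes the caller can read RBAC and group objects. It uses the two artefacts that the three models leave behind: AD split permissions removes Exchange Trusted Subsystem from the Exchange Windows Permissions group and leaves the Mail Recipient Creation and Security Group Creation and Membership roles unassigned, while RBAC split keeps the group membership and moves those roles from the built-in role groups to a dedicated one. The second function then traces which roles contain a cmdlet and whether any assignment of those roles actually reaches a given user, which is the question behind a "term is not recognized" error for New-Mailbox. The function and variable names are my own choices.

```powershell
# Added example (not from the thread). Run in the Exchange Management Shell.
# Assumes Exchange 2010 SP1+ and an account that can read RBAC and group objects.

function Get-ExchangePermissionModel {
    # Setup with /ActiveDirectorySplitPermissions:true leaves Exchange Trusted
    # Subsystem out of Exchange Windows Permissions, which is what stops Exchange
    # from writing security principals into the domain partition.
    $ewp      = Get-Group 'Exchange Windows Permissions'
    $etsInEwp = [bool]($ewp.Members | Where-Object { $_.Name -eq 'Exchange Trusted Subsystem' })

    # The two roles that create security principals. Shared permissions assigns
    # them to the built-in role groups, RBAC split moves them to a dedicated
    # role group, AD split leaves them with no assignment at all.
    $creationRoles = 'Mail Recipient Creation', 'Security Group Creation and Membership'
    $holders = @()
    foreach ($role in $creationRoles) {
        Get-ManagementRoleAssignment -Role $role -Delegating $false |
            ForEach-Object { $holders += $_.RoleAssigneeName }
    }
    $holders      = @($holders | Sort-Object -Unique)
    $builtIn      = 'Organization Management', 'Recipient Management'
    $builtInHolds = @($holders | Where-Object { $builtIn -contains $_ }).Count -gt 0

    if (-not $etsInEwp -and $holders.Count -eq 0) { $model = 'ActiveDirectorySplit' }
    elseif ($etsInEwp -and $builtInHolds)          { $model = 'Shared' }
    elseif ($etsInEwp -and $holders.Count -gt 0)   { $model = 'RbacSplit' }
    else                                            { $model = 'Custom (inspect manually)' }

    New-Object PSObject -Property @{
        Model                                = $model
        TrustedSubsystemInWindowsPermissions = $etsInEwp
        CreationRoleHolders                  = $holders
    }
}

function Trace-CmdletAccess {
    param(
        [string]$Cmdlet = 'New-Mailbox',
        [string]$User   = $env:USERNAME
    )
    # Normalise to the Name that -GetEffectiveUsers reports.
    $userName = (Get-User $User).Name
    $rows = @()
    # Every role whose entries include the cmdlet, then every regular assignment
    # of that role expanded to the users it really reaches (role group members
    # included). No row with Assigned = True means the cmdlet is never loaded
    # into the user's remote session, hence "not recognized".
    foreach ($role in (Get-ManagementRole -Cmdlet $Cmdlet)) {
        $reaching = @(Get-ManagementRoleAssignment -Role $role.Name -Delegating $false -GetEffectiveUsers |
            Where-Object { $_.EffectiveUserName -eq $userName })
        $rows += New-Object PSObject -Property @{
            Role     = $role.Name
            Assigned = ($reaching.Count -gt 0)
            Via      = (($reaching | ForEach-Object { $_.RoleAssigneeName } | Sort-Object -Unique) -join ', ')
        }
    }
    $rows
}

Get-ExchangePermissionModel | Format-List
Trace-CmdletAccess -Cmdlet 'New-Mailbox' -User 'Administrator' | Format-Table Role, Assigned, Via -AutoSize
```

    A model of "Custom" means someone has already edited the default assignments by hand, which is exactly the manipulated state the question worries about; read the CreationRoleHolders list before trusting the classification. RBAC changes only apply to new shell sessions, so rerun the trace from a freshly opened Exchange Management Shell after changing anything.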
  • Thanks.

    I knew that.

    I am using the split model, but I'd like to know whether it is AD split permissions or RBAC.

    Anyway, I changed it to RBAC (so it seems to have been AD).

    But again I cannot create a mailbox.

    As the link says, in the AD split model the user should be created in AD and then mailbox-enabled.

    But now I am in RBAC and the user I logged on with (administrator) is a member of Exchange Organization and Mail Recipients, but again the "New-Mailbox" cmdlet is not available!

    June 9, 2012 8:47
  • I certainly read those but did not find my answer.

    As you see, it says:

    With Active Directory split permissions, the creation of security principals in the Active Directory domain partition, such as mailboxes and distribution groups, must be performed using Active Directory management tools

    So I moved to RBAC in order to be able to create a user and his mailbox in EMC with the administrator user, which is a member of Organization Management (not to first go to ADUC and create the user and then enable it in EMC).

    But again I am not able to!

    Is there anything wrong, or have I misunderstood and can this situation only be achieved in the shared permission model?

    June 9, 2012 9:49
  • I think you made a mistake.

    This is the link to this post itself :D

    June 9, 2012 10:38
  • Sorry, but it did not work again! I tried this time on my Mailbox server,

    and I think it was predictable:

    when I cannot create it on my Hub/CAS server, I cannot do that on any other Exchange server, including the Mailbox server.

    Again the same error:

    Summary: 1 item(s). 0 succeeded, 1 failed.
    Elapsed time: 00:00:00


    The term 'New-Mailbox' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.

    Exchange Management Shell command attempted:
    New-Mailbox -Name 'Test' -Alias 'Test' -UserPrincipalName '' -SamAccountName 'Test' -FirstName 'Test' -Initials '' -LastName '' -Password 'System.Security.SecureString' -ResetPasswordOnNextLogon $false

    Elapsed Time: 00:00:00

    Maybe I am misunderstanding RBAC split mode.

    It seems that in neither AD split mode nor RBAC split mode can we use the New-Mailbox command, and the user should first be created in AD.

    If this is true, it is bad.

    June 9, 2012 11:46

  • The following information is available in the above article.

    I think you selected the split permission model when you installed Exchange 2010 (it was a check box during installation).

    You need to follow the instructions for "Switch from RBAC split permissions to shared permissions".

    Try the article below: Configure Exchange 2010 for Shared Permissions.

    You would need to create accounts in ADUC first and then use the command Enable-Mailbox to give an account a mailbox.


    June 9, 2012 12:59
  • OK.

    I did that.

    I changed to shared permissions and now I have the New-Mailbox command and it is OK.

    But what I wanted to test and implement was RBAC. I do not want AD admins and delegated users to do anything in Exchange.

    As a matter of fact, in our organization Exchange admins are the main people. They should be able to create users and mailboxes,

    but AD admins should just create users and do some domain partition changes like user creation, groupings and ...

    Shouldn't I use RBAC for that?

    Or maybe I should use RBAC but make some modifications in groups (both in AD and Exchange role groups)??

    June 9, 2012 13:04
  • Hi,

    Yes, you should use RBAC (or perhaps check the default configuration of RBAC), because this technology is the only one that grants permissions to users in order to administer mailboxes.

    regards Thomas Paetzold visit my blog on:

    June 11, 2012 15:57
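    The RBAC adjustment the thread ends on, as an added example that is not code from this thread or from Microsoft's documentation. It performs the shared-to-RBAC-split change with Exchange 2010 SP1 cmdlets: the two roles that create security principals are moved out of Organization Management and Recipient Management into one dedicated role group, and that group gets a delegating assignment so its members can manage its own membership. The role group name, the member account and the $ExecuteChanges switch are my own placeholders; nothing is removed until the switch is set. Run it in the Exchange Management Shell as a member of Organization Management.

```powershell
# Added example (not from the thread). Exchange 2010 SP1+ Exchange Management Shell.
# Placeholders: role group name, member list. Runs read-only unless $ExecuteChanges = $true.
$ExecuteChanges = $false
$adAdminGroup   = 'AD Administrators'          # hypothetical name
$adAdmins       = @('contoso\alice')           # placeholder member(s)
$creationRoles  = 'Mail Recipient Creation', 'Security Group Creation and Membership'
$builtIn        = 'Organization Management', 'Recipient Management'

# 1. Show who can create security principals today, so the change is reviewable.
foreach ($role in $creationRoles) {
    Get-ManagementRoleAssignment -Role $role |
        Format-Table Role, RoleAssigneeName, RoleAssignmentDelegationType, Enabled -AutoSize
}

if ($ExecuteChanges) {
    # 2. Create the role group that will own both roles (regular assignments are
    #    created by New-RoleGroup from -Roles).
    if (-not (Get-RoleGroup $adAdminGroup -ErrorAction SilentlyContinue)) {
        New-RoleGroup -Name $adAdminGroup -Roles $creationRoles -Members $adAdmins
    }
    # 3. Delegating assignments let the group's members add or remove members of
    #    this group later; without them only the Organization Management
    #    delegating assignments removed in step 4 could do that.
    foreach ($role in $creationRoles) {
        New-ManagementRoleAssignment -Role $role -SecurityGroup $adAdminGroup -Delegating
    }
    # 4. Remove regular AND delegating assignments of both roles from the
    #    built-in role groups. After this, Exchange admins who are only in
    #    Organization Management lose New-Mailbox and must use Enable-Mailbox on
    #    a user that AD admins created, which is the behaviour RBAC split defines.
    foreach ($role in $creationRoles) {
        foreach ($group in $builtIn) {
            Get-ManagementRoleAssignment -Role $role -RoleAssignee $group -ErrorAction SilentlyContinue |
                Remove-ManagementRoleAssignment -Confirm:$false
        }
    }
    # 5. Verify: only the new role group should remain for both roles.
    foreach ($role in $creationRoles) {
        Get-ManagementRoleAssignment -Role $role |
            Format-Table Role, RoleAssigneeName, RoleAssignmentDelegationType -AutoSize
    }
}
```

    The caveat for the requirement stated in the thread: an account that must run New-Mailbox after this change has to be a member of the new role group, not only of Organization Management, and has to open a fresh shell session to pick up the assignment. If the intent is instead that Exchange admins create both the user and the mailbox while AD admins stay out of Exchange, that is the shared model with AD admins simply kept out of the Exchange role groups, and this script should not be run.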