FIM ScriptBox Item

Summary

This script shows how to delegate the minimum Exchange permissions that the FIM AD MA account needs to create mailboxes.

Script Code

# This script must be run from an Exchange 2010 PS session.
[String]$aDMAAccountName = "svcfimadma";

# Create a new management role based on the existing Mail Recipients role.
New-ManagementRole `
    -Name UpdateRecipientAccess `
    -Parent "Mail Recipients";

# Remove all cmdlets from this role except Update-Recipient.
Get-ManagementRoleEntry `
    -Identity UpdateRecipientAccess\* | Where-Object {
        $_.Name -ne 'Update-Recipient'
    } | Remove-ManagementRoleEntry -Confirm:$false;

# Create a new role group (AD DS SG) and add the AD MA account as the only member.
New-RoleGroup `
    -Name "Update-Recipient-Access" `
    -Roles UpdateRecipientAccess `
    -DisplayName "Recipient Update Service Invocation" `
    -Description "Members of this role group can use the Update-Recipient cmdlet to invoke the Recipient Update Service (RUS)" `
    -Members $aDMAAccountName;
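
The following check is an added example, not part of the original ScriptBox item: it audits the delegation the script above creates and reports anything beyond the single Update-Recipient cmdlet. The variables $roleName, $roleGroupName and $findings are introduced here, and the member comparison assumes $aDMAAccountName holds the account's sAMAccountName.

```powershell
# Added example: audit the delegation created by the script above.
# Run from an Exchange 2010 PS session, like the original script.
[String]$aDMAAccountName = "svcfimadma"               # same account as above
[String]$roleName        = "UpdateRecipientAccess"    # role created above
[String]$roleGroupName   = "Update-Recipient-Access"  # role group created above
$findings = @()

# 1. The custom role must expose exactly one cmdlet: Update-Recipient.
$entries = @(Get-ManagementRoleEntry -Identity "$roleName\*")
if (-not ($entries | Where-Object { $_.Name -eq 'Update-Recipient' })) {
    $findings += "Role $roleName does not contain Update-Recipient."
}
foreach ($entry in $entries | Where-Object { $_.Name -ne 'Update-Recipient' }) {
    $findings += "Unexpected cmdlet in role ${roleName}: $($entry.Name)"
}

# 2. The role group must contain the AD MA account and nobody else.
#    Assumption: $aDMAAccountName is the account's sAMAccountName.
$members = @(Get-RoleGroupMember -Identity $roleGroupName)
if (-not ($members | Where-Object { $_.SamAccountName -eq $aDMAAccountName })) {
    $findings += "$aDMAAccountName is not a member of $roleGroupName."
}
foreach ($member in $members | Where-Object { $_.SamAccountName -ne $aDMAAccountName }) {
    $findings += "Unexpected member of ${roleGroupName}: $($member.Name)"
}

# 3. The account should hold no other management role. -RoleAssignee returns
#    assignments made directly and those inherited through groups.
$assignments = @(Get-ManagementRoleAssignment -RoleAssignee $aDMAAccountName)
foreach ($assignment in $assignments | Where-Object { [String]$_.Role -ne $roleName }) {
    $findings += "Additional role assignment to review: $($assignment.Name)"
}

if ($findings.Count -eq 0) {
    Write-Output "OK: $aDMAAccountName is limited to Update-Recipient."
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

Running the check again after any later change to the role or role group shows whether the account's Exchange rights have grown beyond Update-Recipient.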

 

Note
To provide feedback about this script, create a post on the FIM TechNet Forum.
For more FIM related Windows PowerShell scripts, see the FIM ScriptBox.

 


