Here are some handy RBAC cmdlets to help you build your own custom role groups, role assignments and so on. When you design RBAC groups, pay attention to your naming convention so that the groups, roles and role assignments make sense together. Each role group you create is stored in the "Microsoft Exchange Security Groups" container at the root of the forest/domain, and members can also be added to these security groups with the Active Directory Users and Computers snap-in, so you need a plan to secure these groups. It is a good idea to tick the "Protect object from accidental deletion" box for them.
#List all Management Roles
Get-ManagementRole
#List all role entries within a given Management Role
Get-ManagementRoleEntry "View-Only Recipients\*"
Note: as you have noticed, a user can run any of these cmdlets only if the user is assigned to a role group whose assigned role contains the matching management role entry (Role Group = Assigned Role = ManagementRoleEntry).
Here is a simple snapshot to digest the relationship:
#Create a new Role from an existing Parent Role
New-ManagementRole "HelpDesk Permissions" -Parent "View-Only Recipients"
#Remove all Role Entries except the selected one
Get-ManagementRoleEntry "HelpDesk Permissions\*" | Where-Object {$_.Name -ne "Get-User"} | Remove-ManagementRoleEntry -Confirm:$False
#List the entries left in the Management Role
Get-ManagementRoleEntry "HelpDesk Permissions\*"
#Add an additional cmdlet to the Management Role if needed (it must exist in the parent role)
Add-ManagementRoleEntry "HelpDesk Permissions\Get-MailboxPermission"
#List the Management Role entries again to verify the desired cmdlet is assigned to it
Get-ManagementRoleEntry "HelpDesk Permissions\*"
#Create a new Role Group
New-RoleGroup "HelpDesk 1.5"
#Add a Role assignment to the Role Group
New-ManagementRoleAssignment -SecurityGroup "HelpDesk 1.5" -Role "HelpDesk Permissions"
#Add a member to the Role Group
Add-RoleGroupMember "HelpDesk 1.5" -Member C-Ron.Buzon
#List the members of the Role Group
Get-RoleGroupMember "HelpDesk 1.5"
#Remove a member from the desired Role Group
Remove-RoleGroupMember "HelpDesk 1.5" -Member C-Ron.Buzon
#Find the desired user and list all the Roles that are effective for that user
Get-ManagementRoleAssignment -GetEffectiveUsers | Where-Object {$_.EffectiveUserName -eq "Administrator"} | Select-Object Role
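The steps above, put together as one script that builds a least-privilege help-desk role group, verifies what its members can actually run, and then protects the underlying AD security group as the introduction recommends. This is an added example, not code from the original post: the role name "HelpDesk Permissions", the role group "HelpDesk 1.5", the member alias, and the allow-list of cmdlets are assumptions, and the last step assumes the ActiveDirectory module is available in the Exchange Management Shell session.

```powershell
# Added example (not from the original post). Run in the Exchange Management Shell
# as a member of Organization Management. All names below are assumptions.
$RoleName      = "HelpDesk Permissions"
$ParentRole    = "View-Only Recipients"
$RoleGroupName = "HelpDesk 1.5"
$Member        = "C-Ron.Buzon"                          # placeholder alias
$KeepEntries   = @("Get-User", "Get-MailboxPermission")  # assumed allow-list

# 1. Derive the custom role from a built-in parent. A child role can only hold a
#    subset of its parent's entries, so start from the narrowest parent that fits.
if (-not (Get-ManagementRole -Identity $RoleName -ErrorAction SilentlyContinue)) {
    New-ManagementRole -Name $RoleName -Parent $ParentRole | Out-Null
}

# 2. Deny by default: strip every entry that is not on the allow-list.
Get-ManagementRoleEntry "$RoleName\*" |
    Where-Object { $KeepEntries -notcontains $_.Name } |
    Remove-ManagementRoleEntry -Confirm:$false

# 3. Add back allow-listed entries the parent had but step 2 may have removed in an
#    earlier run. An entry can only be added if it exists in the parent role.
foreach ($entry in $KeepEntries) {
    if (-not (Get-ManagementRoleEntry "$RoleName\$entry" -ErrorAction SilentlyContinue)) {
        Add-ManagementRoleEntry "$RoleName\$entry"
    }
}

# 4. Create the role group with the role and member attached in one call; if the
#    group already exists, just add the assignment and the member.
if (-not (Get-RoleGroup -Identity $RoleGroupName -ErrorAction SilentlyContinue)) {
    New-RoleGroup -Name $RoleGroupName -Roles $RoleName -Members $Member | Out-Null
} else {
    New-ManagementRoleAssignment -SecurityGroup $RoleGroupName -Role $RoleName | Out-Null
    Add-RoleGroupMember -Identity $RoleGroupName -Member $Member
}

# 5. Verify the result from two angles: what the role allows, and who is effectively
#    granted it (nested group membership is expanded by -GetEffectiveUsers).
Write-Host "Entries in ${RoleName}:"
Get-ManagementRoleEntry "$RoleName\*" | Select-Object Name | Format-Table -AutoSize
Write-Host "Effective users of ${RoleName}:"
Get-ManagementRoleAssignment -Role $RoleName -GetEffectiveUsers |
    Select-Object EffectiveUserName, RoleAssigneeName | Format-Table -AutoSize

# 6. The role group is an AD universal security group under
#    "Microsoft Exchange Security Groups"; anyone with write access there can add
#    members outside Exchange. Protect it from deletion and review its members.
Import-Module ActiveDirectory
$dn = (Get-RoleGroup -Identity $RoleGroupName).DistinguishedName
Set-ADObject -Identity $dn -ProtectedFromAccidentalDeletion $true
Write-Host "AD members of ${RoleGroupName} (compare with Get-RoleGroupMember):"
Get-ADGroupMember -Identity $dn | Select-Object SamAccountName | Format-Table -AutoSize
```

Step 5 is the check worth keeping as a scheduled task: comparing the effective-user list against the expected membership is how you catch someone who was added through the AD snap-in rather than through Add-RoleGroupMember.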
Respectfully,
Oz Casey, Dedeal (MVP North America)
MCITP (EMA), MCITP (SA)
MCSE 2003, M+, S+, MCDST
Security+, Project +, Server +
http://smtp25.blogspot.com/ (Blog)
http://telnet25.wordpress.com/ (Blog)