
Configuring Exchange Server 2010 for Split Permissions

To implement a split permissions model, the Mail Recipient Creation and Security Group Creation and Membership roles must be assigned to a newly created role group. This role group contains users who are AD admins. Then, the assignments between those roles and any role group or universal security group (USG) that contains Exchange Server admins must be removed.

To perform this task using the Exchange Management Shell, perform the following steps. The Exchange Management Shell command for each step is shown on the line below it.

  1. Create a new role group for the AD admins and create regular role assignments between the new role group and the Mail Recipient Creation and Security Group Creation and Membership roles.
    New-RoleGroup "Active Directory Administrators" -Roles "Mail Recipient Creation", "Security Group Creation and Membership"
  2. Create a delegating role assignment between the new role group and the Mail Recipient Creation role.
    New-ManagementRoleAssignment "Mail Recipient Creation_AD Administrators_Delegating" -Role "Mail Recipient Creation" -SecurityGroup "Active Directory Administrators" -Delegating
  3. Create a delegating role assignment between the new role group and the Security Group Creation and Membership role.
    New-ManagementRoleAssignment "Security Group Creation and Membership_AD Administrators_Delegating" -Role "Security Group Creation and Membership" -SecurityGroup "Active Directory Administrators" -Delegating
  4. Add the Active Directory admins to the new role group.
    Add-RoleGroupMember "Active Directory Administrators" -Member <user to add>
  5. Replace the delegate list on the new role group so that only members of the role group can add or remove members:
    Set-RoleGroup "Active Directory Administrators" -ManagedBy "Active Directory Administrators"
    Note: Individuals who are members of the Organization Management role group, or those assigned the Role Management role either directly or indirectly, can bypass this security check. To prevent Exchange Server administrators from adding themselves to the new role group, the role assignment between the Role Management role and any Exchange Server administrator must be removed and assigned to another group.
  6. Find all the regular and delegating role assignments to the Mail Recipient Creation role.
    Get-ManagementRoleAssignment -Role "Mail Recipient Creation"
  7. Remove all the regular and delegating role assignments to the Mail Recipient Creation role that aren't associated with the new role group or any other role groups, USGs, or direct assignments that will remain.
    Remove-ManagementRoleAssignment <Mail Recipient Creation role assignment to remove>
  8. Find all of the regular and delegating role assignments to the Security Group Creation and Membership role.
    Get-ManagementRoleAssignment -Role "Security Group Creation and Membership"
  9. Remove all the regular and delegating role assignments to the Security Group Creation and Membership role that aren't associated with the new role group or any other role groups, USGs, or direct assignments you want to keep.
    Remove-ManagementRoleAssignment <Security Group Creation and Membership role assignment to remove>
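After steps 6 through 9, the following audit script (an added example, not part of the original page or Microsoft's documentation) verifies the resulting split-permissions state: it lists every assignment of the two roles, marks any that are not held by the new role group, dry-runs their removal with -WhatIf, and reports who holds the Role Management role, since those holders can bypass the ManagedBy restriction described in the note above. It assumes an Exchange Management Shell session on Exchange Server 2010 and the role group name used in the procedure.

```powershell
# Added audit script for the split-permissions procedure (not the page's own code).
# Assumes an Exchange 2010 Management Shell session and the group name from step 1.
$adAdminGroup = "Active Directory Administrators"
$splitRoles   = @("Mail Recipient Creation", "Security Group Creation and Membership")

foreach ($role in $splitRoles) {
    Write-Host "== Assignments for role '$role' =="
    $assignments = Get-ManagementRoleAssignment -Role $role

    foreach ($a in $assignments) {
        # Anything not assigned to the AD admin role group breaks the split model.
        $keep = ($a.RoleAssigneeName -eq $adAdminGroup)
        $tag  = if ($keep) { "KEEP  " } else { "REMOVE" }
        "{0} {1,-12} {2,-30} {3}" -f $tag, $a.RoleAssignmentDelegationType, $a.RoleAssigneeName, $a.Name
    }

    # Dry run only: shows what step 7 / step 9 would remove. Replace -WhatIf with
    # -Confirm:$false only after reviewing the list above and confirming that no
    # assignment you intend to keep is marked REMOVE.
    $assignments |
        Where-Object { $_.RoleAssigneeName -ne $adAdminGroup } |
        Remove-ManagementRoleAssignment -WhatIf
}

# Holders of Role Management (directly or through a role group) can re-create these
# assignments or add themselves to the AD admin group, so report them for review.
Write-Host "== Holders of 'Role Management' (can bypass the ManagedBy restriction) =="
Get-ManagementRoleAssignment -Role "Role Management" |
    Select-Object Name, RoleAssigneeType, RoleAssigneeName, RoleAssignmentDelegationType |
    Format-Table -AutoSize

# Confirm step 5: the role group's delegate list should contain only itself.
$group = Get-RoleGroup $adAdminGroup
Write-Host ("ManagedBy for '$adAdminGroup': " + ($group.ManagedBy -join ", "))
```

Run it again after the removals to confirm that every line for the two roles reads KEEP and that the Role Management list contains only the group you intend.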

Benefits of RBAC

One of the goals that Microsoft worked toward with the design and creation of Exchange Server 2010 is the capability to decrease support costs. Early in the process, it realized that one way to significantly reduce the administrative overhead in an environment was to empower users to perform specific tasks for themselves, rather than go through the time-consuming and resource-intensive process of requesting assistance to complete relatively minor changes.

Granting users the administrative rights to perform certain low-level tasks, while still preventing them from accessing (and potentially damaging) configuration settings that could impact the entire organization was extremely difficult, if not impossible, using the ACL-based model of previous Exchange Server versions.

Now with RBAC, employees can be given permission to track the status of messages that they have sent, create and manage their own distribution lists, and update certain aspects of their account information.

RBAC focuses on the effective and efficient distribution of administrative permissions. In previous versions of Exchange Server, granting help desk personnel (for example) the ability to create new mailboxes in one site gave them (by default) the ability to create new mailboxes anywhere in the environment. Locking down these permissions to one specific site was time-consuming and complicated, and there were many different scenarios that had to be identified, evaluated, and resolved before administrators could be sure they had matched the appropriate personnel with the appropriate access.

Another example of the benefits of RBAC is in the area of eDiscovery: granting permissions to a group of users (such as members of the HR department) to view the contents of a particular set of mailboxes (such as those located in the Marketing OU).

Using RBAC, administrators can grant the necessary access to allow the members of the HR department to review the mailboxes of the Marketing users but not those in sales (located in another OU).

These permissions can easily be delegated using RBAC for the duration of the discovery period and then removed until needed again.

Note:
When creating a new OU in a Windows 2008 Active Directory environment, you might notice a new and welcome feature; when naming the OU, the option to Protect Container from Accidental Deletion is present and automatically selected. This places an explicit Deny permission on the object for the group "everyone," preventing accidental deletion of the object. To remove this (for intentional deletion), go to Active Directory Users and Computers, select View \ Advanced Features; then view the properties of the OU. Under the Object tab, you can see the Protect Object from Accidental Deletion check box and de-select it.