MSExchangeGuru.com

Learn Exchange the Guru way !!!

 

Creating an RBAC group with access to Enable/Disable Active Sync and Wipe Mobile Device

Here in the below scenario, we need to restrict the helpdesk to only have permission to Enable and disable active sync for mailbox and wipe mobile device of users.

Steps to be followed:

Create a new management role “ActiveSync”. We have used “Organization Client Access” as parent role for the creation of this management role.

New-ManagementRole -Name “ActiveSync” -Parent “Organization Client Access”

Organization Client Access role will give access even to manage the client access array which is not preferable , So we need to remove the role entries other than Set-CASMailbox from the role “ActiveSync”

Get-ManagementRoleEntry “ActiveSync\*” | ? {$_.Name –ne “Set-CASMailbox”} | Remove-ManagementRoleEntry

Now we need to add few more role entries to make this role capable of creating and removing mailboxes through Exchange Management Console.

Add-ManagementRoleEntry “ActiveSync\Get-ActiveSyncDeviceAccessRule”

Add-ManagementRoleEntry “ActiveSync\Get-ActiveSyncDeviceClass”

Add-ManagementRoleEntry “ActiveSync\Get-ActiveSyncOrganizationSettings”

Add-ManagementRoleEntry “ActiveSync\Get-AuthRedirect”

Add-ManagementRoleEntry “ActiveSync\Get-CASMailbox”

Add-ManagementRoleEntry “ActiveSync\Get-ClientAccessArray”

Add-ManagementRoleEntry “ActiveSync\Get-OutlookProvider”

Add-ManagementRoleEntry “ActiveSync\Get-RpcClientAccess”

Add-ManagementRoleEntry “ActiveSync\Remove-ActiveSyncDeviceAccessRule”

Add-ManagementRoleEntry “ActiveSync\Set-ActiveSyncDeviceAccessRule”

Add-ManagementRoleEntry “ActiveSync\Set-CASMailbox”

Add-ManagementRoleEntry “ActiveSync\Write-AdminAuditLog”

Now we need to create a new Role group. So that we can add required helpdesk administrator to this role group.

New-RoleGroup “ActiveSync Enable Wipe” -Roles “ActiveSync”

Set-CASMailbox role entry in Organization Client Access role will not have the parameter to enable and disable the active sync . So that we need to create new role “MailboxManagement” with having “Mail Recipients” as its parent role.

New-ManagementRole -Name “MailboxManagement” -Parent “Mail Recipients”

Now we need to remove the unwanted roles entries from MailboxManagement and having only Set-CASMailbox

Get-ManagementRoleEntry “MailboxManagement\*” | where {$_.name -ne “Set-CASMailbox”} | Remove-ManagementRoleEntry

Now we need to add the required roles entries to MailboxManagement

Add-ManagementRoleEntry “MailboxManagement\Get-User”

Add-ManagementRoleEntry “MailboxManagement\Get-Mailbox”

Add-ManagementRoleEntry “MailboxManagement\Get-CASMailbox”

Add-ManagementRoleEntry “MailboxManagement\Get-Recipient”

Add-ManagementRoleEntry “MailboxManagement\Set-Mailbox”

Add-ManagementRoleEntry “MailboxManagement\Get-ActiveSyncDeviceStatistics”

Add-ManagementRoleEntry “MailboxManagement\Clear-ActiveSyncDevice”

Add-ManagementRoleEntry “MailboxManagement\Remove-ActiveSyncDevice”

Now we need to add the new management role MailboxManagement to “ActiveSync Enable Wipe” Role Group.

New-ManagementRoleAssignment –Role “MailboxManagement” –SecurityGroup “ActiveSync Enable Wipe”

Ratish Nair

Microsoft MVP | Exchange Server

Team @MSExchangeGuru.com

6 Responses to “Creating an RBAC group with access to Enable/Disable Active Sync and Wipe Mobile Device”

  1. Mark H Says:

    Thanks for posting, this worked as intended for our environment, but ..
    Our RBAC group also wants to be able to set\edit the Exchange ActiveSync device policy for each mailbox though.
    Using the above it automatically applies the default ActiveSync device policy and does not allow it to be changed (“Access Denied”)
    Any help with the changes required to enable this (without enabling editing of other mailbox settings) ?
    Thanks
    Mark.

  2. Joe Says:

    When clicking save after pressing wipe, we get a access denied error.

  3. Luis Padilla Says:

    Any idea on why we get an Access denied error after pressing save?

  4. Lisa R Says:

    Great post! Thanks. The one thing still enabled on my role that I wish to remove is mailtips- any idea how to remove that feature for this role?

  5. Prabhat Nigam Says:

    @Lisa – Please check the steps here
    http://technet.microsoft.com/en-us/library/dd638109(v=exchg.141).aspx

  6. Prabhat Nigam Says:

    you might not have permissions to update it or you lost the connection to the Domain controller.

Leave a Reply

ad

Categories

Archives