MSExchangeGuru.com


Creating an RBAC group with access to Grant mailbox access ONLY

In the scenario below, we need to restrict the helpdesk so that the only permission it holds is granting mailbox access to other users.

Steps to be followed:

Create a new management role named "Mailbox delegation Permission". We use the built-in "Mail Recipients" role as the parent of this new management role.

New-ManagementRole -Name "Mailbox delegation Permission" -Parent "Mail Recipients"

Now we need to remove all the cmdlets from the newly created role and keep only the mailbox permission assignment entry. The command below removes every role entry from the new management role except Add-MailboxPermission.

Get-ManagementRoleEntry "Mailbox delegation Permission\*" | Where {$_.Name -ne "Add-MailboxPermission"} | Remove-ManagementRoleEntry

The Add-MailboxPermission role entry is enough to grant mailbox access through the Exchange Management Shell, but to grant access through the Exchange Management Console we need to add a few more role entries to this role, as follows.

Add-ManagementRoleEntry "Mailbox delegation Permission\Get-MailboxPermission"

Add-ManagementRoleEntry "Mailbox delegation Permission\Get-Mailbox"

Add-ManagementRoleEntry "Mailbox delegation Permission\Get-Recipient"

Add-ManagementRoleEntry "Mailbox delegation Permission\Set-Mailbox"

Add-ManagementRoleEntry "Mailbox delegation Permission\Get-SecurityPrincipal"

Add-ManagementRoleEntry "Mailbox delegation Permission\Remove-MailboxPermission"

Now we need to create a new role group, so that we can add the required helpdesk administrators to it.

New-RoleGroup "Mailbox delegation Permission" -Roles "Mailbox delegation Permission"

In order to let the helpdesk grant Send As access on a mailbox to users, we need to assign the additional role "Active Directory Permissions" to this role group.

New-ManagementRoleAssignment -Role "Active Directory Permissions" -SecurityGroup "Mailbox delegation Permission"

Now we add the helpdesk members to the newly created role group, so that they are able to assign mailbox permissions. Use the command below to do so.

Add-RoleGroupMember "Mailbox delegation Permission" -Member HelpdeskUser1

As a final step, we can test by asking a helpdesk engineer who is a member of the new role group (test3 in this example) to run the command below, which assigns Full Access on the mailbox of user test2 to user test1.

Add-MailboxPermission "test2" -User "test1" -AccessRights FullAccess

To view the members of the role group, we can use the cmdlet below:

Get-RoleGroupMember -Identity "Mailbox delegation Permission"
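Once the steps above are done, it is worth checking what the role group can actually execute, because the "Active Directory Permissions" role brings its own cmdlets along and the Add-MailboxPermission entry is not limited to FullAccess. The audit script below is an added example, not from the original post; it assumes the role group name used above and an allow-list of the cmdlets the post intends to grant, and is run in the Exchange Management Shell.

```powershell
# Added example (not from the original post): audit what the new role group can really run.
# Assumes the role group created above; $Expected is the cmdlet set the post intends to grant.
$RoleGroup = "Mailbox delegation Permission"
$Expected  = @(
    "Add-MailboxPermission", "Remove-MailboxPermission", "Get-MailboxPermission",
    "Get-Mailbox", "Set-Mailbox", "Get-Recipient", "Get-SecurityPrincipal"
)

# Every management role assigned to the group (the custom role plus "Active Directory Permissions").
$assignments = Get-ManagementRoleAssignment -RoleAssignee $RoleGroup
$roleNames   = $assignments | ForEach-Object { $_.Role.Name }

# Union of all cmdlets the group can run, collected from the role entries of each assigned role.
$effective = foreach ($r in $roleNames) {
    Get-ManagementRoleEntry "$r\*" | ForEach-Object { $_.Name }
}
$effective = $effective | Sort-Object -Unique

# Compare the real cmdlet set against the intended one.
$unexpected = $effective | Where-Object { $Expected -notcontains $_ }
$missing    = $Expected  | Where-Object { $effective -notcontains $_ }

"Roles assigned to '$RoleGroup': " + ($roleNames -join ", ")
"Cmdlets granted (" + @($effective).Count + "):"
$effective | ForEach-Object { "  $_" }
if ($missing)    { "MISSING (EMC delegation UI will not work): " + ($missing -join ", ") }
if ($unexpected) { "BEYOND the intended set, review before handing to the helpdesk: " + ($unexpected -join ", ") }

# Parameters the helpdesk may pass to Add-MailboxPermission; an unrestricted list means every
# AccessRights value is allowed, not only FullAccess.
Get-ManagementRoleEntry "$RoleGroup\Add-MailboxPermission" | Select-Object Name, Parameters
```

Anything reported under BEYOND is what the "Active Directory Permissions" role adds on top of the custom role, so this is the list to review against what the helpdesk is actually meant to do.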

Ratish Nair

Microsoft MVP | Exchange Server

Team @MSExchangeGuru.com

4 Responses to “Creating an RBAC group with access to Grant mailbox access ONLY”

  1. Blog Posts of the Week (8th - 14th September 2013) - The South Asia MVP Blog - Site Home - TechNet Blogs Says:

    […] Creating an RBAC group with access to Grant mailbox access ONLY […]

  2. Durrok Says:

    Hey, just wanted to say I have been looking for something like this for a while. Your post solved a problem with defining access for our helpdesk that I have been trying to solve for weeks. Thank you very much for taking the time to make this post!

  3. Marcel Says:

    Hello, I have taken the steps you described, the only problem I have is that I cannot double click a recipient. It says "You don’t have permissions to view this page."

    Do you know the solution for this?

    Thanks in advance. Marcel

  4. Prabhat Nigam Says:

    Are you a member of Organization management group?
