Creating an RBAC group with access to Enable/Disable Active Sync and Wipe Mobile Device
In the scenario below, the helpdesk must be able to do only two things: enable or disable ActiveSync on a mailbox, and wipe a user's mobile device. Every other permission that the parent roles would carry along has to be stripped out.
Steps to be followed:
Create a new management role named "ActiveSync", using "Organization Client Access" as its parent. A child role starts out with every role entry of its parent.
New-ManagementRole -Name "ActiveSync" -Parent "Organization Client Access"
The Organization Client Access role also grants rights such as managing the Client Access array, which the helpdesk should not have. Remove every role entry from "ActiveSync" except Set-CASMailbox, the cmdlet the task actually needs:
Get-ManagementRoleEntry "ActiveSync\*" | ? {$_.Name -ne "Set-CASMailbox"} | Remove-ManagementRoleEntry
Next, add back a handful of entries. Most are read-only Get-* cmdlets that the Exchange Management Console needs in order to display the ActiveSync-related pages; the exceptions are Set- and Remove-ActiveSyncDeviceAccessRule (device access rules) and Write-AdminAuditLog, which lets the helpdesk's actions be recorded in the admin audit log. None of these entries creates or removes mailboxes, and since only Get-ClientAccessArray is re-added, the Client Access array stays read-only for this role. Set-CASMailbox was kept in the previous step, so it does not need to be added again.
Add-ManagementRoleEntry "ActiveSync\Get-ActiveSyncDeviceAccessRule"
Add-ManagementRoleEntry "ActiveSync\Get-ActiveSyncDeviceClass"
Add-ManagementRoleEntry "ActiveSync\Get-ActiveSyncOrganizationSettings"
Add-ManagementRoleEntry "ActiveSync\Get-AuthRedirect"
Add-ManagementRoleEntry "ActiveSync\Get-CASMailbox"
Add-ManagementRoleEntry "ActiveSync\Get-ClientAccessArray"
Add-ManagementRoleEntry "ActiveSync\Get-OutlookProvider"
Add-ManagementRoleEntry "ActiveSync\Get-RpcClientAccess"
Add-ManagementRoleEntry "ActiveSync\Remove-ActiveSyncDeviceAccessRule"
Add-ManagementRoleEntry "ActiveSync\Set-ActiveSyncDeviceAccessRule"
# Set-CASMailbox is already present in the role (kept in the previous step)
Add-ManagementRoleEntry "ActiveSync\Write-AdminAuditLog"
Now create a new role group and give it the "ActiveSync" role; the helpdesk administrators who need these rights are added as members of this group.
New-RoleGroup "ActiveSync Enable Wipe" -Roles "ActiveSync"
The Set-CASMailbox entry inherited from Organization Client Access does not carry the parameter that enables and disables ActiveSync (ActiveSyncEnabled). To get that parameter, create a second role, "MailboxManagement", with "Mail Recipients" as its parent role.
New-ManagementRole -Name "MailboxManagement" -Parent "Mail Recipients"
Remove the unwanted role entries from MailboxManagement, again keeping only Set-CASMailbox:
Get-ManagementRoleEntry "MailboxManagement\*" | where {$_.Name -ne "Set-CASMailbox"} | Remove-ManagementRoleEntry
Then add the entries this role needs: the Get-* cmdlets the console uses to find the user and mailbox, Set-Mailbox, and the device cmdlets that perform the wipe (Clear-ActiveSyncDevice) and remove the device partnership (Remove-ActiveSyncDevice).
Add-ManagementRoleEntry "MailboxManagement\Get-User"
Add-ManagementRoleEntry "MailboxManagement\Get-Mailbox"
Add-ManagementRoleEntry "MailboxManagement\Get-CASMailbox"
Add-ManagementRoleEntry "MailboxManagement\Get-Recipient"
Add-ManagementRoleEntry "MailboxManagement\Set-Mailbox"
Add-ManagementRoleEntry "MailboxManagement\Get-ActiveSyncDeviceStatistics"
Add-ManagementRoleEntry "MailboxManagement\Clear-ActiveSyncDevice"
Add-ManagementRoleEntry "MailboxManagement\Remove-ActiveSyncDevice"
Finally, assign the new MailboxManagement role to the "ActiveSync Enable Wipe" role group so that members hold both roles.
New-ManagementRoleAssignment -Role "MailboxManagement" -SecurityGroup "ActiveSync Enable Wipe"
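The whole procedure as one script, added here as an example and not code from the original post. It uses the same role, role-group and parent names as the steps above and assumes it is run in the Exchange Management Shell on Exchange 2010 by an account that holds Organization Management. The helper New-MinimalRole is mine. It goes beyond the post in two places, both marked in the code: it narrows the MailboxManagement role's Set-CASMailbox entry to the parameters the task needs (assuming, as the post does, that the Mail Recipients parent entry carries ActiveSyncEnabled), and it finishes with an audit of the write-capable entries the group ends up with, which is the check to run before handing the group to the helpdesk.

```powershell
# Added example, not from the original post. Run in the Exchange Management Shell
# (Exchange 2010) as Organization Management. Names follow the post; the helper
# New-MinimalRole and the parameter scoping at the end are additions.

$casRole   = 'ActiveSync'             # org-level ActiveSync view for the console
$mbxRole   = 'MailboxManagement'      # per-mailbox enable/disable and device wipe
$roleGroup = 'ActiveSync Enable Wipe'

function New-MinimalRole {
    # Hypothetical helper: create a child role, strip every inherited entry except
    # Set-CASMailbox (the post's anchor entry), then add back only the listed cmdlets.
    param(
        [string]$Name,
        [string]$Parent,
        [string[]]$Keep
    )
    New-ManagementRole -Name $Name -Parent $Parent | Out-Null
    Get-ManagementRoleEntry "$Name\*" |
        Where-Object { $_.Name -ne 'Set-CASMailbox' } |
        Remove-ManagementRoleEntry -Confirm:$false
    foreach ($cmdlet in $Keep) {
        # Set-CASMailbox is still present, so adding it again would fail.
        if ($cmdlet -ne 'Set-CASMailbox') {
            Add-ManagementRoleEntry "$Name\$cmdlet"
        }
    }
}

# Step 1: read-mostly role derived from Organization Client Access.
New-MinimalRole -Name $casRole -Parent 'Organization Client Access' -Keep @(
    'Get-ActiveSyncDeviceAccessRule', 'Get-ActiveSyncDeviceClass',
    'Get-ActiveSyncOrganizationSettings', 'Get-AuthRedirect', 'Get-CASMailbox',
    'Get-ClientAccessArray', 'Get-OutlookProvider', 'Get-RpcClientAccess',
    'Remove-ActiveSyncDeviceAccessRule', 'Set-ActiveSyncDeviceAccessRule',
    'Set-CASMailbox', 'Write-AdminAuditLog'
)

# Step 2: mailbox-level role derived from Mail Recipients (carries ActiveSyncEnabled).
New-MinimalRole -Name $mbxRole -Parent 'Mail Recipients' -Keep @(
    'Get-User', 'Get-Mailbox', 'Get-CASMailbox', 'Get-Recipient', 'Set-Mailbox',
    'Get-ActiveSyncDeviceStatistics', 'Clear-ActiveSyncDevice',
    'Remove-ActiveSyncDevice', 'Set-CASMailbox'
)

# Extension (not in the post): the inherited Set-CASMailbox entry exposes every
# parameter of the parent. Restrict it to the two this task needs. Identity must
# stay or the cmdlet cannot target a mailbox. Add ActiveSyncMailboxPolicy to the
# list if the helpdesk should also assign device policies.
Set-ManagementRoleEntry "$mbxRole\Set-CASMailbox" -Parameters Identity, ActiveSyncEnabled

# Fail early if the parent did not supply the parameter the whole design relies on.
$params = (Get-ManagementRoleEntry "$mbxRole\Set-CASMailbox").Parameters
if ($params -notcontains 'ActiveSyncEnabled') {
    throw "ActiveSyncEnabled is missing from $mbxRole\Set-CASMailbox; check the parent role."
}

# Steps 3 and 4: role group holding both roles.
New-RoleGroup -Name $roleGroup -Roles $casRole | Out-Null
New-ManagementRoleAssignment -Role $mbxRole -SecurityGroup $roleGroup | Out-Null

# Audit: every non-Get entry the group can now run, with its parameters.
# Anything here that is not needed for enable/disable/wipe should be removed.
Get-ManagementRoleAssignment -RoleAssignee $roleGroup |
    ForEach-Object { Get-ManagementRoleEntry "$($_.Role)\*" } |
    Where-Object { $_.Name -notlike 'Get-*' } |
    Select-Object Role, Name, @{ n = 'Parameters'; e = { $_.Parameters -join ',' } } |
    Format-Table -AutoSize
```

The audit table is the point: before any helpdesk account is added to the group, read it and justify each Set-, Remove- and Clear- entry against the two allowed tasks. Set-Mailbox in particular still carries its full parameter set from Mail Recipients; if the console works without most of those, narrow it with Set-ManagementRoleEntry -Parameters in the same way as Set-CASMailbox.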
Ratish Nair
Microsoft MVP | Exchange Server
Team @MSExchangeGuru.com
January 22nd, 2014 at 7:25 am
Thanks for posting, this worked as intended for our environment, but ..
Our RBAC group also wants to be able to set\edit the Exchange ActiveSync device policy for each mailbox though.
Using the above it automatically applies the default ActiveSync device policy and does not allow it to be changed (“Access Denied”)
Any help with the changes required to enable this (without enabling editing of other mailbox settings) ?
Thanks
Mark.
July 2nd, 2014 at 3:26 pm
When clicking save after pressing wipe, we get an access denied error.
September 26th, 2014 at 11:12 am
Any idea on why we get an Access denied error after pressing save?
November 5th, 2014 at 5:55 pm
Great post! Thanks. The one thing still enabled on my role that I wish to remove is mailtips- any idea how to remove that feature for this role?
December 1st, 2014 at 10:30 pm
@Lisa – Please check the steps here
http://technet.microsoft.com/en-us/library/dd638109(v=exchg.141).aspx
October 13th, 2015 at 5:39 pm
you might not have permissions to update it or you lost the connection to the Domain controller.
October 26th, 2017 at 12:12 pm
How do you create an RBAC role for Exchange 2016 to enable / disable ActiveSync?