Sunday, March 30, 2014

Exchange Server 2013 Role Based Access Control – Mailbox Migration



Exchange Server 2013 SP1 has 85 management roles and 11 default role groups, which are listed at the end of the article. To list the management roles and role groups, use the following commands respectively:
  • Get-ManagementRole
  • Get-RoleGroup
The requirement here is to give an engineer access only to run mailbox migrations or mailbox moves. The engineer should not have any other access.

I tried to find the roles that hold the relevant PowerShell command (i.e. New-MoveRequest) and found it under the roles Move Mailboxes and Migration. This will help you find which role a given PowerShell command belongs to.

Once the roles are identified, follow the steps below:
  • Create a new role group and add the roles to it 
    • New-RoleGroup Ex2013Migration -Roles 'Move Mailboxes',Migration
  • Add the user to the role group that you have created 
    • Add-RoleGroupMember 'Ex2013Migration' -Member User1
  • If you want to add additional users to the role group. Update-RoleGroupMember overwrites the group's membership list with the names given, so include the existing member as well. 
    • Update-RoleGroupMember 'Ex2013Migration' -Members User1,User2,User3 -Confirm:$false
  • To verify the user list 
    • Get-RoleGroupMember Ex2013Migration
  • Verifying the Exchange 2013 RBAC in EAC
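
The role lookup and a least-privilege check for the steps above, as an added example that is not part of the original post. It assumes the Exchange Management Shell and the names used in the post (Ex2013Migration, User1); the variable names are illustrative.

```powershell
# Added example, not the post's code. Ex2013Migration and User1 are the names
# used in the post; run in the Exchange Management Shell.
$groupName     = 'Ex2013Migration'
$engineer      = 'User1'
$expectedRoles = 'Move Mailboxes', 'Migration'

# 1. Which management roles contain the cmdlet the engineer needs?
Get-ManagementRole -Cmdlet New-MoveRequest | Select-Object Name, RoleType

# 2. Everything those two roles grant, so the delegation is reviewed as a whole.
foreach ($role in $expectedRoles) {
    Get-ManagementRoleEntry "$role\*" | Select-Object Role, Name
}

# 3. Roles assigned to the role group itself.
Get-ManagementRoleAssignment -RoleAssignee $groupName | Select-Object Name, Role

# 4. Administrative roles the engineer holds, directly or through any group.
#    End-user roles that come from the role assignment policy are skipped.
#    Results are collected first so no cmdlet runs inside another's pipeline.
$assignments = @(Get-ManagementRoleAssignment -RoleAssignee $engineer)
$held = $assignments |
    Where-Object { "$($_.RoleAssigneeType)" -ne 'RoleAssignmentPolicy' } |
    ForEach-Object { (Get-ManagementRole $_.Role).Name } |
    Sort-Object -Unique

$unexpected = @($held | Where-Object { $expectedRoles -notcontains $_ })
$missing    = @($expectedRoles | Where-Object { $held -notcontains $_ })

if ($unexpected.Count) { Write-Warning "$engineer also holds: $($unexpected -join ', ')" }
if ($missing.Count)    { Write-Warning "$engineer lacks: $($missing -join ', ')" }
if (-not $unexpected.Count -and -not $missing.Count) {
    "$engineer holds only: $($expectedRoles -join ', ')"
}

# 5. Who else can effectively use the Move Mailboxes role?
Get-ManagementRoleAssignment -Role 'Move Mailboxes' -GetEffectiveUsers |
    Select-Object EffectiveUserName, RoleAssigneeName
```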


  

The attached PDF file holds the complete list of PowerShell commands for each role.


Exchange 2013 RBAC Default Role Groups
  1. Organization Management
  2. Recipient Management
  3. View-Only Organization Management
  4. Public Folder Management
  5. UM Management
  6. Help Desk
  7. Records Management
  8. Discovery Management
  9. Server Management
  10. Delegated Setup
  11. Hygiene Management
Exchange 2013 RBAC Management Roles

Recipient Policies | Move Mailboxes | MyBaseOptions
Active Directory Permissions | Organization Client Access | MyContactInformation
Address Lists | Organization Configuration | MyProfileInformation
Audit Logs | Organization Transport Settings | MyRetentionPolicies
Cmdlet Extension Agents | POP3 And IMAP4 Protocols | MyTextMessaging
Database Availability Groups | Public Folders | MyVoiceMail
Database Copies | Receive Connectors | MyDiagnostics
Databases | Remote and Accepted Domains | MyDistributionGroupMembership
Disaster Recovery | Retention Management | MyDistributionGroups
Distribution Groups | Role Management | MyTeamMailboxes
E-Mail Address Policies | Security Group Creation and Membership | Org Custom Apps
Edge Subscriptions | Send Connectors | Org Marketplace Apps
Exchange Connectors | Support Diagnostics | Team Mailboxes
Exchange Server Certificates | Transport Agents | UnScoped Role Management
Exchange Servers | Transport Hygiene | View-Only Audit Logs
Exchange Virtual Directories | Transport Queues | WorkloadManagement
Federated Sharing | Transport Rules | ArchiveApplication
Information Rights Management | UM Mailboxes | LegalHoldApplication
Journaling | UM Prompts | MailboxSearchApplication
Legal Hold | Unified Messaging | OfficeExtensionApplication
Mail Enabled Public Folders | User Options | TeamMailboxLifecycleApplication
Mail Recipient Creation | View-Only Configuration | UserApplication
Mail Recipients | View-Only Recipients | MyAddressInformation
Mail Tips | ApplicationImpersonation | MyDisplayName
Mailbox Search | Data Loss Prevention | MyMobileInformation
Message Tracking | Mailbox Import Export | MyName
Migration | My Custom Apps | MyPersonalInformation
Monitoring | My Marketplace Apps | ExchangeCrossServiceIntegration
Reset Password



Thursday, March 27, 2014

Connecting Exchange 2013 Using Windows Powershell



Connecting Exchange 2013 PowerShell locally using Windows PowerShell

Open Windows PowerShell and load the snap-in

Add-PSSnapin Microsoft.ex*

Connecting Exchange 2013 PowerShell remotely using Windows PowerShell

Get-ExecutionPolicy
Set-ExecutionPolicy Unrestricted
$Credentials = Get-Credential
$ExSession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri 'http://ex2013.lab.com/powershell/?SerializationLevel=Full' -Credential $Credentials -Authentication Kerberos
Import-PSSession $ExSession
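
A tighter variant of the remote connection, as an added example that is not part of the original post: the execution policy is relaxed to RemoteSigned for the current process only, the cmdlets that RBAC exposes to the connecting account are listed, and the session is closed afterwards. The URI is the one from the post; the cmdlet names in $needed are illustrative.

```powershell
# Added example, not the post's code. The URI is the post's lab server.
# RemoteSigned is enough for the temporary module Import-PSSession generates,
# and -Scope Process leaves the machine-wide policy untouched.
Set-ExecutionPolicy RemoteSigned -Scope Process -Force

$Credentials = Get-Credential
$ExSession = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri 'http://ex2013.lab.com/powershell/?SerializationLevel=Full' `
    -Credential $Credentials -Authentication Kerberos

try {
    # The server only exports cmdlets that the account's RBAC roles allow.
    $module  = Import-PSSession $ExSession -AllowClobber
    $exposed = @(Get-Command -Module $module.Name | Select-Object -ExpandProperty Name)

    # Illustrative list: cmdlets a migration engineer is expected to have.
    $needed  = 'New-MoveRequest', 'Get-MoveRequest'
    $missing = @($needed | Where-Object { $exposed -notcontains $_ })

    "{0} cmdlets exposed to {1}" -f $exposed.Count, $Credentials.UserName
    if ($missing.Count) {
        Write-Warning "Not available to this account: $($missing -join ', ')"
    }
}
finally {
    # Always release the remote session, even if the import fails.
    Remove-PSSession $ExSession
}
```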

Exchange Server 2013 - Full Access Mailbox Permission Vs Send AS Permissions



When USERA wants full access permission on another user's mailbox, USERB (i.e. permission only to open the other user's mailbox and view its folders and emails), this can be granted with the Exchange 2013 PowerShell cmdlet Add-MailboxPermission.

Although USERA has full access permission on USERB's mailbox, USERA will not be able to send email as USERB. To allow that, we need to use Add-ADPermission with the Send-As permission.

Earlier, a user with full access was also able to send email as the other user. This change was introduced after the Exchange 2003 SP2 hotfix release.

To provide Send on Behalf of permission, use the Set-Mailbox cmdlet

E.g. Adding: Set-Mailbox -Identity Raji -GrantSendOnBehalfto Mark

     Removing: Set-Mailbox -Identity Raji -GrantSendOnBehalfto @{Remove="mark@mail.com"}

Note:

  • Send As Permission: Add-ADPermission
  • Full Access Mailbox Permission: Add-MailboxPermission
  • SendOnBehalf: Set-Mailbox


  • “Outlook uses the external namespace to connect to alternate mailboxes, even though Outlook is located on the internal network in Exchange Server 2013”. Reference: http://support.microsoft.com/kb/2839517

Adding Mailbox Permission with AutoMapping

Add-MailboxPermission -Identity Mark -User 'Raji' -AccessRights FullAccess -InheritanceType All -AutoMapping $True


Verifying Mailbox Permission

Get-MailboxPermission -Identity Mark | Format-List


To find specific user access of Mailbox Permission

Get-MailboxPermission -Identity Mark  -User "Rajis" | Format-List

To find owner of the mailbox

Get-MailboxPermission -Identity Mark -Owner


To remove Mailbox Permission

Remove-MailboxPermission -Identity Mark -User Rajis -AccessRights FullAccess -InheritanceType All

To provide Send-As Permission

Add-ADPermission -Identity "Mark" -User RajiS -AccessRights ExtendedRight -ExtendedRights "Send As"

To check extended permission

Get-ADPermission Mark -User Rajis | ft identity, user, extendedrights, accessrights

To remove AD Permission

Remove-ADPermission -Identity Mark  -User RajiS  -ExtendedRights "Send As"
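
Because the three rights are stored in three different places, reviewing who has been delegated access to a mailbox means querying all three. The following is an added example, not part of the original post, that collects them into one report; the function name is hypothetical and 'Mark' is the sample mailbox used above.

```powershell
# Added example, not the post's code. Get-MailboxDelegationReport is a
# hypothetical helper name; run in the Exchange Management Shell.
function Get-MailboxDelegationReport {
    param([Parameter(Mandatory = $true)][string]$Identity)

    $mbx = Get-Mailbox -Identity $Identity
    $dn  = $mbx.DistinguishedName

    # Full Access: explicit allow entries on the mailbox, excluding SELF.
    $fullAccess = @(Get-MailboxPermission -Identity $dn) |
        Where-Object { -not $_.IsInherited -and -not $_.Deny -and
                       "$($_.User)" -ne 'NT AUTHORITY\SELF' -and
                       "$($_.AccessRights)" -match 'FullAccess' } |
        ForEach-Object {
            [pscustomobject]@{ Mailbox = $mbx.Name; Right = 'FullAccess'; Trustee = "$($_.User)" }
        }

    # Send As: an extended right on the Active Directory object.
    $sendAs = @(Get-ADPermission -Identity $dn) |
        Where-Object { -not $_.IsInherited -and -not $_.Deny -and
                       "$($_.User)" -ne 'NT AUTHORITY\SELF' -and
                       "$($_.ExtendedRights)" -match 'Send-As' } |
        ForEach-Object {
            [pscustomobject]@{ Mailbox = $mbx.Name; Right = 'SendAs'; Trustee = "$($_.User)" }
        }

    # Send on Behalf: a property of the mailbox itself.
    $onBehalf = @($mbx.GrantSendOnBehalfTo) | Where-Object { $_ } |
        ForEach-Object {
            [pscustomobject]@{ Mailbox = $mbx.Name; Right = 'SendOnBehalf'; Trustee = "$_" }
        }

    @($fullAccess) + @($sendAs) + @($onBehalf)
}

Get-MailboxDelegationReport -Identity Mark | Format-Table -AutoSize
```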

This blog is written to share knowledge, mainly on Microsoft Exchange Server and other Microsoft products, gained from day-to-day experience.