4

Creating RBAC Role To Delegate Contact Management

Update 21-11-2013: If you want the additional contact fields to be edited then please review this post.

I had an interesting question the other week about solving a business challenge a customer had with regards to delegating the creation of contact objects in Active Directory.  In their previous messaging system users were managing their own external distribution groups, adding and removing external people, and they wanted to do the same in Exchange 2010.

A default Exchange 2010 installation does not grant these capabilities by default, so we have to do a little configuration.  Role Based Access Control (RBAC) was introduced by Microsoft in Exchange 2010 and is used to control access to the messaging environment.

I thought that this would be worth sharing so that the solution is published and the logic of creating the custom RBAC role is discussed.

Building Blocks

We will need to permit:

  • Management of Distribution Groups in Active Directory
  • Creation and management of Mail Enabled Contacts in Active Directory
  • Management toolset to manage the above

Management of Distribution Groups

Exchange 2010 does not allow a user to manage groups that they own by default.  All of the necessary plumbing is present, you just have to enable the feature.  This is explained in detail here.  Couple of things to note:

  • Groups cannot manage groups in Exchange 2010, this feature has returned in Exchange 2013 CU1. There is a workaround for Exchange 2010
  • Make sure the mailboxes and the DGs are in the same GAL

As noted above to manage groups that they own, assign MyDistributionGroups to the appropriate Role Assignment Policy.  In the below example the Default Role Assignment Policy was changed to enable this.  Note that this will allow users to also create new Distribution Groups, so I’ll cover that in a separate blog.  Also you may not want to change the Default Role Assignment Policy in your environment.  You can have multiple Role Assignment Policies and different groups of mailboxes can have a Role Assignment Policy that maps to their business needs.

Exchange 2010 Default Role Assignment Policy Edited To Enable MyDistributionGroups

Well that’s the easy part done !

So let’s create a RBAC Role, and for the purposes of this test do a direct role assignment to one user account, though this can easily be a group and would be the recommended methodology.

Creation & Management of Mail Enabled Contacts in Active Directory

End users cannot create contacts in AD by default, but we can change the default RBAC to allow this.  The trick is to assign just the minimum permissions possible.  RBAC is aware of the permissions that have been assigned to a person, and will change the display to reflect the assigned permissions.  If you do not have access to do something, then you will not see that option.

Where to start?  We need to know which role contains the cmdlet that we want to leverage.  In this case we want the New-MailContact cmdlet, and to see in which roles it is present we can use Get-ManagementRole and the –Cmdlet parameter

Get-ManagementRole -Cmdlet New-MailContact

Exchange 2010 RBAC - Checking Which Role(s) Contain Necessary cmdlet

We can see that the Mail Recipient Creation contains the cmdlet that we need.  It also contains a bunch of other cmdlets that would grant too many capabilities.  A full listing is shown below for reference.

Get-ManagementRoleEntry –Identity “Mail Recipient Creation*”

Exchange 2010 RBAC - Management Role Entries Contained in Mail Recipient Creation Management Role

The built-in roles are read only and cannot be changed, so we cannot remove any cmdlets from them.  What we can, and will do, is to create a writable copy and make the necessary changes to our copied Management Role.

To create a new role called AD-Contact-Editors based off the built-in “Mail Recipient Creation”

New-ManagementRole –Name AD-Contact-Editors –Parent “Mail Recipient Creation”

Exchange 2010 RBAC - Creating New Management Role

Right now, our newly created AD-Contact-Editors role is a mirror copy of the original parent role.  Thus it has all the cmdlets and parameters the parent has.  Now we need to strip all of the unwanted cmdlets from our new role. Ultimately we want to leave in the bare minimum.

You could strip each cmdlet out one at a time.  For this exercise it will be easier to remove all but one and then add a couple back in.  We cannot remove all of the role entries, which is why we leave one behind.  Let’s leave just Get-MailContact in the role.  To remove the role entries, we shall pass the unwanted cmdlets through to Remove-ManagementRoleEntry.  So all cmdlets that are not Get-MailContact will be removed.

Exchange 2010 RBAC - Removing Unwanted Management Role Entries

Top Tip:

Always check the objects that are returned prior to piping to the remove cmdlet.

So in this case we would run

Get-ManagementRoleEntry  -Identity AD-Contact-Editors* | Where-Object {$_.Name -ne 'Get-MailContact'}

Only when we are happy with what is returned should we run:

Get-ManagementRoleEntry  -Identity AD-Contact-Editors* | Where-Object {$_.Name -ne 'Get-MailContact'} | Remove-ManagementRoleEntry

If we check to see what’s now in the AD-Contact-Editors Management Role, it only contains the Get-MailContact cmdlet.

Get-ManagementRoleEntry –Identity AD-Contact-Editors*

Exchange 2010 RBAC - Checking Current Management Role Entries

Let’s add back New-MailContact using New-ManagementRoleEntry

Add-ManagementRoleEntry –Identity “AD-Contact-EditorsNew-MailContact”

Exchange 2010 RBAC - Adding Required Management Role Entries Back In

If we try and test this in ECP, we only have the capabilities to manage ourselves at this point so we need to add a couple more cmdlets back in.  We need to add

  • Remove-MailContact
  • Get-Recipient
  • Set-Recipient

Add-ManagementRoleEntry –Identity “AD-Contact-EditorsRemove-MailContact”

Add-ManagementRoleEntry –Identity “AD-Contact-EditorsGet-Recipient”

 

This should give you a management role that looks like this:

Get-ManagementRoleEntry “AD-Contact-Editors”

Exchange 2010 RBAC - Checking Required Management Role Entries

In case you are wondering why we have not added Set-MailContact to our custom role, there is a very good reason.  Custom Management Roles can only contain cmdlets and parameters that exist in their parent role.  If you check out the original contents of the custom role there is no Set-MailContact cmdlet in it, thus we can never add it to this role.

Assign the new role to a user.  User-10 will our fluffy and cute guinea pig.

New-ManagementRoleAssignment -Role AD-Contact-Editors -User User-10

Exchange 2010 RBAC - Assigning Custom Management Role Directly To Mailbox

To check that the Management Role was correctly assigned, we could run:

Get-ManagementRoleAssignment -Role AD-Contact-Editors

Time to test!

Testing & Validation

Probably the most important portion is testing and validation, and is often overlooked.

Test, test and test like you mean it Smile.

You can allow your end users to use PowerShell to manage create and edit the contacts, though I suspect the admin assistant that wants to use PowerShell will be few and far between….

Chances are they will like the nice graphical ECP interface, so let’s focus on that.

Bellow is what our test user (user-10) sees in ECP.  Note this is the manage my org view.  All they can see is the External Contacts tab.

Exchange 2010 ECP Showing User Editing Contacts

In their Groups ECP view they see:

Exchange 2010 ECP Showing User Editing Groups

And they can add the contacts to the DG

Exchange 2010 ECP User Editing Editing Distribution Group

Outlook also will show the correct directory information.  This is how Outlook 2010 sees the DG:

Outlook 2010 Showing Same Directory Information

Conclusion

RBAC in Exchange 2010 allows for a lot of great customisation to the default built-in roles.  For many customers the default roles will work fine, and if not they can be easily customised.

For the users that you grant these permissions they will be able to manage/edit/delete all the contacts in the organisation.

This blog shows the basic framework for editing and customising RBAC.  By following the same process of identifying the role you need to work with, copying it and then customising the copied role you can provide a tailored solution to meet your organisation’s needs.

This will allow for the a basic mail enabled contact to be created.  If you want the additional contact fields to be edited then please see this post.

Cheers,

Rhoderick

Rhoderick Milne [MSFT]

4 Comments

  1. There is a difference between your screen shots and the syntax shown in the documentation. For example, your syntax here:

    Get-ManagementRoleEntry -Identity AD-Contact-Editors* | Where-Object {$_.Name -ne 'Get-MailContact'}

    Is different from the screen shot :

    Get-ManagementRoleEntry -Identity AD-Contact-Editors\* | Where-Object {$_.Name -ne 'Get-MailContact'}

  2. Hi, just did this with Exchange 2016. Role is right, but when you go to the ECP, i got an access refused...
    Do you know what can i do to solve this ?

    • Ok, i gave only the AD-Contact-Editors-Recipients RG from your other article. with both, it works (as you said).
      Thanks for this and : It still working with Exchange 2016. 🙂

      • Thanks for the note!
        Exchange Server RBAC really has not changed much 🙂

        Cheers,
        Rhoderick

Leave a Reply

Your email address will not be published. Required fields are marked *