Monday, 23 April 2012

Exchange 2010 RBAC – Recipient Management

A lot is expected from this feature, as delegation has been a pain area for all Exchange administrators for years: delegating permissions to different people in a large organization based on the requirement, no less, no more!

In this post, I will cover creating a role group for mailbox management tasks such as creating mailboxes, deleting mailboxes, DLs etc. (that is, all user/group management within Exchange) and scoping the permissions based on the OU.

I will not cover the basics and details of RBAC and its components; for those, you can look at the following links.

http://technet.microsoft.com/en-us/library/dd298183.aspx

http://www.msexchange.org/articles_tutorials/exchange-server-2010/management-administration/exchange-2010-role-based-access-control-part1.html

When I looked to do it for myself and my org, I came across the following blog, which tells us how to do it via the shell. Nice stuff!

http://sysadmin-talk.org/2010/04/5-steps-to-heaven-creating-a-custom-rbac-role-in-exchange-2010/

Although I love the shell, I was looking to do it via the GUI. Why? It depends on my mood whether I use the shell or EMC, as long as we have a GUI around!

OK, let's get started.

Where can we do it from? Open EMC and go to Toolbox. Double-click RBAC in the details pane. It will open an IE browser window and you will have to log in with your Exchange admin credentials. Alternatively, you can go directly to the Exchange Control Panel (ECP) using the internal or external ECP URL you configured. It may be something like https://mail.domain.com/ecp or https://casfqdn/ecp

Click the Roles & Auditing option on the left-hand side. Under Administrator Roles, you will see the different role groups created by Exchange setup. Find and select Recipient Management and click Copy.


The New Role Group window will open. Specify a name for the new role group, for example EU_FR_localadmin. Click Organizational unit under Write Scope and type in the path to the OU you want to grant access to, in the format domain.local/FR/Users. Scroll down and click Add under Members, then select the users/groups you want to give access to.


This creates a group in your root domain, in the Exchange Security Groups OU, along with the other groups. So wait for replication if you operate in multiple domains, and you are good to go.

One question that comes up here: what permissions is this role group going to grant? We have made a copy of the built-in Recipient Management role group, which has a set of roles assigned to it. You can see the roles in the New Role Group window, and the following resources help to understand the permissions we are granting as Recipient Management.

List of roles in the default Recipient Management Role group:

http://technet.microsoft.com/en-us/library/dd298028.aspx

List of built-in roles to see the permissions they have:

http://technet.microsoft.com/en-us/library/dd638077.aspx
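
The same copy can be made from the Exchange Management Shell, which also makes it easy to review what the new role group actually grants and whether every assignment is limited to the OU. This is an added example, not taken from the original post or the linked blog; the group name and OU path are the sample values used above, and `FR-Helpdesk` is a hypothetical member.

```powershell
# Added example for the Exchange 2010 Management Shell (not from the original post).
# Assumed values: group name and OU path as used in the post; 'FR-Helpdesk' is a
# hypothetical user or security group that should receive the delegated rights.
$sourceGroup = 'Recipient Management'
$newGroup    = 'EU_FR_localadmin'
$ouScope     = 'domain.local/FR/Users'
$members     = 'FR-Helpdesk'

# 1. Copy the role list of the built-in group into a new, OU-scoped role group.
if (-not (Get-RoleGroup -Identity $newGroup -ErrorAction SilentlyContinue)) {
    $source = Get-RoleGroup -Identity $sourceGroup
    New-RoleGroup -Name $newGroup -Roles $source.Roles `
        -RecipientOrganizationalUnitScope $ouScope -Members $members `
        -Description "Recipient management limited to $ouScope" | Out-Null
}

# 2. List every role assignment the copy created, with its write scopes.
$assignments = Get-ManagementRoleAssignment -RoleAssignee $newGroup
$assignments | Sort-Object Role |
    Format-Table Role, RecipientWriteScope, CustomRecipientWriteScope,
                 ConfigWriteScope -AutoSize

# 3. Flag assignments whose recipient write scope is not an OU scope,
#    i.e. roles that could act on recipients outside the delegated OU.
$notOuScoped = $assignments | Where-Object { $_.RecipientWriteScope -ne 'OU' }
if ($notOuScoped) {
    Write-Warning "Assignments without an OU write scope; review before use:"
    $notOuScoped | Format-Table Name, Role, RecipientWriteScope -AutoSize
}

# 4. Show how many cmdlets each assigned role exposes, so that roles broader
#    than the local admins need can be spotted and removed from the copy.
foreach ($a in $assignments) {
    $entries = @(Get-ManagementRoleEntry "$($a.Role)\*")
    '{0,-40} {1,4} cmdlets' -f $a.Role, $entries.Count
}

# 5. Confirm who ends up holding these permissions.
Get-RoleGroupMember -Identity $newGroup | Format-Table Name, RecipientType -AutoSize
```

To see the individual cmdlets and parameters a single role grants, run `Get-ManagementRoleEntry "<role name>\*"` for that role and compare the output with the role descriptions linked above.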

Post comments if you have any questions; I will try to answer!