Exchange 2010 PowerShell Access and Commands for Departmental IT Staff. (CatNet OU Admins)

(1)

Exchange 2010

PowerShell

Access and

Commands for

Departmental IT

Staff

(CatNet OU Admins)

(2)

UAConnect and Role Based Access Control

Exchange 2010 introduced a new permissions model called Role Based Access Control (RBAC). The flexible and granular nature of this model allows UITS to delegate very specific actions to OU Admins; providing full control of Exchange objects within the delegated OU structure and providing sufficient control over NetID based accounts to allow Departmental IT staff to support the users for which they are responsible. This document describes the custom management roles created for OU Admins and

provides a full listing of all the PowerShell cmdlets OU Admins have access to. *For more information on RBAC see: Understanding Role Based Access Control

Role Groups and how they are assigned

Role Groups are collections of roles that can be bound to a specific scope (i.e. an OU or a group). Assigning a role group to a user (or group) provides the user (or group members) with access to all of the cmdlets contained within the role group.

In UAConnect, each group of OU Admins has at least two role groups assigned. The role groups are configured as follows:

Role Group Name: <DEPT>-NetID-Admin (i.e. UITS-NetID-Admin) Assigned Roles:

 OUAdmin NetID Mail Recipients

 OUAdmin NetID Mail Recipient Creation

 OUAdmin Recipient Policies

 OUAdmin Message Tracking

 OUAdmin Monitoring

 OUAdmin Role Management

 OUAdmin NetID Active Directory Permissions

Role Group Name: <DEPT>-OUAdmin (i.e. UITS-OUAdmin) Assigned Roles:

 OUAdmin Dept Mail Recipients

 OUAdmin Recipient Policies

 OUAdmin Message Tracking

 OUAdmin Monitoring

 OUAdmin Dept Mail Recipient Creation

 OUAdmin Dept Mailbox Search

 OUAdmin Dept Distribution Groups

 OUAdmin Dept Mailbox Import Export

 OUAdmin Dept Retention Management

 OUAdmin Dept View-Only Audit Logs

 OUAdmin Role Management

 OUAdmin Security Group Creation and Membership

 OUAdmin Dept Active Directory Permissions

(4)

Each role group has a specific scope within which the OU Admins can act.

 The <DEPT>-NetID-Admin role group is assigned a custom write scope labeled

“<DEPT>-NetIDRecipients” which is tied to a group of the same name. The group contains a roll-up of all the payroll groups the OU Admins are responsible for supporting. While management of the “<DEPT>-NetIDRecipients must be done manually by the Enterprise Admins, the payroll groups are managed automatically based on EDS data.

 The <DEPT>-OUAdmin role group scope is set to the delegated OU for the department. The cmdlets available to the role group can be applied to objects within the delegated OU and all child OUs.

Custom Management Roles for Departmental IT

 OUAdmin NetID Mail Recipients (parent "Mail Recipients"): This role primarily provides the ability to view information regarding mailboxes and mailusers, but it also allows for some parameters such as mailbox permissions and send on behalf of rights to be set

 OUAdmin NetID Mail Recipient Creation (parent “Mail Recipient Creation”): This role allows setting mailbox folder permissions.

 OUAdmin NetID Active Directory Permissions (parent “Active Directory Permissions”): This role permits setting send as rights on mailboxes.

 OUAdmin Dept Mail Recipients (parent "Mail Recipients"): This role provides near full control of mailboxes and other mail recipients.

 OUAdmin Recipient Policies (parent "Recipient Policies"): This role allows viewing a subset of the recipient policies.

 OUAdmin Message Tracking (parent "Message Tracking"): This role provides access to view and search the message tracking logs and reports.

 OUAdmin Monitoring (parent "Monitoring"): This role allows access to test various connectivity options when troubleshooting mailbox issues.

 OUAdmin Dept Mail Recipient Creation (parent "Mail Recipient Creation"): This role provides the ability to create and delete mail recipients.

 OUAdmin Dept Mailbox Search (parent "Mailbox Search"): This role allows for searching mailboxes.

 OUAdmin Dept Distribution Groups (parent "Distribution Groups"): This role allows creation, manipulation and deletion of distribution groups; standard and dynamic.

 OUAdmin Dept Mailbox Import Export (parent "Mailbox Import Export"): This role permits mailbox exports and imports.

 OUAdmin Dept Retention Management (parent "Retention Management"): This role provides access to view and set junk email configuration.

 OUAdmin Dept View-Only Audit Logs (parent "View-Only Audit Logs"): This role allows for searching mailbox audit logs.

 OUAdmin Role Management (parent "Role Management"): This role allows viewing of the available management roles and scopes and how they are applied.

 OUAdmin Security Group Creation and Membership (parent "Security Group Creation and Membership"): This role allows manipulation of group membership.

(5)

 OUAdmin Support Diagnostics (parent "Support Diagnostics"): This role provides access to calendar and mailbox diagnostic logs.

 OUAdmin Dept Active Directory Permissions (parent "Active Directory Permissions"): This role permits viewing and setting Active Directory permissions.

Available Cmdlets (organized by role)

OUAdmin NetID Mail Recipients cmdlets

 Add-MailboxFolderPermission  Get-ActiveSyncDevice  Get-ActiveSyncDeviceStatistics  Get-ActiveSyncMailboxPolicy  Get-AddressBookPolicy  Get-CalendarNotification  Get-CalendarProcessing  Get-InboxRule  Get-LogonStatistics  Get-Mailbox  Get-MailboxAutoReplyConfiguration  Get-MailboxCalendarConfiguration  Get-MailboxCalendarFolder  Get-MailboxFolderPermission  Get-MailboxFolderStatistics  Get-MailboxJunkEmailConfiguration  Get-MailboxMessageConfiguration  Get-MailboxPermission  Get-MailboxRegionalConfiguration  Get-MailboxSpellingConfiguration  Get-mailboxStatistics  Get-MailUser  Get-OfflineAddressBook  Get-OrganizationalUnit  Get-OwaMailboxPolicy  Get-PhysicalAvailabilityReport  Get-Recipient  Get-ServiceAvailabilityReport  Get-ServiceStatus  Get-TextMessagingAccount  Get-User  Get-UserPrincipalNamesSuffix  Remove-MailboxFolderPermission  Test-MAPIConnectivity

Cmdlets with customized parameter availability

 Set-Mailbox -Parameters Identity, Confirm, GrantSendOnBehalfTo, WhatIf

 Set-MailUser -Parameters Identity, Confirm, GrantSendonBehalfTo, UseMapiRichTextFormat, UsePreferMessageFormat, WhatIf

 ADD-MailboxPermission -Parameters Identity, AccessRights, Confirm, User, AutoMapping, InheritanceType, WhatIf

 Remove-MailboxPermission -Parameters Identity, AccessRights, Confirm, User, InheritanceType, WhatIf

OUAdmin NetID Mail Recipient Creation cmdlets

 Get-Mailbox  Set-MailboxFolderPermission

OUAdmin NetID Active Directory Permissions

 Add-ADPermission

 Get-ADPermission

(6)

OUAdmin Dept Mail Recipients

 Add-MailboxFolderPermission  Add-MailboxPermission  Clear-ActiveSyncDevice  Connect-Mailbox  Disable-InboxRule  Disable-Mailbox  Disable-MailContact  Disable-MailUser  Disable-ServiceEmailChannel  Enable-InboxRule  Enable-Mailbox  Enable-MailContact  Enable-MailUser  Enable-ServiceEmailChannel  Get-ActiveSyncDevice  Get-ActiveSyncDeviceStatistics  Get-ActiveSyncMailboxPolicy  Get-AddressBookPolicy  Get-CalendarNotification  Get-CalendarProcessing  Get-Contact  Get-InboxRule  Get-LogonStatistics  Get-Mailbox  Get-MailboxAutoReplyConfiguration  Get-MailboxCalendarConfiguration  Get-MailboxCalendarFolder  Get-MailboxFolderPermission  Get-MailboxFolderStatistics  Get-MailboxJunkEmailConfiguration  Get-MailboxMessageConfiguration  Get-MailboxPermission  Get-MailboxRegionalConfiguration  Get-MailboxSpellingConfiguration  Get-mailboxStatistics  Get-MailContact  Get-MailUser  Get-OfflineAddressBook  Get-OrganizationalUnit  Get-OwaMailboxPolicy  Get-PhysicalAvailabilityReport  Get-Recipient  Get-ServiceAvailabilityReport  Get-ServiceStatus  Get-TextMessagingAccount  Get-User  Get-UserPrincipalNamesSuffix  New-InboxRule  New-MailboxRepairRequest  Remove-ActiveSyncDevice  Remove-InboxRule  Remove-MailboxFolderPermission  Remove-MailboxPermission  Set-CalendarProcessing  Set-Contact  Set-InboxRule  Set-Mailbox  Set-MailboxAutoReplyConfiguration  Set-MailboxCalendarConfiguration  Set-MailboxCalendarFolder  Set-MailboxJunkEmailConfiguration  Set-MailboxMessageConfiguration  Set-MailboxRegionalConfiguration  Set-MailboxSpellingConfiguration  Set-MailContact  Set-MailUser  Set-User  Test-MAPIConnectivity

(7)

OUAdmin Recipient Policies cmdlets

 Get-ActiveSyncMailboxPolicy

 Get-OwaMailboxPolicy

 Get-ThrottlingPolicyAssociation

OUAdmin Message Tracking cmdlets

 Get-Mailbox  Get-MessageTrackingLog  Get-MessageTrackingReport  Get-Recipient  Resume-MailboxExportRequest  Search-MessageTrackingReport

OUAdmin Monitoring cmdlets

 get-availabilityreportoutage  get-clientaccessserver  get-mailbox  get-recipient  test-activesyncconnectivity  test-calendarconnectivity  test-ecpconnectivity  test-imapconnectivity  test-mailflow  test-mapiconnectivity  test-outlookconnectivity  test-outlookwebservices  test-owaconnectivity  test-popconnectivity  test-powershellconnectivity  test-smtpconnectivity  test-webservicesconnectivity

OUAdmin Dept Mail Recipient Creation cmdlets

 Get-ActiveSyncMailboxPolicy  Get-AddressBookPolicy  Get-Mailbox  Get-MailContact  Get-MailUser  Get-OrganizationalUnit  Get-Recipient  Get-SharingPolicy  Get-ThrottlingPolicyAssociation  Get-User  New-Mailbox  New-MailContact  New-MailUser  Remove-Mailbox  Remove-MailContact  Remove-MailUser  Set-MailboxFolderPermission

OUAdmin Dept Mailbox Search cmdlets

 Get-Mailbox  Get-MailboxExportRequest  Get-MailboxExportRequestStatistics  Get-MailboxSearch  Get-Recipient  New-MailboxExportRequest  New-MailboxSearch  Remove-MailboxExportRequest  Remove-MailboxSearch  Search-Mailbox  Set-MailboxExportRequest  Set-MailboxSearch

(8)

 Start-MailboxSearch

 Stop-MailboxSearch

 Suspend-MailboxExportRequest

OUAdmin Dept Distribution Groups cmdlets

 Add-DistributionGroupMember  Disable-DistributionGroup  Enable-DistributionGroup  Get-DistributionGroup  Get-DistributionGroupMember  Get-DynamicDistributionGroup  Get-Group  Get-Mailbox  Get-MailUser  Get-OrganizationalUnit  Get-Recipient  Get-ResourceConfig  Get-User  New-DistributionGroup  New-DynamicDistributionGroup  Remove-DistributionGroup  Remove-DistributionGroupMember  Remove-DynamicDistributionGroup  Set-DistributionGroup  Set-DynamicDistributionGroup  Set-Group  Set-OrganizationConfig  Update-DistributionGroupMember

OUAdmin Dept Mailbox Import Export cmdlets

 Export-Mailbox  Get-Mailbox  Get-MailboxExportRequest  Get-MailboxExportRequestStatistics  Get-MailboxImportRequest  Get-MailboxImportRequestStatistics  Import-Mailbox  New-MailboxExportRequest  New-MailboxImportRequest  Remove-MailboxExportRequest  Remove-MailboxImportRequest  Resume-MailboxExportRequest  Resume-MailboxImportRequest  Search-Mailbox  Set-ADServerSettings  Set-MailboxExportRequest  Set-MailboxImportRequest  Suspend-MailboxExportRequest  Suspend-MailboxImportRequest

OUAdmin Dept Retention Management cmdlets

 Get-MailboxJunkEmailConfiguration  Set-MailboxJunkEmailConfiguration

OUAdmin Dept View-Only Audit Logs cmdlets

 new-mailboxauditlogsearch  search-mailboxauditlog

OUAdmin Role Management cmdlets

 Get-DistributionGroup  Get-DistributionGroupMember  Get-Group  Get-Mailbox  Get-ManagementRole  Get-ManagementRoleAssignment

(9)

 Get-ManagementRoleEntry  Get-ManagementScope  Get-OrganizationalUnit  Get-Recipient  Get-RoleAssignmentPolicy  Get-RoleGroup  Get-RoleGroupMember  Get-SecurityPrincipal  Get-User

OUAdmin Security Group Creation and Membership cmdlets

 Update-DistributionGroupMember  Set-Group  Set-DistributionGroup  Set-ADServerSettings  Remove-DistributionGroupMember  Remove-DistributionGroup  New-DistributionGroup  Get-Recipient  Get-OrganizationalUnit  Get-Mailbox  Get-DistributionGroupMember  Get-DistributionGroup  Add-DistributionGroupMember