Martin Coetzer | Portfolio Architect, Microsoft Learning eXperiences


1 Managing Exchange Server 2013 Using the Exchange Admin Center, PowerShell, and RBAC
Martin Coetzer | Portfolio Architect, Microsoft Learning eXperiences
Andi Conrad | Consultant, IT Service Management, Microsoft Services

2 Course Topics: Managing Exchange Server 2013
01 | Exchange Management Tools
02 | What is RBAC?
03 | RBAC Components
04 | Putting RBAC together
05 | Troubleshooting RBAC
06 | Auditing in Exchange Server 2013

3 03 | RBAC Components
Martin Coetzer | Portfolio Architect, Microsoft Learning eXperiences
Andi Conrad | Consultant, IT Service Management, Microsoft Services

4 Module Overview
- Roles
- Role Entries
- Role Groups
- Role Assignment Policy
- Scope
- Custom Role Groups
- Explicit Scope Filters
- Exclusive Scopes

5 The Triangle of Power: What, Who, Where, and the Glue
These are the 4 high-level pieces of RBAC. The details follow on the upcoming slides.

6 Management Role (What)
- A management role is a configuration object that defines the tasks that are made available to a user to whom the role has been assigned.
- There are two types of management roles:
  - Built-in management roles: pre-defined roles provided by Exchange.
  - Custom management roles: copies of built-in roles that can be customized to meet the needs of an organization. They are child objects of the built-in management roles and inherit all the attributes of the parent.
Slide Objective: Explain management roles.
Instructor Notes: A management role defines the Exchange commands that are made available to the person or group assigned that role. A management role's configuration information includes a list of cmdlets and associated parameters, known as management role entries. There are two categories of management roles: built-in management roles are default roles created by Exchange which provide all the basic access control needs of an organization; custom management roles are copies of built-in roles that can be customized to meet the specific access control needs of an organization.
© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

7 What is a role? (What)
- A logical collection of cmdlets built around a task
- An AD object
- Can be a child of another role
PowerShell commands: Get-ManagementRole, New-ManagementRole, Remove-ManagementRole
Roles define the action(s) that can be carried out. The actual actions are listed as role entries that describe which PowerShell cmdlets can be executed and which parameters of those cmdlets can be used. Child roles always have the same permissions as their parent when they are first created. They can never be assigned tasks/actions that their parent role is not capable of carrying out. Also, you cannot remove a capability from a parent while there is still a child role with that capability.

8 Management Role Entries (What)
- Management role entries are a list of Exchange tasks (cmdlets/parameters)
- When a management role is assigned, the assignee has access to all the tasks in the list
- A custom management role can be edited to remove cmdlets and/or parameters that shouldn't be available to the role assignee
- Built-in roles are read-only and cannot be edited to remove role entries
- Entries that do not exist on a parent role cannot be added to a child role
Slide Objective: Explain management role entries.
Instructor Notes: Management role entries are stored as an attribute of management role objects. This multi-valued string attribute holds the information that defines the tasks available to the given management role. Management role entries are managed using Exchange management tasks. If a parameter for a given cmdlet is not included as an entry, the parameter is not accessible for that cmdlet via that role. If a user attempts to execute a task that is not included as an entry on any management role assignment that applies to the user, the task fails. The manner in which the task fails varies according to the management interface used and is covered in detail later in this module.

9 Role Entries (What)
- The smallest building block of a role
- A collection of one cmdlet and its allowed parameters
PowerShell commands: Add-ManagementRoleEntry, Get-ManagementRoleEntry, Remove-ManagementRoleEntry, Set-ManagementRoleEntry
Role entries define the actions a role is capable of executing. They are automatically inherited when you create a child role and can be stripped out as required. In some cases the easiest thing to do is to create a child role, remove all role entries and then add back the handful of role entries the role needs so it can carry out the minimal tasks you are planning to assign to it.
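The "strip everything, add back a handful" procedure from this slide, written out as an added example for this page (not the course's own demo code); the custom role name, the chosen cmdlet and its parameter list are assumptions, and the parent is the built-in Mail Recipients role:

```powershell
# Added example, not from the course. Builds a least-privilege custom role
# by copying a built-in role, emptying its entries, then adding back only
# what is needed. The role name and parameter choices are assumptions.
$roleName = "Help Desk Mailbox Names"   # hypothetical custom (child) role
$parent   = "Mail Recipients"           # built-in parent role

# 1. Create the child role. It starts with every role entry of its parent.
New-ManagementRole -Name $roleName -Parent $parent

# 2. Strip every inherited entry except Get-Mailbox, which stays so the
#    assignee can still resolve the mailbox that Set-Mailbox will target.
Get-ManagementRoleEntry "$roleName\*" |
    Where-Object { $_.Name -ne "Get-Mailbox" } |
    Remove-ManagementRoleEntry -Confirm:$false

# 3. Add back one cmdlet with an explicit, minimal parameter list.
Add-ManagementRoleEntry "$roleName\Set-Mailbox" -Parameters Identity, DisplayName

# 4. Adjust the parameter list in place when requirements change, instead of
#    removing and re-adding the whole entry.
Set-ManagementRoleEntry "$roleName\Set-Mailbox" -Parameters Office -AddParameter

# 5. The parent constraint from the slides: a cmdlet the parent role does not
#    carry (New-MailboxDatabase belongs to the Databases role, not to
#    Mail Recipients) cannot be added to the child. Expect an error here.
try {
    Add-ManagementRoleEntry "$roleName\New-MailboxDatabase" -ErrorAction Stop
} catch {
    Write-Warning "Rejected as expected: $($_.Exception.Message)"
}

# 6. Review the final entries before the role is assigned to anyone.
Get-ManagementRoleEntry "$roleName\*" | Format-Table Name, Parameters -AutoSize
```

Run it in the Exchange Management Shell with an account that holds the Role Management role; step 6 is the list to keep with the change record, since it is exactly what any assignee of the role will be able to run.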

10 Management Role Assignment (Who)
- A management role assignment is a configuration object that links a management role to an assignee
- Assignment can be made:
  - Directly to a specific user
  - Directly to a Universal Security Group (USG); adding users or other USGs as members in effect extends the role assignment to the members
  - Indirectly to a mailbox user through a role assignment policy
Slide Objective: Explain management role assignment.
Instructor Notes: A management role assignment is the assignment of a management role either directly to a user or universal security group (USG) or indirectly to a user through a role assignment policy. Assigning a management role grants a user the ability to use the cmdlets and parameters defined in that management role's entries.

11 Management Role Assignment Limitations (Who)
- Multiple assignments can be made to a single assignee (user, USG, or policy), but an assignment can only point to one assignee
- Once an assignment is made, it cannot be "switched" from one assignee to another; a new role assignment has to be created to point at a different assignee
- Role assignments are additive: at evaluation time, all roles that are assigned to a user directly, through USG membership and through policy are considered and aggregated
Slide Objective: Explain management role assignment limitations.
Instructor Notes: A given management role assignment only applies to a single user or USG. However, a user or USG can have several management role assignments. If multiple management roles are assigned to a user, the management role entries from each management role are aggregated and applied. This means, for example, that if a user is assigned the OrganizationManagement and MyOptions roles, the roles are combined and all the associated management role entries are available to the user.

12 Role Assignment Policy (Who)
- A role assignment policy is a configuration object that allows assignment of roles to mailbox users
- A role assignment is made to a role assignment policy that is in turn associated with a mailbox user
- Linked to a mailbox user by an attribute on the user account
- This association between mailbox user and policy can be by explicit policy assignment or by the assignment of a policy at provisioning time
- Only one policy can apply to a user at a time
- Exchange provides a default policy that applies the management roles for self-administration
- Additional policies can be created as needed to apply other management roles
Slide Objective: Explain the role assignment policy.
Instructor Notes: A role assignment policy allows the assignment of roles to end users in an easily managed process. A role assignment is associated with a policy that is in turn associated with an end user. This association between end user and policy can be either by explicit policy assignment or the assignment of a default policy at provisioning time.

13 Role Group (Who)
- A role group is a USG used specifically for role assignment
- Helpful for those who equate roles with security groups
- Exchange tools are used to maintain them; there is no need to switch to a different interface for administration
- Several default role groups are created by Exchange at install time, for example: Organization Management, Recipient Management, Public Folder Management
- New role groups can be created as needed
- All role groups are created and stored in the Microsoft Exchange Security Groups OU
Instructor Notes: Role groups are used to map the assignment of well-known roles to USGs that can be controlled using Exchange administrative tools.

14 Role Group (Who)
A flagged USG that has one or more roles assigned to it.
Role group flags:
- msExchCoManagedByLink: CN=Organization Management,OU=Microsoft Exchange Security Groups,DC=domain,DC=com;
- msExchRecipientTypeDetails: ;
- msExchVersion: ;
PowerShell commands: Get-RoleGroup, New-RoleGroup (creates and flags the USG), Set-RoleGroup, Remove-RoleGroup
We don't have any rules that say you must use a role group to assign permissions. Role groups are a convenience for managing permissions and are very useful in environments where the split permissions model is employed, because the Exchange administrator will be able to create groups in AD to house the users to whom rights need to be assigned.

15 Role Assignment Policies (Who)
- Assign roles like address policies
- Based on an OPath filter
- Only one policy per mailbox
- Can only assign self-service ("My") roles
PowerShell commands: Get-RoleAssignmentPolicy, New-RoleAssignmentPolicy, Set-RoleAssignmentPolicy, Remove-RoleAssignmentPolicy
Role assignment policies determine the actions users can take to edit their own properties in the Exchange Control Panel. The policy is applied just like an address policy using an OPath filter, but is limited to the self-service roles. Just like EAPs, there is a limit of one policy per mailbox.

16 Management Scopes (Where)
- Management scopes define the extent of control for a management role assignment
- When you assign a management role, a scope is used to target specifically what objects the assignee can access and act upon
- Management scopes apply to recipient or configuration objects
- Scopes can be defined using objects like Exchange servers, OUs, filterable properties on Exchange server and recipient objects, and more
Slide Objective: Explain management scopes.
Instructor Notes: A management role scope defines the extent of control for a management role assignment. When you assign a management role, management scopes can be used to target specifically what objects the assignment can control. Scopes can be defined by servers, organizational units, filters on server or recipient objects, and more.

17 Management Scopes – Types (Where)
- Two types of scopes: implicit and explicit
- Implicit scopes are pre-defined on default management roles and apply to objects appropriate to the role
  - Range from broad (organization) to narrow (self)
  - Custom roles inherit the implicit scope from their parent role
- Explicit scopes are administrator-defined and can be:
  - A management scope configuration object defined in advance by the administrator
  - A custom scope defined at the time of role assignment
- If an explicit scope is not used during role assignment, the implicit scope of the management role is always used
Slide Objective: Explain management scopes.
Instructor Notes: Scopes can be inherited from the management role, applied via filters, or applied using a static server list. Using filters, you can create a custom scope (also known as an explicit scope) that specifies either recipient object properties or server object properties. For example, you can create a scope that applies only to recipients that have the value "Engineering" in the Department property of a mailbox-enabled account. Or, you can create a scope that applies only to servers within the "Redmond" AD DS site. Additionally, you can specify a base organizational unit (OU). If you specify a base OU, the filters are applied only to objects within that OU. The built-in management roles come with pre-defined scopes (also known as implicit scopes) that are used if you don't specify any custom scopes during assignment. Each role has three scope types: ImplicitDomainReadScope, ImplicitDomainWriteScope and ImplicitConfigScope. ImplicitDomainReadScope determines what objects the user assigned the management role is allowed to read from AD DS. ImplicitDomainWriteScope determines what objects the user assigned the management role is allowed to modify in AD DS. ImplicitConfigScope determines what objects the user assigned the management role is allowed to modify in the Configuration naming context in AD DS.
If you don't specify a management role scope when you assign a role, the implicit read and implicit write scopes take effect. These implicit scopes control what objects the user can access or modify.

18 What is a Scope? (Where)
- Restricts where the assignee can make changes
- Defined with an OPath filter
- The write scope is always <= the read scope
PowerShell commands: Get-ManagementScope, New-ManagementScope, Set-ManagementScope, Remove-ManagementScope
An example OPath filter is on the next slide. If a scope is not defined, Exchange has built-in implicit scopes that are automatically applied (the implicit scopes from the E2010 RBAC training module on page 35 are: Organization, MyGAL, Self, MyDistributionGroups, OrganizationConfig, and None). For most cmdlets the default implicit scope gives each command access to the entire organization. You only need to define a scope if you wish to restrict the user to a smaller subset of objects. For example, you might want to make sure that the administrators and help desk personnel from Australia cannot modify objects in Europe. Separate read and write scopes can be defined. The write scope can never exceed the capabilities of the read scope; it can be equal or it can allow access to fewer items.

19 What Can an Explicit Scope Filter on? (Where)
- Anything you can use with OPath: group membership, custom attributes, office number
- Uses standard OPath syntax for filters, for example: { MemberOfGroup -eq "cn=mygroup,cn=ou,dc=Domain,dc=org" }
- Relative scopes and the OU scope are built in for quick, large coverage
Relative scopes are predefined by Exchange. They override implicit scopes and can be set at the time of a role assignment. The predefined relative scopes available in Exchange 2010 are listed on page 37 of the RBAC training. They are: Organization, Self and MyDistributionGroups. All three apply to recipient properties.

20 Exclusive Scopes (Where)
- Further restrict access to edit objects
- Only exclusive scope assignees can edit objects within that scope
Diagram labels: Seattle Users, Executives, Sales, Information Technology
An administrator who has access to the Seattle Users scope cannot access objects that are part of the Executives or the Information Technology scope. If there are users or objects that are part of both Executives and Information Technology, then only a user who is assigned both exclusive scopes can administer those objects. A user can have multiple scopes courtesy of multiple role assignments.
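The scope kinds covered on slides 16 to 20 (OPath filter, OU-rooted filter, static server list, and exclusive) created and reviewed in the Exchange Management Shell, as an added example for this page rather than the course's own demo; scope names, the OU path, server names and filter values are assumptions for a fictional contoso.com forest:

```powershell
# Added example, not from the course. Scope names, the OU path, server names
# and filter values are assumptions for a fictional contoso.com forest.

# Recipient filter scope: standard OPath on a filterable recipient property.
New-ManagementScope -Name "Sales Recipients" `
    -RecipientRestrictionFilter { Department -eq "Sales" }

# OU-rooted scope: the filter is evaluated only for objects under the root OU,
# so a help desk limited to it cannot touch mailboxes elsewhere in the forest.
New-ManagementScope -Name "Seattle Users" `
    -RecipientRoot "contoso.com/Seattle/Users" `
    -RecipientRestrictionFilter { RecipientType -eq "UserMailbox" }

# Configuration scope from a static server list (the alternative to a
# server-object filter mentioned in the instructor notes).
New-ManagementScope -Name "Seattle Mailbox Servers" -ServerList "SEA-MBX01", "SEA-MBX02"

# Exclusive scope: once an assignment references it through
# -ExclusiveRecipientWriteScope, only assignees of this scope may modify the
# matching recipients, even if those recipients also match a regular scope.
New-ManagementScope -Name "Executives" `
    -RecipientRestrictionFilter { CustomAttribute1 -eq "Executive" } -Exclusive

# Review: Exclusive and ScopeRestrictionType are the columns to check when
# auditing who can write what.
Get-ManagementScope |
    Format-Table Name, ScopeRestrictionType, Exclusive, RecipientRoot, RecipientFilter -AutoSize

# Preview the recipients a scope matches before assigning it. The stored
# RecipientFilter string is plain OPath, so Get-Recipient accepts it directly.
$sales = Get-ManagementScope "Sales Recipients"
Get-Recipient -Filter $sales.RecipientFilter -ResultSize Unlimited |
    Select-Object Name, RecipientTypeDetails, OrganizationalUnit
```

The preview step matters most for exclusive scopes: an over-broad filter silently removes write access from every regular-scope administrator for the recipients it matches.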

21 Role Assignment – The Glue
- Links a role to an assignee
- One role to one assignee
- Multiple roles require multiple assignments
PowerShell commands: Get-ManagementRoleAssignment, New-ManagementRoleAssignment, Set-ManagementRoleAssignment, Remove-ManagementRoleAssignment
A role assignee can be a user, USG or role group. Each assignment links a single role to a single assignee. To assign X roles to a particular administrator you need to create X role assignments.

22 New-ManagementRoleAssignment (Glue)
Sets each of the corners of the triangle:
- What: -Role <role name>
- Where: -CustomRecipientWriteScope <scope name>, -RecipientRelativeWriteScope <scope name>, -RecipientOrganizationalUnitScope <scope name>, -ExclusiveRecipientWriteScope <scope name>, -CustomConfigWriteScope <scope name>, -ExclusiveConfigWriteScope <scope name>
- Who: -SecurityGroup <USG or role group name>, -User, -Policy
The scope parameters are mutually exclusive. For example, you cannot specify both an ExclusiveConfigWriteScope and a CustomConfigWriteScope. The Who parameters are also mutually exclusive: you cannot specify a security group and a user. You must choose one of the three to apply the "glue" to.
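The three corners joined by role assignments, as an added example for slides 21 and 22 (not the course's demo); it assumes a regular OU-rooted scope named "Seattle Users", an exclusive scope named "Executives" and a custom role named "Help Desk Mailbox Names" already exist, and the group, user and mailbox names are assumptions:

```powershell
# Added example, not from the course. Assumes these objects already exist:
#   - management scope "Seattle Users" (regular, OU-rooted recipient scope)
#   - management scope "Executives" (created with -Exclusive)
#   - custom role "Help Desk Mailbox Names" (a child of Mail Recipients)
# Group, user and mailbox names are assumptions.

# Who: role groups are flagged USGs managed entirely from Exchange tools.
New-RoleGroup -Name "Seattle Help Desk" -Members "hd.alice", "hd.bob"
New-RoleGroup -Name "Executive Admins"  -Members "exec.admin1"

# Glue #1: custom role -> role group, writes limited to the Seattle OU scope.
New-ManagementRoleAssignment -Name "Help Desk Names-Seattle Help Desk" `
    -Role "Help Desk Mailbox Names" -SecurityGroup "Seattle Help Desk" `
    -CustomRecipientWriteScope "Seattle Users"

# Glue #2: built-in role -> second group, using the exclusive scope. Once this
# exists, the Seattle help desk can still read executives but cannot modify
# them, even if an executive's mailbox sits inside the Seattle OU.
New-ManagementRoleAssignment -Role "Mail Recipients" -SecurityGroup "Executive Admins" `
    -ExclusiveRecipientWriteScope "Executives"

# Glue #3: a direct assignment to a single user (one role, one assignee).
# Giving the same user a second role needs a second assignment.
New-ManagementRoleAssignment -Role "Distribution Groups" -User "hd.carol"

# Invalid by design: the scope parameters are mutually exclusive, as are the
# Who parameters. Either of these is rejected by parameter binding.
#   New-ManagementRoleAssignment -Role "Mail Recipients" -SecurityGroup "X" `
#       -CustomRecipientWriteScope "Seattle Users" -ExclusiveRecipientWriteScope "Executives"
#   New-ManagementRoleAssignment -Role "Mail Recipients" -SecurityGroup "X" -User "hd.carol"

# Verify from the assignee's side: every assignment the group holds and the
# effective write scope of each one.
Get-ManagementRoleAssignment -RoleAssignee "Seattle Help Desk" |
    Format-Table Name, Role, RecipientWriteScope, CustomRecipientWriteScope -AutoSize

# Verify from the object's side: which users can actually modify a given
# mailbox. This is the check to run when auditing an exclusive scope.
Get-ManagementRoleAssignment -WritableRecipient "ceo" -GetEffectiveUsers |
    Format-Table EffectiveUserName, Role, RoleAssigneeName, CustomRecipientWriteScope -AutoSize
```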

23 Demo: Configuring Custom Role Groups

24 Summary: RBAC Components


