Proper permissions play an important role in Exchange administration. One of my customers came across an issue with permissions: he wanted to know the minimal permission required to connect a mailbox (Connect-Mailbox), both from PowerShell and from the EAC.
1. If you only want administrators to connect mailboxes through PowerShell, follow the steps below.
a. Create a new management role as a child of the built-in Mail Recipients role, which contains the Connect-Mailbox role entry.
New-ManagementRole -Name "connect-mailbox test1" -Parent "Mail Recipients"
A child role starts with every role entry of its parent, so the new role contains far more entries than this task needs (and it can never contain an entry the parent does not have; you can only trim from here).
b. Use the following cmdlet to remove every role entry except Connect-Mailbox from the new role.
Get-ManagementRoleEntry "connect-mailbox test1\*" | Where {$_.name -ne "Connect-Mailbox"} | Remove-ManagementRoleEntry
c. Then check the result with Get-ManagementRoleEntry "connect-mailbox test1\*"; only the Connect-Mailbox entry should remain.
d. Create a new role group and assign the connect-mailbox test1 role to it (New-RoleGroup with -Roles, or through the EAC).
e. Add the user you want to grant this connect-mailbox permission to the role group through the EAC.
f. Here is the result when I log on as that user and connect the mailbox.
Note: With this role alone the user can only connect a mailbox from PowerShell. The EAC pages that list recipients and disconnected mailboxes also need the read-only cmdlets described in section 2, so the same user gets an error there.
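The PowerShell-only procedure above, run end to end from the Exchange Management Shell, as an added example that is not part of the original post. It adds the checks a practitioner wants after each step. The role group name "Connect-Mailbox Operators" and the user "amy01" are assumptions.

```powershell
# Added example (not from the original post): steps a-e of section 1 in one
# script, with verification. Group name and user are assumptions.
$roleName  = "connect-mailbox test1"
$groupName = "Connect-Mailbox Operators"
$member    = "amy01"

# a. Clone Mail Recipients. A child role starts with every entry of its parent
#    and can never hold an entry the parent lacks, so all we can do is trim.
New-ManagementRole -Name $roleName -Parent "Mail Recipients" | Out-Null

# b. Drop everything except Connect-Mailbox. Name is the cmdlet name; -ne is
#    case-insensitive, so "connect-mailbox" would match as well.
Get-ManagementRoleEntry "$roleName\*" |
    Where-Object { $_.Name -ne "Connect-Mailbox" } |
    Remove-ManagementRoleEntry -Confirm:$false

# c. Verify that exactly one entry is left before handing the role to anyone.
$entries = @(Get-ManagementRoleEntry "$roleName\*")
if ($entries.Count -ne 1 -or $entries[0].Name -ne "Connect-Mailbox") {
    $names = ($entries | ForEach-Object { $_.Name }) -join ", "
    throw "Unexpected entries on '$roleName': $names"
}

# d./e. Create the role group with the role already assigned and the member
#       added, so no separate New-ManagementRoleAssignment or EAC step is needed.
New-RoleGroup -Name $groupName -Roles $roleName -Members $member | Out-Null

# Audit: confirm the member receives the role through the group. EffectiveUserName
# is the user's Name property, so the account name must match exactly.
Get-ManagementRoleAssignment -Role $roleName -GetEffectiveUsers |
    Where-Object { $_.EffectiveUserName -eq $member } |
    Format-Table Role, RoleAssigneeName, EffectiveUserName -AutoSize

# Which roles in the organisation grant Connect-Mailbox at all? Anyone in a
# role group that holds one of these (e.g. Recipient Management) already has it,
# so the custom role only matters for users who are not in those groups.
Get-ManagementRole -Cmdlet Connect-Mailbox | Format-Table Name -AutoSize
```

The last query is worth running before creating any custom role: if the user is already a member of a built-in role group such as Recipient Management, the trimmed role adds nothing and the real fix is to move the user out of the broader group.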
2. If you want to connect mailboxes via the EAC, you need more permissions, because the EAC has to list recipients, disconnected mailboxes and mailbox servers before it can run Connect-Mailbox:
the Get-User, Get-Recipient, Get-Mailbox and Get-MailboxStatistics role entries from the View-Only Recipients role; the Get-MailboxServer role entry from the View-Only Configuration role; and the Connect-Mailbox role entry from the Mail Recipients role. Here are the detailed steps to assign them.
a. Create a new management role named View-Only Recipients test.
New-ManagementRole -Name "View-Only Recipients test" -Parent "View-Only Recipients"
b. As in section 1, the new role inherits every role entry of the View-Only Recipients role, which is far more than the four cmdlets needed here.
c. Remove all entries except the Get-Mailbox role entry.
Get-ManagementRoleEntry "View-Only Recipients test\*" | Where {$_.name -ne "Get-Mailbox"} | Remove-ManagementRoleEntry
d. Add the Get-User, Get-Recipient and Get-MailboxStatistics role entries back to this role (they are copied from the parent role, including their parameters).
Add-ManagementRoleEntry "View-Only Recipients test\Get-User"
Add-ManagementRoleEntry "View-Only Recipients test\Get-Recipient"
Add-ManagementRoleEntry "View-Only Recipients test\Get-MailboxStatistics"
e. List the role entries of the View-Only Recipients test role to confirm that only these four remain.
f. Create a new management role named View-Only Configuration test.
New-ManagementRole -Name "View-Only Configuration test" -Parent "View-Only Configuration"
g. Remove all role entries except Get-MailboxServer from the role.
Get-ManagementRoleEntry "View-Only Configuration test\*" | Where {$_.name -ne "Get-MailboxServer"} | Remove-ManagementRoleEntry
h. Create a new role group named connect mailbox via EAC.
New-RoleGroup -Name "connect mailbox via EAC"
i. Assign the three custom roles above to this role group (through the EAC, or with New-ManagementRoleAssignment), and then add amy01 as a member of the connect mailbox via EAC role group.
j. Log on to the EAC as amy01 and connect the mailbox.
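The "clone a built-in role and trim it to a few cmdlets" pattern is used three times in section 2 (and once in section 1). As an added example that is not part of the original post, here it is generalised into one helper and then used to build the EAC-capable role group in one go. The role names, group name and user amy01 follow the post; the helper New-TrimmedManagementRole is an illustration, not an Exchange cmdlet.

```powershell
# Added example (not from the original post): one helper that clones a parent
# role and keeps only a whitelist of cmdlets, used for all three custom roles.
function New-TrimmedManagementRole {
    param(
        [Parameter(Mandatory = $true)] [string]   $Name,
        [Parameter(Mandatory = $true)] [string]   $Parent,
        [Parameter(Mandatory = $true)] [string[]] $KeepCmdlets
    )
    # A child role can only hold a subset of the parent's entries, so fail early
    # if a requested cmdlet is not in the parent instead of ending up with a
    # role that silently lacks it.
    $parentEntries = Get-ManagementRoleEntry "$Parent\*" | ForEach-Object { $_.Name }
    $missing = $KeepCmdlets | Where-Object { $parentEntries -notcontains $_ }
    if ($missing) { throw "Role '$Parent' has no entry for: $($missing -join ', ')" }

    New-ManagementRole -Name $Name -Parent $Parent | Out-Null

    # Keep only the whitelist. The surviving entries retain the parent's
    # parameter list, which is what the EAC pages need. -notcontains is
    # case-insensitive, matching the behaviour of the post's -ne filter.
    Get-ManagementRoleEntry "$Name\*" |
        Where-Object { $KeepCmdlets -notcontains $_.Name } |
        Remove-ManagementRoleEntry -Confirm:$false

    # Return the surviving entries so the caller can inspect them.
    Get-ManagementRoleEntry "$Name\*"
}

# The three roles from the post, with the entries each must keep.
$roleSpecs = @(
    @{ Name = "View-Only Recipients test";    Parent = "View-Only Recipients";
       KeepCmdlets = "Get-User", "Get-Recipient", "Get-Mailbox", "Get-MailboxStatistics" }
    @{ Name = "View-Only Configuration test"; Parent = "View-Only Configuration";
       KeepCmdlets = "Get-MailboxServer" }
    @{ Name = "connect-mailbox test1";        Parent = "Mail Recipients";
       KeepCmdlets = "Connect-Mailbox" }
)

$kept = foreach ($spec in $roleSpecs) { New-TrimmedManagementRole @spec }

# The union of the three roles is the whole permission set: six entries.
$kept | Select-Object Role, Name | Sort-Object Role, Name | Format-Table -AutoSize
if (@($kept).Count -ne 6) { throw "Expected 6 role entries, got $(@($kept).Count)" }

# One role group carrying all three roles, with amy01 as its only member
# (steps h and i in one cmdlet).
$roleNames = $roleSpecs | ForEach-Object { $_.Name }
New-RoleGroup -Name "connect mailbox via EAC" -Roles $roleNames -Members "amy01" | Out-Null

# Audit: everything amy01 can run through this group comes from these assignments.
Get-ManagementRoleAssignment -RoleAssignee "connect mailbox via EAC" |
    Format-Table Role, RoleAssigneeName, RoleAssignmentDelegationType -AutoSize
```

Keeping the whitelist in the call instead of the "remove all but one, then add three back" sequence makes the intended entry set visible in one place, which is what you want when someone later audits why a role group exists.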
References:
http://blogs.technet.com/b/agobbi/archive/2009/12/11/understanding-and-implementing-rbac.aspx