RBAC Roles for setting OOF for groups in Exchange 2010 sp2
Hello, I am running Exchange 2010 SP2 rollup 1. I have two CAS/HT boxes with a CAS array and two MBX servers set up on a DAG. I work for a school district. I am trying to set up a way for principals of schools to set the OOF of teachers when they are away. I would like to use RBAC but have never done so. I would like to run this by some of you and see what you think. I only want the principals to have the right to reset/set OOF.
1) Create Management Role - Principal Group (Group already exists in AD) so do I just re-assign it in Exchange?
2) Create Scope - This would be all teachers at a school (This group already exists in AD). Can I use it in AD if it's mail enabled?
3) Set permissions - What would be the permissions for only setting OOF on Exchange 2010 SP2? I know that there are a lot of built-in ones but can't seem to find anything related to only OOF.
Any help or comments would be greatly appreciated.
April 3rd, 2012 10:06am

When we run Get-ManagementRoleEntry "*\Set-MailboxAutoReplyConfiguration", you will find that an admin who is assigned the "Mail Recipients" & "User Options" roles can set OOF for end users. So a user or group which has the management roles Mail Recipients and User Options can set OOF for end users.
1. Create a custom role based on either role: Create a Role http://technet.microsoft.com/en-us/library/dd351214.aspx
2. Remove other unnecessary entries from the custom role: Remove a Role Entry from a Role http://technet.microsoft.com/en-us/library/dd297947.aspx
3. Assign the role to somebody: Add a Role to a User or USG http://technet.microsoft.com/en-us/library/dd351056.asp
While assigning a management role to a group or user you can define the scope based on custom filters or OU:
New-ManagementRoleAssignment -Role "Mail Recipient Creation" -SecurityGroup "SG name" -RecipientOrganizationalUnitScope "OU name"
Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
Hasnain Shaikh | My blogs: http://messagingserversupport.com
April 3rd, 2012 11:20am

Hello Hasnain, Thanks for the quick reply. I think I understand and will try it out. The only problem I have is that in your STEP 3, you have a dead link. So my question is, can you set the scope to a mail-enabled USG rather than an OU? Thanks.
April 3rd, 2012 11:36am

For that you will have to create a management scope with custom filters.
Hasnain Shaikh | My blogs: http://messagingserversupport.com
April 3rd, 2012 2:44pm

Perfect. I will give this a shot with one of my custom attributes. Thanks for the help.
April 3rd, 2012 2:49pm

Actually one more question.
Create the custom role - Principals School A
Give that role Set-MailboxAutoReplyConfiguration
Give the scope of custom attribute of X (school/teachers)
So it would look like this?
New-ManagementRoleAssignment -Role "Principals School A" -CustomAttribute1 SchoolA
And repeat for each school. Does that make sense?
April 3rd, 2012 3:00pm

Run the command to create a copy of the management role: New-ManagementRole http://technet.microsoft.com/en-us/library/dd298073.aspx
Remove role entries - http://technet.microsoft.com/en-us/library/dd297947.aspx#RemoveMultipleEntriesFromRole
Remove-ManagementRoleEntry <management role>\<management role entry>
Create custom scope - http://technet.microsoft.com/en-us/library/dd351083.aspx
New-ManagementScope -Name <scope name> -RecipientRestrictionFilter <filter query> [-RecipientRoot <OU>]
Now run the command - http://technet.microsoft.com/en-us/library/dd335193.aspx
New-ManagementRoleAssignment -Name "Distribution Groups_North America Exec Assistants" -Role "Distribution Groups" -SecurityGroup "North America Exec Assistants" -CustomRecipientWriteScope "North America Recipients"
Change names as per your scenario.
Hasnain Shaikh | My blogs: http://messagingserversupport.com
April 3rd, 2012 4:00pm
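
The four steps from the post above, put together for the per-school custom-attribute case discussed in the thread. This is an added example, not code from any poster: the role name "OOF Only", the groups "Principals SchoolA"/"Principals SchoolB", the scope names and the CustomAttribute1 values are assumptions. It uses a single stripped-down role shared by all schools and varies only the write scope, which is a generalization of the one-role-per-school idea above.

```powershell
# Run in the Exchange Management Shell. All names below are hypothetical.
$schools = @("SchoolA", "SchoolB")   # constructed sample CustomAttribute1 values
$role    = "OOF Only"

# Entries to keep. Everything else inherited from the parent role is removed,
# so the principals cannot run any other recipient cmdlet.
$keep = @("Set-MailboxAutoReplyConfiguration",
          "Get-MailboxAutoReplyConfiguration")

# 1. Copy the built-in role that contains Set-MailboxAutoReplyConfiguration.
New-ManagementRole -Name $role -Parent "Mail Recipients"

# 2. Strip the copy down to the auto-reply cmdlets only.
Get-ManagementRoleEntry "$role\*" |
    Where-Object { $keep -notcontains $_.Name } |
    Remove-ManagementRoleEntry -Confirm:$false

foreach ($school in $schools) {
    $scope = "Teachers $school"

    # 3. Write scope: only recipients tagged with this school.
    #    The filter is passed as a string so $school is expanded locally.
    New-ManagementScope -Name $scope `
        -RecipientRestrictionFilter "CustomAttribute1 -eq '$school'"

    # 4. Bind role + scope to that school's universal security group.
    New-ManagementRoleAssignment -Name "$role - $school" -Role $role `
        -SecurityGroup "Principals $school" `
        -CustomRecipientWriteScope $scope
}

# Verification: the role should list only the entries in $keep ...
Get-ManagementRoleEntry "$role\*" | Format-Table Name, Role -AutoSize

# ... each assignment should show its group and its write scope ...
Get-ManagementRoleAssignment -Role $role |
    Format-Table Name, RoleAssigneeName, CustomRecipientWriteScope -AutoSize

# ... and each filter should match only the intended mailboxes.
foreach ($school in $schools) {
    Get-Mailbox -Filter "CustomAttribute1 -eq '$school'" -ResultSize Unlimited |
        Format-Table Name, CustomAttribute1 -AutoSize
}
```

Review the output of the last loop before handing the group to the principals: any mailbox that carries the attribute value by mistake falls inside the write scope.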

Thanks for the help! Much appreciated!
April 9th, 2012 8:50am

This topic is archived. No further replies will be accepted.
