Separate Organization Exchange 2010 SP1 Administration
I have an Exchange 2010 SP1 forest with 4 AD sites. Each site is located in a different part of the world with the main headquarters here in America. Each site has a DC/GC and a single box with the CAS/Hub/Mbx roles and services the local users in that site. I want to separate Exchange administrative duties for each site so that the Exchange administrators located in that site can only fully administer that site and no others. How could I do that?
Doug Swanek
April 21st, 2011 5:27pm
RBAC will allow you to control what the users can and cannot manage.
You will need to configure custom scopes for both users and servers.
This is the top of the tree for the RBAC section.
http://technet.microsoft.com/en-us/library/dd298183.aspx
Simon.
Simon Butler, Exchange MVP
April 21st, 2011 6:31pm
Hi Doug,
Simon is right, you can use RBAC to achieve the goal.
Some related documents for you:
Managing Administrator and Specialist Users
http://technet.microsoft.com/en-us/library/dd335101.aspx
Create a Role Group
http://technet.microsoft.com/en-us/library/dd638209.aspx
Add a Role to a Role Group
http://technet.microsoft.com/en-us/library/dd638202.aspx
Thanks,
Evan Liu
TechNet Subscriber Support
April 22nd, 2011 3:20am
Thanks for verifying this is possible. I assumed that RBAC was the answer, but was not sure. So the key then would be to use a built-in Role Group, such as the Organization Admins, then add the required users for each site and assign custom scopes for each site? Or would I create a custom Management Role for each site, add the respective Exchange admins for each site and assign each custom Management Role a custom scope? This confuses me just a bit because of the Organization Admins role having the ability to control the entire forest's Exchange environment. Every example I've seen doesn't apply an Org. Admin role to specific sites; it's always referring to this role as an all-encompassing, entire-forest privilege. If you have all required Exchange admins in the Org. Admins built-in group, can you then assign custom scopes, or would you need to separate each site with custom Management Roles within the Org. Admins group and then apply custom scopes? Forgive me for not quite understanding this process. Would the below example work?
Built-in Organization Admins Group
Custom Management Role 1: Site A add required users, create custom scope to restrict all administration except for Site A
Custom Management Role 2: Site B " "
Custom Management Role 3: Site C " "
Custom Management Role 4: Site D " "
Doug Swanek
April 22nd, 2011 6:45am
Thanks Evan, I've read the above articles several times; however, my brain is melting. My confusion with RBAC lies in the use of the Org. Admins group vs. creating a custom Management Role. Does a Management Role need to be placed in a Group? If so, wouldn't the entire group inherit all permissions regardless of the individual scopes? If a custom Management Role doesn't need to be assigned to a management group, then assigning individual management scopes to each individual management role seems to make sense. Could you please clarify?
Doug Swanek
April 22nd, 2011 6:57am
Another question. If Exchange administration is localized to individual sites only, would this go against Microsoft's best practices for organization administration? Does this present an unnecessary amount of administrative overhead when attempting to identify cross-site issues?
Doug Swanek
April 22nd, 2011 7:13am
Hi dswanek,
I would first create the Management Scopes for each site; this will let the admins manage all servers in the specified Active Directory site.
New-ManagementScope -Name "Server_Management-Site1_Scope" -ServerRestrictionFilter {ServerSite -eq "CN=Site1,CN=Sites,CN=Configuration,DC=contoso,DC=com"}
New-ManagementScope -Name "Server_Management-Site2_Scope" -ServerRestrictionFilter {ServerSite -eq "CN=Site2,CN=Sites,CN=Configuration,DC=contoso,DC=com"}
New-ManagementScope -Name "Server_Management-Site3_Scope" -ServerRestrictionFilter {ServerSite -eq "CN=Site3,CN=Sites,CN=Configuration,DC=contoso,DC=com"}
New-ManagementScope -Name "Server_Management-Site4_Scope" -ServerRestrictionFilter {ServerSite -eq "CN=Site4,CN=Sites,CN=Configuration,DC=contoso,DC=com"}
http://technet.microsoft.com/en-us/library/dd335137.aspx
Second, create a new Role Group for each site and add ManagementRoles; for this example I added all ManagementRoles from the default "Server Management" RoleGroup.
New-RoleGroup "Server_Management-Site1_RoleGroup" -Roles "Database Copies","Databases","Exchange Connectors","Exchange Server Certificates","Exchange Servers","Exchange Virtual Directories","Monitoring","POP3 And IMAP4 Protocols","Receive Connectors","Transport Queues" -Members "admin1" -ManagedBy "your_admin_account" -CustomConfigWriteScope "Server_Management-Site1_Scope"
New-RoleGroup "Server_Management-Site2_RoleGroup" -Roles "Database Copies","Databases","Exchange Connectors","Exchange Server Certificates","Exchange Servers","Exchange Virtual Directories","Monitoring","POP3 And IMAP4 Protocols","Receive Connectors","Transport Queues" -Members "admin2" -ManagedBy "your_admin_account" -CustomConfigWriteScope "Server_Management-Site2_Scope"
New-RoleGroup "Server_Management-Site3_RoleGroup" -Roles "Database Copies","Databases","Exchange Connectors","Exchange Server Certificates","Exchange Servers","Exchange Virtual Directories","Monitoring","POP3 And IMAP4 Protocols","Receive Connectors","Transport Queues" -Members "admin3" -ManagedBy "your_admin_account" -CustomConfigWriteScope "Server_Management-Site3_Scope"
New-RoleGroup "Server_Management-Site4_RoleGroup" -Roles "Database Copies","Databases","Exchange Connectors","Exchange Server Certificates","Exchange Servers","Exchange Virtual Directories","Monitoring","POP3 And IMAP4 Protocols","Receive Connectors","Transport Queues" -Members "admin4" -ManagedBy "your_admin_account" -CustomConfigWriteScope "Server_Management-Site4_Scope"
http://technet.microsoft.com/en-us/library/dd638181.aspx
You also need to create a Role Group for Recipients, but it's easily done from the ECP in OWA. Don't forget to change the write scope to an OU where you want the admins to manage the users in the Recipients Role Group.
Do not add the admins to the "Organization Management" Role Group; this will give them full permissions to all Exchange servers in the Organization.
Adam Bokiniec
April 22nd, 2011 7:57am
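The procedure in Adam's post, generalized into one script, as an added example that is not part of the thread: it loops over the sites, creates the server scope and a recipient scope rooted on an OU for each, builds the server-management and recipient-management role groups, and then runs the two checks a reviewer would want afterwards (every assignment carries a custom write scope, and no site admin sits in Organization Management). The domain DN, site names, OU paths, admin accounts and the delegating account are assumed placeholders; the role names are the ones from Adam's post plus the recipient roles of the default "Recipient Management" role group.

```powershell
# Added example (not from the thread). Run from the Exchange Management Shell.
# Assumed placeholders: contoso.com, Site1..Site4, OU=SiteN, admin1..admin4.
$Domain   = "DC=contoso,DC=com"
$ConfigDN = "CN=Configuration,$Domain"
$Owner    = "your_admin_account"          # assumed: account that owns the role groups

# Roles copied from the default "Server Management" role group (as in Adam's post).
$ServerRoles = "Database Copies","Databases","Exchange Connectors",
               "Exchange Server Certificates","Exchange Servers",
               "Exchange Virtual Directories","Monitoring",
               "POP3 And IMAP4 Protocols","Receive Connectors","Transport Queues"
# A minimal recipient set; extend from the default "Recipient Management" group as needed.
$RecipientRoles = "Mail Recipients","Mail Recipient Creation","Distribution Groups"

# Assumed: each site's mailbox users live under one OU named after the site.
$Sites = @(
    @{ Name = "Site1"; Admin = "admin1"; OU = "OU=Site1,$Domain" },
    @{ Name = "Site2"; Admin = "admin2"; OU = "OU=Site2,$Domain" },
    @{ Name = "Site3"; Admin = "admin3"; OU = "OU=Site3,$Domain" },
    @{ Name = "Site4"; Admin = "admin4"; OU = "OU=Site4,$Domain" }
)

foreach ($s in $Sites) {
    $siteDN      = "CN=$($s.Name),CN=Sites,$ConfigDN"
    $serverScope = "Server_Management-$($s.Name)_Scope"
    $userScope   = "Recipient_Management-$($s.Name)_Scope"

    # Configuration write scope: only servers whose ServerSite is this AD site.
    # The filter is passed as a string so the variable expands before Exchange parses it.
    if (-not (Get-ManagementScope $serverScope -ErrorAction SilentlyContinue)) {
        New-ManagementScope -Name $serverScope `
            -ServerRestrictionFilter "ServerSite -eq '$siteDN'"
    }
    # Recipient write scope: mailboxes under the site's OU only.
    if (-not (Get-ManagementScope $userScope -ErrorAction SilentlyContinue)) {
        New-ManagementScope -Name $userScope -RecipientRoot $s.OU `
            -RecipientRestrictionFilter "RecipientType -eq 'UserMailbox'"
    }

    # One role group per concern per site; the custom write scope is applied to
    # every role assignment the group receives.
    New-RoleGroup -Name "Server_Management-$($s.Name)_RoleGroup" -Roles $ServerRoles `
        -Members $s.Admin -ManagedBy $Owner -CustomConfigWriteScope $serverScope
    New-RoleGroup -Name "Recipient_Management-$($s.Name)_RoleGroup" -Roles $RecipientRoles `
        -Members $s.Admin -ManagedBy $Owner -CustomRecipientWriteScope $userScope
}

# Check 1: every assignment on a site role group must carry a custom write scope.
# An assignment without one falls back to the role's implicit (organization-wide) write scope.
function Test-SiteRoleGroupScoped {
    param([string]$RoleGroup)
    $unscoped = Get-ManagementRoleAssignment -RoleAssignee $RoleGroup |
        Where-Object { -not $_.CustomConfigWriteScope -and -not $_.CustomRecipientWriteScope }
    foreach ($a in $unscoped) {
        Write-Warning "$RoleGroup : role '$($a.Role)' has no custom write scope"
    }
    return ($unscoped.Count -eq 0)
}

# Check 2: no site admin may also be in Organization Management (Adam's last point).
# Assumes the Admin placeholder matches the member's Name property.
$orgMembers = Get-RoleGroupMember "Organization Management" | Select-Object -ExpandProperty Name
foreach ($s in $Sites) {
    foreach ($kind in "Server_Management","Recipient_Management") {
        Test-SiteRoleGroupScoped "$kind-$($s.Name)_RoleGroup" | Out-Null
    }
    if ($orgMembers -contains $s.Admin) {
        Write-Warning "$($s.Admin) is a member of Organization Management; remove before delegating"
    }
}
```

Two things worth keeping in mind when reading the checks. A custom write scope limits what the role group can change, not what it can see: the roles' implicit read scope still lets a site admin list servers and recipients in the other sites, which is usually what you want for troubleshooting the cross-site issues asked about above. And the scopes are regular (not exclusive), so an account that also holds an unscoped assignment, for example through Organization Management, is not held back by them; that is why the second check exists.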
Thank you Adam. I appreciate your expertise in this area. This is a HUGE HELP, thanks again.
Doug Swanek
April 22nd, 2011 9:24am