Handing out only Send-as permissions with Exchange 2010 RBAC

On a project I am currently working on, the management of mail recipients was handed over from the build/migrate team, to the administrators after the mail was migrated from the old mail system to Exchange 2010

We had to restrict the administrators temporarily from other settings, like server and organization settings, even some small restriction on the normal Mail recipient management (setting and adjusting mailbox quota’s). Not to be annoying, but to keep responsibilities clear.

When working with Exchange 2010 granular administration right are very much possible thanks to Role Based Access Control. For our purposes we mostly needed the permissions from an already existing management role “Mail Recipients”. This became the parent role for our custom role, in which some parameters were deleted. See here (first making the new role, second removing unwanted parameters from the set-mailbox cmdlet):

New-ManagementRole -Name "Mail Recipients No Quota" -Parent "Mail Recipients"

Set-ManagementRoleEntry -identity "Mail Recipients No Quota\Set-Mailbox" -Parameters IssueWarningQuota, ProhibitSendQuota, ProhibitSendReceiveQuota, UseDatabaseQuotaDefaults -RemoveParameter

Unfortunately, it became apparent that the “Mail Recipients” role does not provide the “Send-as” permission but it does “Send-On-Behalf” which is provided by the Set-Mailbox cmdlet. The “Send-as” permission is handled by the Add-ADPermission cmdlet which isn’t present in the parent role.

Adding a cmdlet to a custom role which is derived from a parent, is not possible:

Add-ManagementRoleEntry "Mail Recipients No Quota\Add-ADPermissions"

The "Add-ADPermissions" management role entry wasn’t found on the "Mail Recipients" management role. Make sure you typed it correctly, and try again
    + CategoryInfo          : NotSpecified: (0:Int32) [Add-ManagementRoleEntry], ManagementObjectNotFoundException
    + FullyQualifiedErrorId : EC9C100E,Microsoft.Exchange.Management.RbacTasks.AddManagementRoleEntry

You can only restrict from the parent role, not enhance permissions.

The next step I took was to create a custom Management role without a parent. This should be possible using New-ManagemenrRole with the –UnsScopedTopLevel. I tried this, but this happens:

New-ManagementRole -Name "Send-As Permission" –UnScopedTopLevel


A positional parameter cannot be found that accepts argument ‘-UnScopedTopLevel’.
    + CategoryInfo          : InvalidArgument: (:) [New-ManagementRole], ParameterBindingException
    + FullyQualifiedErrorId : PositionalParameterNotFound,New-ManagementRole

 

Which is weird as the article claims this should work, but even the example doesn’t work (not shown). The article is claiming to be valid for Exchange 2010 SP1 which my servers where… I left a note, perhaps Microsoft will clear this up.

I have resolved it by looking for a parent role which has the Add-ADPermission cmdlet in it. This is management role “Active Directory Permissions”. You can look which cmdlets (just the name) are in this role with Get-ManagementRoleEntry:

Get-ManagementRoleEntry "Active Directory Permissions\*"|ft Name

Name
—-
Write-AdminAuditLog
Remove-ADPermission
Get-User
Get-SecurityPrincipal
Get-RoleGroup
Get-Group
Get-DomainController
Get-ADPermission
Add-ADPermission

Most of these are not necessary, I only need Remove-ADPermission, Get-ADPermission and offcourse Add-ADPermission. You can delete the unwanted ones with Remove-ManagementRoleEntry after the custom management role has been made with a parent role:

New-ManagementRole "Mail Recipient AD Permissions" -Parent "Active Directory Permissions"

Remove-ManagementRoleEntry "Mail Recipient AD Permissions\Write-AdminAuditLog" -Confirm:$false
Remove-ManagementRoleEntry "Mail Recipient AD Permissions\Get-User" -Confirm:$false
Remove-ManagementRoleEntry "Mail Recipient AD Permissions\Get-SecurityPrincipal" -Confirm:$false
Remove-ManagementRoleEntry "Mail Recipient AD Permissions\Get-RoleGroup" -Confirm:$false
Remove-ManagementRoleEntry "Mail Recipient AD Permissions\Get-Group" -Confirm:$false
Remove-ManagementRoleEntry "Mail Recipient AD Permissions\Get-DomainController" -Confirm:$false

After these modifications I’ve added the Management role to the correct Management Role Group, added the correct security group as member and made the administrators member of this security group.

Now note that the ADPermissions are able to do more than just recipient management (AD permissions on receive connectors for instance). But in my specific case the administrators do not have any domain administrator rights or other permissions and is in this case safe to hand over those permissions.

Leave a Reply

Your email address will not be published. Required fields are marked *