Tool Tip: RBAC Manager R2 for Exchange

RBAC (source: Microsoft) Reading Time: 2 minutes

This week I had a session at a customer to customize the default RBAC roles, for instance removing the mobile device remote wipe feature from Recipient Management.

Customizing RBAC roles is in most cases not something that is a frequent task, so it can take a while to familiarize and re-familiarize with the concept and all cmdlets. But if your organization does not fit in the default roles, you will have to dig into it.

However, I came across a tool that would make customizing a lot easier. It's the RBAC Manager R2 for Exchange. It's currently posted on Codeplex, including the source code (it's in C#). It states that it works with Exchange 2010, Exchange 2013 preview and Office 365. The last update was from September 2011, however I've found no issues working with Exchange 2013 CU5. Install it on a domain joined computer with .Net 3.5 and just enter a server FQDN and credentials and it works (in my case).

In the overview all Management Roles are presented, including any custom Role groups. Those with a parent are shown in an hierarchy. Selecting a Role Group, shows every Role Assignment, including scopes. Selecting a Management Role shows all inlcuded cmdlet. Tip: Under View>Show Parameter you can enable all parameters that are included in the Management Role. A lot easier than the PowerShell route I've previously blogged about here.


Overview of RBAC Manager R2, showing Management Roles, Role Assignments, included cmdlets and their paramters.

Another helpful feature is the ability to search for specific cmdlets, the tool then shows every Role Group with Management Roles that include that specific cmdlet. Very handy if you need to know which Role Groups provides a certain permission. This makes the tool valuable even if you do not require RBAC customization.

You can remove Management Roles from Role Groups, cmdlets from Management Roles but you can also remove specific parameters (after enabling the view of parameters). Create new Management Roles from a parent Role. I could do everything I needed to do without using the Exchange Management Shell. And the best part? It logs the actual Exchange PowerShell commands in a text log file for reference and documentation. Nice!

It's not a quick tool but this is just a minor irritation. It helps to provide an overview of the RBAC implementation and allows for quick editing and management of Exchange RBAC. For those that do not frequently work with RBAC and know all cmdlets and procedures by heart, this is a great addition in your tool set. I would love to see this kind of functionality added in EAC BTW.

One comment

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.