Role Based Access Control in Exchange 2013

Posted: September 1, 2015 in Exchange

Role Based Access Control (RBAC) was first introduced in Exchange 2010 as a way to give an Exchange administrator granular control over Exchange Server, in other words, over what privileges an administrator has. RBAC consists of four "modules" which, combined together, form a permission model that defines the level of access to Exchange features:

Management role scope: "Where" something applies (OU, user, group)

Management role: "What" actions (cmdlets, expressed via management role entries) we want to allow a user to run

Management role group: "Who" can execute the cmdlets (PowerShell commands) specified in the management role entries

Management role assignment: binds users to the actions that we want to assign to them

In this example I'll remove an administrator's right to create a new mailbox database.

First, we need to identify the existing management role that contains the New-MailboxDatabase cmdlet:

[PS] C:\Users\administrator.JA\Desktop>get-managementrole "databases" | fl description

To make sure, review the PowerShell commands covered by the "Databases" management role:

[PS] C:\Users\administrator.JA\Desktop>get-managementroleentry "databases\*" | fl

In case you wonder why I used "databases\*" rather than "databases*": a management role entry is identified as role\cmdlet, so the "\*" wildcard matches every cmdlet entry in the "Databases" role.

We will use the "Databases" role as the base for our own management role, named "prohibit database creation" ("What" cmdlets are allowed to run):

[PS] C:\Users\administrator.JA\Desktop>New-ManagementRole "prohibit database creation" -Parent "databases"

To make sure it contains the needed PowerShell commands:

Because we want to take away the New-MailboxDatabase cmdlet, we need to remove it from our newly created role:

[PS] C:\Users\administrator.JA\Desktop>remove-ManagementRoleEntry "prohibit database creation\new-mailboxdatabase" -Confirm:$false

Check again to see that New-MailboxDatabase was removed from the "prohibit database creation" management role:

[PS] C:\Users\administrator.JA\Desktop>Get-ManagementRoleEntry "prohibit database creation\*" | ft

I created an OU for the admins who will have cmdlets assigned from the "prohibit database creation" role, created an administrator named test and put him in that OU:

C:\Documents and Settings\Administrator>dsadd ou ou="fake exchange admins",dc=ja,dc=com

Now we need to create a role group ("Who" can perform the cmdlets specified in the "prohibit database creation" management role) and specify where it applies (the OU "fake exchange admins"):

[PS] C:\Users\administrator.JA\Desktop>new-rolegroup "no database creation allowed" -Roles "prohibit database creation" -RecipientOrganizationalUnitScope "fake exchange admins"
[PS] C:\Users\administrator.JA\Desktop>add-rolegroupmember "no database creation allowed" -member test

A new role group "no database creation allowed" was created and assigned our management role, and the role group is bound to the OU "fake exchange admins".

The role group can also be created using the ECP:

Permissions > Admin roles, then the "+" sign:

Now I logged in as admin test and tried to run the New-MailboxDatabase cmdlet:
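Because RBAC permissions are cumulative, removing the entry from one custom role only helps if no other assignment still grants the cmdlet. The following function is an added example (not part of the original post) that reports every enabled role assignment through which a user can reach a given cmdlet; it assumes an Exchange Management Shell session on Exchange 2013 and matches the user by the Name property that Get-ManagementRoleAssignment exposes as EffectiveUserName.

```powershell
# Added example, not from the original post. Run in the Exchange Management Shell.
function Get-EffectiveCmdletAccess {
    param(
        [Parameter(Mandatory = $true)] [string] $User,    # e.g. "test" (the user's Name)
        [Parameter(Mandatory = $true)] [string] $Cmdlet   # e.g. "New-MailboxDatabase"
    )

    # -GetEffectiveUsers expands role groups and USGs to their members, so an
    # assignment the user inherits through any role group (not only ours) shows up
    # with EffectiveUserName. Delegating assignments only manage RBAC itself and
    # do not let the assignee run the cmdlet, so they are excluded.
    $assignments = Get-ManagementRoleAssignment -GetEffectiveUsers -Enabled $true -Delegating $false |
        Where-Object { $_.EffectiveUserName -eq $User }

    foreach ($a in $assignments) {
        # Role entries are addressed as "<role>\<cmdlet>". If the role has no such
        # entry the cmdlet throws; we treat that as "this role does not grant it".
        $entry = Get-ManagementRoleEntry "$($a.Role)\$Cmdlet" -ErrorAction SilentlyContinue

        [pscustomobject]@{
            Role           = $a.Role
            AssignedVia    = $a.RoleAssignee          # role group, USG or direct user
            RecipientScope = $a.RecipientWriteScope   # OU / filter scopes apply here
            ConfigScope    = $a.ConfigWriteScope      # bounds server/database cmdlets
            GrantsCmdlet   = [bool]$entry
            Parameters     = if ($entry) { $entry.Parameters -join ', ' } else { '' }
        }
    }
}

# Run this before and after the Remove-ManagementRoleEntry step: every row with
# GrantsCmdlet = True is a path through which "test" can still create databases.
Get-EffectiveCmdletAccess -User 'test' -Cmdlet 'New-MailboxDatabase' |
    Format-Table Role, AssignedVia, RecipientScope, ConfigScope, GrantsCmdlet -AutoSize
```

Since New-MailboxDatabase acts on configuration objects, it is the ConfigScope column, not the OU-based RecipientScope set with -RecipientOrganizationalUnitScope, that would bound it; removing the role entry is what actually blocks the cmdlet.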
