Thursday, August 5, 2010

Assign rights to helpdesk to give SendAs permissions

There are multiple ways to assign Recipient Administration permissions to the helpdesk users. Some of them are:

1. Add them to the "Recipient Management" RoleGroup directly using Exchange Shell. This will assign them the two important Roles "Mail Recipients" and "Mail Recipient Creation".
2. Add them to "Recipient Management" Active Directory Group. This group is already added to the "Recipient Management" RoleGroup.
3. If you have a mixed environment (2007/2010) then the old "Exchange Recipient Administrators" group is already a member of "Recipient Management" group.

However, the catch is that they still will not be able to grant users SendAs permissions on shared mailboxes.

The cmdlet required to grant SendAs permissions is Add-ADPermission. This cmdlet is available in the "Active Directory Permissions" Role. Do not worry, because this role contains only the cmdlets below:

Remove-ADPermission
Get-User
Get-SecurityPrincipal
Get-RoleGroup
Get-Group
Get-DomainController
Get-ADPermission
Add-ADPermission

As you can see, all of them are Get cmdlets apart from Remove-ADPermission and Add-ADPermission, so it is safe to add the helpdesk to this Management Role. Furthermore, the switches that can be used with the Add and Remove AD Permission cmdlets are also restricted.

Now you have identified the RoleGroup and the Role to be assigned to the helpdesk to enable them to give SendAs permissions as well. Once you have done this, you need to assign the Role to the RoleGroup. We will choose the built-in Role Group "Mail Recipients". I have chosen this RoleGroup because it already contains most of the Roles required by the helpdesk to perform Mail User management.

To assign a Role to a Role Group, we use the New-ManagementRoleAssignment cmdlet. Here is the syntax in this case:

New-ManagementRoleAssignment -Name "Active Directory Permissions-Recipient Management" -SecurityGroup "Recipient Management" -Role "Active Directory Permissions"

The name used above follows the standard naming convention for management Role Assignments.

Once you have done the above, the Recipient Management Role Group will have the following Roles assigned:

Distribution Groups
Mail Enabled Public Folders
Mail Recipient Creation
Mail Recipients
Message Tracking
Migration
Move Mailboxes
Recipient Policies
Active Directory Permissions

The last Role has been assigned by the New-ManagementRoleAssignment cmdlet above. This will enable the helpdesk to do the complete management of the recipients including granting SendAs permissions.
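To check the result, the following added example (not part of the original post) reviews what the role exposes, lists who now holds it, grants SendAs and reads the grant back. The mailbox "Shared-Sales" and the user "CONTOSO\jdoe" are constructed placeholder names.

```powershell
# Added example; run in the Exchange Management Shell.
# "Shared-Sales" and "CONTOSO\jdoe" are constructed placeholders.

# 1. Review what the role exposes before delegating it: each cmdlet
#    and the parameters role holders are allowed to use with it.
Get-ManagementRoleEntry "Active Directory Permissions\*" |
    Format-List Name, Parameters

# 2. List every assignment of the role and the users who effectively
#    hold it, so you can see exactly who can run Add-ADPermission.
Get-ManagementRoleAssignment -Role "Active Directory Permissions" -GetEffectiveUsers |
    Format-Table Name, RoleAssigneeName, EffectiveUserName -AutoSize

# 3. As a member of the role group, grant SendAs on a shared mailbox.
Get-Mailbox "Shared-Sales" |
    Add-ADPermission -User "CONTOSO\jdoe" -ExtendedRights "Send As"

# 4. Read back the explicit (non-inherited) Send-As grants on the
#    mailbox to confirm the change and to spot unexpected entries.
Get-Mailbox "Shared-Sales" |
    Get-ADPermission |
    Where-Object { ($_.ExtendedRights -like "*Send-As*") -and (-not $_.IsInherited) } |
    Format-Table User, ExtendedRights, Deny -AutoSize
```

Rerunning steps 2 and 4 periodically gives a simple audit of who holds the role and which SendAs grants they have made.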

Tags: Exchange Server, Power Shell
Published Date: 20100805
