IT tutorials
 
Applications Server
 

Microsoft Exchange Server 2013 : Role assignment (part 3) - Database scoping, Special roles

3/21/2014 9:41:09 PM
- Windows 10 Product Activation Keys Free 2019
- How to active Windows 8 without product key
- Malwarebytes Premium 3.7.1 Serial Keys (LifeTime) 2019

4. Database scoping

To create a database scope, define a new management scope based on a database list or a database filter. A database list contains the names of specific databases separated by commas and is an appropriate scope when you need to assign management responsibility to a fixed set of databases that you don’t think will change often. For example, this command creates a database scope that is limited to two named databases:

New-ManagementScope –Name 'CEO Databases' –DatabaseList 'CEO-Database1, CEO-StaffDatabase'

A database filter establishes a condition that Exchange can use to identify a set of databases. This is the most appropriate choice when you want a scope that is flexible enough to accommodate a changing set of databases, assuming that you can create a filter that identifies the databases. This example creates a filter that selects databases with a name that matches a prefix of DUB-:

New-ManagementScope –Name 'Dublin Databases' –DatabaseRestrictionFilter {Name –Like 'DUB-*'}

Inside Out Using database names to create filters

Names are likely to be the basis for most database filters, but you can create filters based on other properties, including the database description. Filters that are not based on the database name (for example, those that use properties such as the database description or distinguished name) require a certain discipline in maintaining those properties; else, the scope is unlikely to locate the desired databases. See the “Understanding Management Role Scope Filters” section in the Exchange Help file for a full list of the supported properties that can be included in database filters.

When you create a database scope, you permit access to the cmdlets that manipulate databases, such as Set-MailboxDatabaseCopy. However, you have to be careful not to overlap server scopes because some operations are permitted by either a database or a server scope, and some depend on a specific scope. For example, a database scope controls the ability to create a new mailbox with the New-Mailbox cmdlet or to move a mailbox with New-MoveRequest if the target database falls under its scope. This is logical because a server scope cannot apply in this case—databases are not tied to servers.

5. Special roles

The list of roles included in the Organization Management role group includes the following five special roles that have to be delegated before they can be used:

  • Application Impersonation. This is a special-purpose role intended primarily for use by Service Accounts that need to take on the persona of a user to accomplish a task. Because the impersonate role allows access to the data held inside user mailboxes, its use has to be carefully controlled.

  • Mailbox Import Export. This role allows a user to import data into or export data from a mailbox. This is another role whose allocation needs to be controlled on an as-needed basis.

  • Mailbox Search. This role allows a user to search mailbox contents. The role is assigned to the Discovery Management role group, but the role group has no default members and needs to be populated before searches can be performed.

  • Support Diagnostics. This role allows access to diagnostics cmdlets such as Test-ReplicationHealth that are intended for use by Microsoft or other support personnel to retrieve diagnostic information from an Exchange server or organization. The role is not assigned to any user by default.

  • Unscoped Role Management. This role permits unscoped roles to be created and managed. Unscoped roles authorize access to custom scripts and cmdlets. The role is not assigned to any user by default, but it can be delegated to users by holders of the Organization Management role.

These are called delegated role assignments. The members of the Organization Management role group have the right to delegate the roles to users, but they do not have the right to use the role themselves unless they delegate the role to themselves.

The inclusion of the Mailbox Import Export role in this list might be surprising, but it is entirely justified if you consider that you probably want to control the ability to import or export mailbox data on an as-needed basis. No one wants to run the risk that a user might be inadvertently given the ability to export mailbox data belonging to another user. When this access is required, you can assign it to a user who needs the role as follows:

New-ManagementRoleAssignment –Role 'Mailbox Import Export' –User 'Darren.Parker@contoso.com'

It might be more convenient to assign the role to a distribution group because it is often easier to maintain membership of a group than to perform individual role assignments. The group has to be a USG rather than a universal distribution group or a dynamic distribution group.

New-ManagementRoleAssignment –Role 'Mailbox Import Export' –SecurityGroup 'Mailbox Import-Export Team'

After the role is assigned, assignees can use the Export and Import mailbox options in EAC and the underlying New-MailboxImportRequest and New-MailboxExportRequest cmdlets in EMS. Users must restart EAC/EMS after they have been assigned the role to force a refresh of the RBAC data and allow the new assignment to become effective.

 
Others
 
- Microsoft Exchange Server 2013 : Role assignment (part 2) - Creating roles for specific tasks, Specific scopes for role groups
- Microsoft Exchange Server 2013 : Role assignment (part 1) - Using role assignment policy to limit access
- Microsoft Exchange Server 2013 : Role group management
- Configuring Active Directory Server Roles : Administering Active Directory - Creating OUs
- Configuring Active Directory Server Roles : Administering Active Directory - Planning the OU Structure (part 2) - Delegating Administrative Control
- Configuring Active Directory Server Roles : Administering Active Directory - Planning the OU Structure (part 1) - Logical Grouping of Resources
- Configuring Active Directory Server Roles : Administering Active Directory - An Overview of OUs
- Configuring Active Directory Server Roles : Active Directory Rights Management Services
- Microsoft Lync Server 2013 : Mediation Server Troubleshooting (part 2) - Synthetic Transactions, Telnet
- Microsoft Lync Server 2013 : Mediation Server Troubleshooting (part 1)
 
 
Top 10
 
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Finding containers and lists in Visio (part 2) - Wireframes,Legends
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Finding containers and lists in Visio (part 1) - Swimlanes
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Formatting and sizing lists
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Adding shapes to lists
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Sizing containers
- Microsoft Access 2010 : Control Properties and Why to Use Them (part 3) - The Other Properties of a Control
- Microsoft Access 2010 : Control Properties and Why to Use Them (part 2) - The Data Properties of a Control
- Microsoft Access 2010 : Control Properties and Why to Use Them (part 1) - The Format Properties of a Control
- Microsoft Access 2010 : Form Properties and Why Should You Use Them - Working with the Properties Window
- Microsoft Visio 2013 : Using the Organization Chart Wizard with new data
programming4us programming4us
 
Popular tags
 
Video Tutorail Microsoft Access Microsoft Excel Microsoft OneNote Microsoft PowerPoint Microsoft Project Microsoft Visio Microsoft Word Active Directory Biztalk Exchange Server Microsoft LynC Server Microsoft Dynamic Sharepoint Sql Server Windows Server 2008 Windows Server 2012 Windows 7 Windows 8 Adobe Indesign Adobe Flash Professional Dreamweaver Adobe Illustrator Adobe After Effects Adobe Photoshop Adobe Fireworks Adobe Flash Catalyst Corel Painter X CorelDRAW X5 CorelDraw 10 QuarkXPress 8 windows Phone 7 windows Phone 8 BlackBerry Android Ipad Iphone iOS