Tuesday, July 1, 2014

Playing with RBAC and Roles


Hi folks,

Today let me share my experience with creating and managing role groups. RBAC is the permissions model in Exchange 2010 and 2013 for managing administrative access: it grants administrative users only the rights they need for their daily work. In a few words, a user is limited to a set of PowerShell cmdlets he or she may run, and to the corresponding sections of the EMC or EAC. I will not go into detail here, as TechNet covers it well.

In my case I used the built-in management roles that Exchange 2010 creates by default, without any customization, and assigned them to newly created role groups.

The following commands are used to manage role groups and assignments.

First of all we create a role group (let's say for Level 1 engineers):

New-RoleGroup Level1



After this we assign a role to the group. The following command does it one role at a time:

New-ManagementRoleAssignment -SecurityGroup Level1 -Role "Message Tracking"




We can check whether the roles were successfully assigned to the group:

Get-RoleGroup Level1 |fl Roles
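As an added example (not code from the original post), here is the same Level1 group built in one step with its roles and an OU write scope, followed by the checks I would run before adding anyone to it: what was assigned, which cmdlets the roles actually contain, and whether any of them are write cmdlets. It assumes the Exchange 2010/2013 Management Shell; the group name, the role list and the OU "contoso.com/Users" are placeholders.

```powershell
# Added example (not from the original post): create a tier-1 role group with its
# roles and an OU write scope in one step, then audit what the group can run.
# Assumes the Exchange 2010/2013 Management Shell; the group name, role list and
# the OU "contoso.com/Users" are placeholders.

$GroupName = "Level1"
$Roles     = "Message Tracking", "View-Only Recipients"
$ScopeOU   = "contoso.com/Users"   # assumed OU; write access is limited to recipients here

# New-RoleGroup accepts the role list directly, so the group never exists without roles.
# The OU scope is what keeps a tier-1 group away from admin and service accounts.
if (-not (Get-RoleGroup $GroupName -ErrorAction SilentlyContinue)) {
    New-RoleGroup -Name $GroupName -Roles $Roles -RecipientOrganizationalUnitScope $ScopeOU `
        -Description "Tier-1 messaging support"
}

# Check 1: the assignments exist and carry the scope we asked for.
Get-ManagementRoleAssignment -RoleAssignee $GroupName |
    Format-Table Role, RoleAssigneeName, RecipientWriteScope, CustomRecipientWriteScope -AutoSize

# Check 2: the real boundary is the cmdlet list inside each role. Review it
# before adding members; this is what a Level1 engineer will be able to type.
foreach ($r in $Roles) {
    "`n== Cmdlets granted by role '$r' =="
    Get-ManagementRoleEntry "$r\*" | Sort-Object Name | Format-Table Name, Parameters -AutoSize
}

# Check 3: flag write cmdlets so a read-only tier does not quietly gain Set-/Remove- rights.
$writeEntries = foreach ($r in $Roles) {
    Get-ManagementRoleEntry "$r\*" | Where-Object { $_.Name -match '^(Set|New|Remove|Add|Enable|Disable|Move)-' }
}
if ($writeEntries) {
    "Write cmdlets present in the assigned roles, review before use:"
    $writeEntries | Format-Table Role, Name -AutoSize
} else {
    "No write cmdlets in the assigned roles."
}
```

Get-ManagementRoleEntry "Role\*" is the quickest way to see the true blast radius of a role group: the role name says "Message Tracking", the entry list says exactly which cmdlets and parameters that means.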

The above commands are simple and straightforward. Let me share a case where I needed to replicate a role group configuration from a lab to a production environment (a normal requirement for any environment, messaging or otherwise).

For the sake of this article let's call this group Level3, as it serves the admin needs of level 3 IT engineers to whom I don't want to give Organization Management permissions.

First I have checked all roles assigned to the role group created in the lab:

Get-ManagementRoleAssignment -RoleAssignee Level3 |select Role,RoleAssigneeName

RoleAssigneeName is the user or group to which a particular role is assigned. Of course the output of this command just repeats the name of the same group for every row, but in the next step you will see how I used that to recreate the assignments in production.

I used the same command, but instead of outputting to the screen I exported the results to a CSV file:

Get-ManagementRoleAssignment -RoleAssignee Level3 |select Role,RoleAssigneeName |Export-Csv D:\Software\Roles-i3.csv

The resulting CSV has two columns named after the attributes I selected, Role and RoleAssigneeName; in the next command they feed the -SecurityGroup and -Role parameters. Note that these two columns do not capture a custom write scope on an assignment: if the lab group has scoped assignments, export RecipientWriteScope and CustomRecipientWriteScope as well, otherwise the role is recreated in production with the default scope.

As you can guess, I then imported the CSV into the pipeline and ran New-ManagementRoleAssignment for each row, using the two columns as the parameters mentioned above (the Level3 role group must already exist in production for this to succeed).

Import-Csv .\Roles-i3.csv |foreach {New-ManagementRoleAssignment -SecurityGroup $_.RoleAssigneeName -Role $_.Role}
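The one-liner above is enough when every assignment is organization-wide and you run it exactly once. The following is an added example (not the original post's code) that extends the same export/import so it also carries the write scopes, refuses to run if the group or a referenced management scope is missing in production, skips assignments that already exist, and compares lab against production at the end. It assumes the Exchange Management Shell on both sides; the group name and CSV path are placeholders.

```powershell
# Added example (not the original post's code), extending the export/import above:
# it carries the write scopes along, refuses to run if the group or a referenced
# scope is missing in production, skips assignments that already exist, and
# compares lab against production at the end. Assumes the Exchange Management
# Shell on both sides; the group name and CSV path are placeholders.

$GroupName = "Level3"
$CsvPath   = "D:\Software\Roles-Level3.csv"

# --- lab side: export the assignments together with their scopes ---
# Exporting only Role and RoleAssigneeName would recreate a scoped assignment
# with the default (organization-wide) scope in production.
Get-ManagementRoleAssignment -RoleAssignee $GroupName |
    Where-Object { -not $_.Delegating } |
    Select-Object Role, RoleAssigneeName, RecipientWriteScope,
                  CustomRecipientWriteScope, ConfigWriteScope, CustomConfigWriteScope |
    Export-Csv $CsvPath -NoTypeInformation

# --- production side: recreate them ---
if (-not (Get-RoleGroup $GroupName -ErrorAction SilentlyContinue)) {
    throw "Role group '$GroupName' does not exist here; create it with New-RoleGroup first."
}

Import-Csv $CsvPath | ForEach-Object {
    $row   = $_          # keep a reference: $_ is rebound inside switch below
    $role  = $row.Role
    $group = $row.RoleAssigneeName

    # Idempotent: a second run must neither error out nor create duplicates.
    if (Get-ManagementRoleAssignment -RoleAssignee $group -Role $role -ErrorAction SilentlyContinue) {
        "Skipping '$role' -> '$group' (already assigned)"
        return
    }

    $params = @{ SecurityGroup = $group; Role = $role }
    switch ($row.RecipientWriteScope) {
        # For an OU scope the OU path is reported in CustomRecipientWriteScope.
        "OU" { $params.RecipientOrganizationalUnitScope = $row.CustomRecipientWriteScope }
        "CustomRecipientScope" {
            # A custom management scope is a separate object and must exist first.
            if (-not (Get-ManagementScope $row.CustomRecipientWriteScope -ErrorAction SilentlyContinue)) {
                throw "Management scope '$($row.CustomRecipientWriteScope)' is missing in production."
            }
            $params.CustomRecipientWriteScope = $row.CustomRecipientWriteScope
        }
    }
    if ($row.ConfigWriteScope -eq "CustomConfigScope") {
        $params.CustomConfigWriteScope = $row.CustomConfigWriteScope
    }

    "Assigning '$role' -> '$group'"
    New-ManagementRoleAssignment @params | Out-Null
}

# --- verification: production holds the roles in the file, and only those ---
$wanted = Import-Csv $CsvPath | ForEach-Object { $_.Role }
$actual = Get-ManagementRoleAssignment -RoleAssignee $GroupName |
          Where-Object { -not $_.Delegating } | ForEach-Object { $_.Role }
$diff = Compare-Object $wanted $actual
if ($diff) { "Mismatch between CSV and production:"; $diff | Format-Table -AutoSize }
else       { "Role assignments for $GroupName match the lab export." }
```

The Compare-Object step at the end is the part worth keeping even if you drop the rest: a role group that ends up with one extra role in production is exactly the kind of drift nobody notices until an audit.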

This simple command adds a user to a role group, one at a time:

Add-RoleGroupMember Level3 -Member "Farhad Mahmudov"

Going back to my example of transferring a role group between the test lab and production, let me show the small trick I used to carry the mailboxes of its members from lab to production as well (provided the target AD does not already contain these accounts, which was my case).

First, I extracted the group members in the lab and exported the details needed for provisioning the mailboxes to a CSV file:

Get-RoleGroupMember Level3 |Get-User |select Name,DisplayName,SamAccountName,UserPrincipalName | export-csv D:\Software\Level3.csv

I transferred the CSV file to my production environment and provisioned the mailboxes there (please ensure that there are no trailing spaces after the name or display name, otherwise you will have some grief cleaning them out of the CSV file). Please note that here I used one standard password for every admin, which they were required to reset afterwards for security reasons; forcing that with -ResetPasswordOnNextLogon is safer than relying on the admins to remember.

$Password = Read-Host "Enter Users Password" -AsSecureString

Import-Csv C:\Scripts\Level3.csv |foreach {New-Mailbox -Name $_.Name -SamAccountName $_.SamAccountName -UserPrincipalName $_.UserPrincipalName -DisplayName $_.DisplayName -Password $Password -ResetPasswordOnNextLogon $true}

Then I ran this to check that the users and mailboxes were created:

Import-Csv .\Level3.csv |foreach {Get-User $_.Name}

As you can guess, mailbox creation was successful. Finally, I ran Add-RoleGroupMember against each user in the imported CSV file to add them to this group as members:

Import-Csv .\Level3.csv |foreach {Add-RoleGroupMember Level3 -Member $_.Name}
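Since these are privileged accounts, a shared initial password is the weak point of the procedure above. The following is an added example (not the original post's code) that does the same member mirroring with a per-account random initial password from the CSPRNG, a forced change at first logon, a skip for accounts that already exist, trimmed CSV fields, and a final membership check. It assumes the Exchange Management Shell, a CSV produced by the Get-RoleGroupMember export above, and an OU for admin accounts; the group name, the path and the OU "contoso.com/Admins" are placeholders.

```powershell
# Added example (not the original post's code): mirrors the lab group members into
# production with a per-account random initial password instead of one shared
# one, forces a change at first logon, skips accounts that already exist, and
# verifies the group membership at the end. Assumes the Exchange Management
# Shell, a CSV from the Get-RoleGroupMember export above, and an admin OU;
# the group name, path and OU "contoso.com/Admins" are placeholders.

$GroupName = "Level3"
$CsvPath   = "C:\Scripts\Level3.csv"
$AdminOU   = "contoso.com/Admins"   # assumed OU for privileged accounts

function New-InitialPassword {
    # 16 characters from a 64-symbol alphabet drawn from the CSPRNG; 64 divides 256,
    # so the modulo introduces no bias. It only has to survive until first logon.
    $alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789!#$%&*+-='
    $rng   = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $bytes = New-Object byte[] 16
    $rng.GetBytes($bytes)
    -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })
}

$created = @()
Import-Csv $CsvPath | ForEach-Object {
    $row = $_
    # Trim everything: trailing spaces in Name/DisplayName are the usual CSV grief.
    $name = $row.Name.Trim();              $sam     = $row.SamAccountName.Trim()
    $upn  = $row.UserPrincipalName.Trim(); $display = $row.DisplayName.Trim()

    # New-Mailbox fails on an existing account, so check (by UPN) and skip instead.
    if (Get-User $upn -ErrorAction SilentlyContinue) {
        "Skipping $upn (account already exists)"
        return
    }

    $plain  = New-InitialPassword
    $secure = ConvertTo-SecureString $plain -AsPlainText -Force
    New-Mailbox -Name $name -SamAccountName $sam -UserPrincipalName $upn -DisplayName $display `
        -OrganizationalUnit $AdminOU -Password $secure -ResetPasswordOnNextLogon $true | Out-Null

    # Hand the initial password over out of band; it is good for one logon only.
    $created += New-Object PSObject -Property @{ UserPrincipalName = $upn; InitialPassword = $plain }
}
$created | Format-Table UserPrincipalName, InitialPassword -AutoSize

# Add the members, then verify the group holds exactly the accounts in the CSV.
# Errors from Add-RoleGroupMember (e.g. already a member) are suppressed here
# because the Compare-Object below is the check that actually matters.
Import-Csv $CsvPath | ForEach-Object {
    Add-RoleGroupMember $GroupName -Member $_.UserPrincipalName.Trim() -ErrorAction SilentlyContinue
}
$wanted = Import-Csv $CsvPath | ForEach-Object { $_.UserPrincipalName.Trim() }
$actual = Get-RoleGroupMember $GroupName | Get-User | ForEach-Object { $_.UserPrincipalName }
$diff = Compare-Object $wanted $actual
if ($diff) { "Membership of $GroupName differs from the CSV:"; $diff | Format-Table -AutoSize }
else       { "All $(@($wanted).Count) members present in $GroupName." }
```

The generated passwords are printed once so they can be handed over out of band; do not write them to the same CSV you transferred, and clear the shell history afterwards.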

I hope this will be very beneficial in your daily messaging management.