See my other post if you want a basic introduction to RBAC. In this post you will learn how to scope UK admins so they can manage only users in “their” OU and “their” Exchange database.
Sure, you could just scope on OU, but then an admin would be able to create mailboxes on ANY database and it’s pretty common that you want to keep all their mailboxes on one DB. You will need SP1 to be able to perform this.
Step 1. Create a management scope.
Just keep adding each DB to the list:
New-ManagementScope “UKDBs” -DatabaseList “UKDB-01″,”UKDB-02”
Or maybe you want to delegate on a display name filter instead?
New-ManagementScope “UKDBs” -DatabaseRestrictionFilter {Name -like “UKDB-*”}
Step 2. Create a role group
The new RoleGroup will get the same roles as the built-in role “Recipient Management” and it will be scoped to the DBs and a specific OU:
$RG = Get-RoleGroup “Recipient Management”
New-RoleGroup “UK Recipient Management” -Roles $RG.Roles -CustomConfigWriteScope UKDBs -RecipientOrganizationalUnitScope domain.local/Users/UK
Done! One very neat thing is that when creating mailboxes, you might notice that the wizard has the option to let the admin select which DB the mailbox will be created on? Well, by implementing above, the admin doesn’t need to know the name of their DB. Exchange will automatically select a databse the admin has rights to when creating a new mailbox.
Notes
You might want to know what roles the built-in “Recipient Management” has? Easy!
Get-RoleGroup “Recipient Management” | fl Roles
You will see a bunch… You might wonder, what does the “Migration” actually allow?
Get-ManagementRole “Migration” | fl RoleEntries
Not very pretty so a better view would be:
Get-ManagementRoleEntry “Migration\*” | ft -AutoSize -Wrap
Some role entries are many rows so it might look overwhelming but you only want to see some of them? Here’s an example how to see just what the admin can do when it comes to ActiveSync on Mailbox Recipients role:
Get-ManagementRoleEntry “Mail Recipients\*ActiveSync*” | ft -AutoSize -Wrap
 
					


