5 Steps to Heaven – Creating a Custom RBAC Role in Exchange 2010

Posted by Mike Pfeiffer in Active Directory, email, Exchange, Exchange 2010, IT Professional on 30-04-2010


By now you’ve probably heard about Role Based Access Control (RBAC) in Exchange 2010, which introduces a completely different permission model than was used previously in Exchange 2007. Instead of assigning permissions using access control lists, RBAC uses management roles to delegate what you can do and where you can do it. Exchange provides several built-in roles used for typical management tasks, but in this post we’ll look at a real world example where a custom management role will be required.

RBAC Components

To get a basic understanding of how this is going to work, a quick description of the RBAC components used in the upcoming example will be helpful:

  • Management Role – this is just a container for a group of Exchange Management Shell cmdlets. For example, the Mail Recipient Creation role contains only the cmdlets required to view, create and delete recipients.
  • Management Role Entry – this is an Exchange Management Shell cmdlet or custom script. Management roles are made up of management role entries.
  • Management Role Group – this is an Active Directory universal security group that contains the user accounts that can be assigned to a role.
  • Management Role Scope – this can be used to filter the type of objects that can be managed, and where they can be managed in Active Directory.
  • Management Role Assignment – this links a management scope to a management role.


Let’s say that your company has decided that a group of support personnel should be responsible for the creation of all new Exchange recipients. You want to be very specific about what type of access this group will be granted, and you plan on implementing a custom management role based on the following requirements:

  • Support personnel should be able to create Exchange recipients in the Employees OU in Active Directory.
  • Support personnel should not be able to create Exchange recipients in any other OU in Active Directory.
  • Support personnel should not be able to remove recipients in the Employees OU, or any other OU in Active Directory.

Now that the requirements are clearly defined, we are ready to implement our custom management role.

Step 1: Create the Management Role

The built-in roles cannot be changed, so we need to create a new management role using one of the built-in roles as a parent. We know that the Mail Recipient Creation role provides the cmdlets that our support group will need, so we’ll create a new role as a child of the Mail Recipient Creation role using the following command:

New-ManagementRole -Name "Employee Recipient Creation" -Parent "Mail Recipient Creation"

Step 2: Modify the Management Role

One of the requirements in our scenario was that support personnel should not be able to remove recipients, so we need to edit our custom role and get rid of any cmdlets that can be used to remove recipients:

Get-ManagementRoleEntry "Employee Recipient Creation\*" | ?{$_.name -like "remove-*"} | Remove-ManagementRoleEntry -Confirm:$false

The above command will delete all of the Remove-* cmdlets from our custom role, and therefore will prevent users assigned to this role from removing recipient objects.

Step 3: Create the Management Scope

The next step is to create a management scope that defines where the support group can work and which objects it can manage. We’ll use the following command to create our Employees management scope:

New-ManagementScope -Name Employees -RecipientRoot contoso.com/Employees -RecipientRestrictionFilter {(RecipientType -eq "UserMailbox") -or (RecipientType -eq "MailUser") -or (RecipientType -eq "MailContact")}

As you can see, we are specifying the recipient root as the Employees OU, per the requirements in our scenario. When specifying a RecipientRoot, we are also required to specify a RecipientRestrictionFilter, which here limits the scope to the UserMailbox, MailUser and MailContact recipient types.

Step 4: Create the Management Role Group

Now we are ready to create our management role group. We’ll use the New-RoleGroup cmdlet to create the role group based on our custom role and management scope using the following command:

New-RoleGroup -Name Support -Roles "Employee Recipient Creation" -CustomRecipientWriteScope Employees -Members bjacobs,dgreen,jgordon

The above command creates a role group named Support, which will create a universal security group in Active Directory in the Microsoft Exchange Security Groups OU. We configure the role group to use the Employees scope that was created in the previous step, limiting access to the Employees OU. Also, notice that we added three users to this group using the Members parameter.

Doing it this way automatically creates the management role assignment for us. You can view management role assignments using the Get-ManagementRoleAssignment cmdlet.

Step 5: Verifying the Configuration

At this point our work is done and we can test the configuration to make sure it is working properly. There are several steps in creating a custom role, so the first couple of times you do this it will be useful to test the configuration to make sure everything works as expected.

Logged in as a member of the Support group, launch the Exchange Management Shell. We’ll execute the following commands to create a test mailbox in the Employees OU:

$password = ConvertTo-SecureString "P@ssw0rd01" -AsPlainText -Force

New-Mailbox -Name TestUser001 -UserPrincipalName TestUser001@contoso.com -Password $password -OrganizationalUnit contoso.com/Employees

As we can see, the above command completed successfully. Now let’s try to create a mail contact. We’ll use the New-MailContact cmdlet, omitting the OrganizationalUnit parameter:

New-MailContact -Name TestUser002 -ExternalEmailAddress TestUser002@corp.contoso.com

Without specifying an OrganizationalUnit, the command attempts to create the object in the default users container in Active Directory. We can tell from looking at the error output that our management scope is working since we are unable to create objects outside of the Employees OU.

Let’s verify that our role configuration is set up correctly by trying to use one of the Remove-* cmdlets. We’ll use the following command to remove the mailbox we created in the first step:

Remove-Mailbox TestUser001

As expected, we get an error stating that the Remove-Mailbox cmdlet cannot be found, since it is not part of the Employee Recipient Creation role.
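
The tests above are run as a member of the Support group. As a complement, the following added example (not part of the original post) audits the same configuration from the administrator side, using only the role, scope and group names created in Steps 1 to 4:

```powershell
# Added example: admin-side audit of the role built in Steps 1-4.
# Run in the Exchange Management Shell with rights to read the RBAC configuration.
$roleName  = 'Employee Recipient Creation'   # created in Step 1
$scopeName = 'Employees'                     # created in Step 3
$groupName = 'Support'                       # created in Step 4
$findings  = @()

# 1. Step 2 should have left no Remove-* entries on the custom role.
$entries = @(Get-ManagementRoleEntry "$roleName\*")
$removeEntries = @($entries | Where-Object { $_.Name -like 'Remove-*' })
if ($removeEntries.Count -gt 0) {
    $findings += 'Role still contains: ' + (($removeEntries | ForEach-Object { $_.Name }) -join ', ')
}
# Review what the role can still do, grouped by cmdlet verb.
$entries | Group-Object { ($_.Name -split '-')[0] } | Sort-Object Name |
    Format-Table Name, Count -AutoSize

# 2. Show the scope so the OU root and recipient filter can be checked by eye.
Get-ManagementScope $scopeName | Format-List Name, RecipientRoot, RecipientFilter

# 3. Every regular assignment of the role should go to the Support group and
#    carry the Employees write scope. Delegating assignments (the right to
#    assign the role to others) are excluded from this check.
$regular = @(Get-ManagementRoleAssignment -Role $roleName -Delegating $false)
$scoped  = @(Get-ManagementRoleAssignment -Role $roleName -CustomRecipientWriteScope $scopeName |
    ForEach-Object { $_.Name })
if ($regular.Count -eq 0) {
    $findings += "No regular assignment found for role '$roleName'"
}
foreach ($a in $regular) {
    if ($a.RoleAssigneeName -ne $groupName) {
        $findings += "Unexpected assignee '$($a.RoleAssigneeName)' on assignment '$($a.Name)'"
    }
    if ($scoped -notcontains $a.Name) {
        $findings += "Assignment '$($a.Name)' is not limited to scope '$scopeName'"
    }
}

# 4. List who actually holds the role through the role group.
Get-RoleGroupMember $groupName | Format-Table Name, RecipientType -AutoSize

# Report the result of the checks.
if ($findings.Count -eq 0) {
    "OK: '$roleName' has no Remove-* entries and is only assigned to '$groupName' with scope '$scopeName'."
} else {
    $findings | ForEach-Object { "FINDING: $_" }
}
```

Re-running the audit after any later change to the role, scope or group membership shows whether the delegation still matches the original requirements.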


Well, we created and tested a custom role in just 5 steps, and it was actually pretty easy to do. Once you understand the basics it’s not as hard as it seems at first glance. The TechNet documentation on RBAC is very thorough and I would highly recommend reading through it to learn more.

Comments (12)

Excellent Document :)

Best RBAC tutorial so far on the net, easy to understand – helped me a lot!



Thanks for the explanations – but how to limit an Organization Admin to only see users from this ORG?
I have users in domain.dk/vejle and domain.dk/odense and an Organization admin in both ORGs. How to limit seeing all users and only see users in the Admin's Organization?


What Exchange build version do you use?

Erwin, I have same problem… Any updates?

Pedro and Erwin-
Any luck limiting RBAC view to OU?

You are all very smart people!
I am an average IT guy managing a 300-user infrastructure and have no time to learn this scripting thing. When is Microsoft coming up with a GUI version of RBAC?
Are we moving backward? Are we now going to use batch files and then code in binary language?
I feel like we are back in the Atari age…
Very frustrated admin trying to learn my way from Exc 2003 to 2010.



I have created multiple management scopes. Can I assign multiple management scopes to one role group?

Like if I want to grant permission for one role group's members on multiple OUs. How will I do that?


Excellent HOWTO.

Thanks a lot
