Develop skills to prepare for installing, configuring and performing ongoing maintenance of a Microsoft Exchange Server 2013 infrastructure. Help prepare for certification exam 70-341. Learn best practices.

2. RBAC Role Groups
Role Based Access Control (RBAC) lets you
control what administrators and users can do
in your Exchange organization.
The RBAC consist of the following
components:
◦ Management role group The management role
group maps to a universal security group (USG)
in Active Directory, and users or the
administrator can be members of these security
groups.
Active Directory Users
and Computers
Exchange Admin Center 
permissions  admin roles

3. RBAC Roles and Role Assignment
◦ Management roles Management roles are assigned to a management role group. A management role is a
container for grouping management role entries. A management role entry can be a cmdlet or a script, so
management role entries in a management role determine what an administrator or user can do.
◦ Management role assignment A management role assignment is the linchpin between a management role
and a management role group.

4. RBAC Scope Management
Management role scope A management role scope determines where the management role
assignment is actually active—that is, where the user or administrator can perform his or her
tasks.
◦ The scope is not limited using the “Default” but is easily limited to a specific OU in the EAC.

5. RBAC Scope: Limiting to Servers
You can limit the scope of a management role assignment to specific servers in your
organization. For instance the following cmdlet creates a scope limited to two specific Exchange
servers:

6. RBAC Scope: Limiting to an AD Site
The following cmdlet will create a management scope limiting the management role to a specific
Active Directory site:

7. RBAC Creating an Exclusive Scope
When the exclusive scope is created, all users are immediately blocked from modifying the
recipients that match the exclusive scope until the scope is associated with a management role
assignment. If other role assignments are associated with other exclusive scopes that match the
same recipients, those assignments can still modify the recipients.
This example creates the Protected Exec Users exclusive scope. Users that contain the string
"VP" in their title match the recipient filter for the scope. This scope will not be displayed in EAC.

8. RBAC Applying an Exclusive Scope
The exclusive scope is then associated with a management role assignment that assigns the Mail
Recipients management role to the Executive Administrators role group. This role group contains
administrators who are allowed to modify the mailboxes of high-profile executives. Only the
administrators of the Executive Administrators role group can modify users with the string "VP"
in their title.
Create the universal security group “Executive Administrators”:

9. RBAC Viewing Exclusive Scopes
Be aware that scopes that can be “selected” for association with a role group are displayed in
EAC. However, scopes that match recipients, servers, or sites based on a filter do not. It’s
important to be familiar with the EMS as you can often retrieve information not otherwise
available.
Shown below the EAC still displays two of the three scopes that have been created whereas the
EMS will show all scopes.

10. RBAC Role Entry
Management role entry A management role entry determines what the management role
group (i.e., user or USG) can do and what cmdlets are available to the management role group.
◦ New management role entries can only be made to custom management roles.
◦ Only managed using EMS
First get a listing of management roles using Get-ManagementRole then get a listing of all
associated management role entries using the cmdlet below (where Exchange Servers is a
management role):

11. RBAC
Together these components in RBAC
determine "who” can do "what" management
functions and "where" in Active Directory this
management can be done.

12. Role Groups
There are 12 default
management role groups.
To grant permission to a user it is
simply a matter of adding their
account to the appropriate role
group.

13. Question: RBAC cmdlet
Your company has an Exchange 2013 organization. The users in the Moncton office no longer
should be able to manage their voice mail options. The MyVoicemail management role allows
users to manage their voice mail options. You need to remove the MyVoicemail management
role from the MonctonUsers assignment policy.
Answer:
Get-ManagementRoleAssignment -RoleAssignee ”MonctonUsers" -Role
MyVoicemail | Remove-ManagementRoleAssignment

14. Default Role Assignment Policy
This role assignment policy is assigned to all users by default, and it ensures that the users can
manage their own properties.

15. OWA Policies
Control options available to users within Outlook Web App.

16. References
Microsoft TechNet. Manage Role Groups
https://technet.microsoft.com/en-us/library/jj657480(v=exchg.150).aspx
Microsoft TechNet. New-ManagementScope
https://technet.microsoft.com/en-us/library/dd335137%28v=exchg.150%29.aspx