Trouble using RBAC to change passwords and distribution groups

Thread starter: vukovin

vukovin



We are hosting email for a number of school districts. We have an OU for every district and we want a local district tech coordinator to manage as much of their own system as possible, at least as much as they can do through ECP. The three big management issues are changing user passwords, distribution group membership and new distribution groups. Each user can change their own password, but we want the tech coordinator to be able to reset their passwords too. Over the summer a lot of teachers will forget their passwords or the passwords will expire, so we want the local person to handle those resets. There is always turnover, so we want the tech coordinator to be able to add and edit distribution groups to meet their needs. We don't want the individual teachers joining or removing themselves from distribution groups.

That's the background. So I created new ManagementScopes to lock them into their own OUs. I created new RoleGroups with roles and assigned them to their scopes. However, through the ECP I don't have the password reset option and the distribution groups are all view only, plus they can't add new ones. These are the commands I used; hopefully someone can see where I've gone wrong or what I've omitted:

New-ManagementScope -Name "DistrictA Scope" -RecipientRoot "Company.org/Districts/DistrictA" -RecipientRestrictionFilter {(RecipientType -eq "DynamicDistributionGroup") -or (RecipientType -eq "UserMailbox") -or (RecipientType -eq "MailUser") -or (RecipientType -eq "MailContact") -or (RecipientType -eq "MailUniversalDistributionGroup") -or (RecipientType -eq "MailUniversalSecurityGroup") -or (RecipientType -eq "MailNonUniversalGroup")}

New-RoleGroup -Name "DistrictA Role Group" -Roles "Distribution Groups", "Legal Hold", "Mail Recipient Creation", "Mail Recipients", "Mail Tips", "Mailbox Import Export", "Mailbox Search", "Message Tracking", "User Options", "Security Group Creation and Membership" -Members joe.user -CustomRecipientWriteScope "DistrictA Scope"

I didn't use any custom management roles, because I'm not trying to back down their permissions, I'm trying to give them as much as possible. Microsoft's TechNet site lists ResetPassword as a ManagementRole, but when I do a get-managementrole, it's not there! http://technet.microsoft.com/en-us/library/dd351125.aspx Was that removed? Lastly, is it possible yet to allow them to create or remove a user and mailbox through ECP?

Thanks a lot for the help!

Brian

busbar



1) I think that the best way to do the password trick is from AD: you can delegate, over each OU, the admin account to reset passwords. This will be fast and easy.

2) I think that new user trick is in SP1.

Regards, Mahmoud Magdy Watch Arabic Level 300 Videos about Exchange 2010 here: http://vimeo.com/user3271816 Read pretty advanced Exchange stuff I and other MVPs post here: http://www.enowconsulting.com/ese/blog.asp Or follow my blog: http://busbar.blogspot.com or our corp blog: http://ingazat.wordpress.com and if you liked my post please mark it as helpful and accept it as an answer
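The AD-side delegation busbar suggests, written out as an added example (this is not from any post in the thread). It grants only the "Reset Password" extended right on user objects below one district OU, using dsacls; the OU path, domain and the "DistrictA Managers" group are assumed names modelled on the original poster's layout:

```powershell
# Added example, not from the thread: delegate password resets on a single district OU.
# Assumed names (modelled on the first post): OU "Districts/DistrictA" in company.org and
# a security group "DistrictA Managers" holding that district's tech coordinators.
$ou    = "OU=DistrictA,OU=Districts,DC=company,DC=org"
$group = "COMPANY\DistrictA Managers"

# Grant the "Reset Password" control-access right (CA) on user objects under the OU.
# /I:S applies the ACE to sub-objects only, so the OU object itself stays untouched,
# and the trailing ";user" limits inheritance to user objects (not groups or contacts).
dsacls $ou /I:S /G "${group}:CA;Reset Password;user"

# Optional: to let the delegate tick "User must change password at next logon",
# the delegate also needs read/write on the pwdLastSet attribute of those users.
dsacls $ou /I:S /G "${group}:RP;pwdLastSet;user"
dsacls $ou /I:S /G "${group}:WP;pwdLastSet;user"

# Review what the group ended up with; nothing broader than the three ACEs above
# (no Full Control, no write on other attributes) should appear for it.
dsacls $ou | Select-String -Pattern "DistrictA Managers"
```

Running the same three lines per district OU keeps each coordinator confined to their own OU, which is the same least-privilege boundary the RBAC scope in the first post is trying to draw on the Exchange side.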

Brian Desmond -MVP-



Brian-

Did you also create Management Role Assignments and assign the relevant people here? As far as Reset Password goes, it's in the cloud version but AFAIK currently not in the on-premise edition.

Active Directory, 4th Edition - www.briandesmond.com/ad4/

vukovin



Thanks for the help,

I agree, delegating control in AD is an option. I was just hoping that I could have them do everything through ECP and keep them out of AD completely. Maybe I'm oversimplifying the whole RBAC system... but I created a Role Group (with all those Roles assigned) and I used the Members switch to add members to that Role Group. Isn't that assignment enough? If the Role Group has the power assigned by the Roles and the group has members, do I still need to create a Management Role Assignment?

It amazes me Microsoft wouldn't allow Reset Password. That's only the most common reason for help desk calls!

Brian Desmond -MVP-



> Thanks for the help,
>
> I agree, delegating control in AD is an option. I was just hoping that I could have them do everything through ECP and keep them out of AD completely. Maybe I'm oversimplifying the whole RBAC system... but I created a Role Group (with all those Roles assigned) and I used the Members switch to add members to that Role Group. Isn't that assignment enough? If the Role Group has the power assigned by the Roles and the group has members, do I still need to create a Management Role Assignment?
>
> It amazes me Microsoft wouldn't allow Reset Password. That's only the most common reason for help desk calls!

Yes you need the assignment. Role groups don't have members in the classic sense like an AD group would.

Active Directory, 4th Edition - www.briandesmond.com/ad4/

vukovin

Brian, would you mind giving me an example of a Management Role Assignment related to my example?

vukovin



Ok, I've made some progress. The problem is not that I need to make another explicit Management Role Assignment. By creating the Role Group with the members, that did make the Management Role Assignments properly for me. The issue is scope. When I specify the CustomRecipientWriteScope, the distribution group access doesn't work... view only. If I remove it then I can add/edit distribution groups... but for the entire organization! But I want to limit them to just their own OU.

Any more ideas?

Bharani.Billapati



When you removed the scope, are you able to edit Distribution Groups present in the OU to which you want to set the scope?

Thanks

Bharani

vukovin



Yes. But if I remove the scope, I can create/edit distribution groups in the entire organization (not just their OU). That's too much power, because they can edit groups that don't belong to them.

I also tried adding -RecipientOrganizationalUnitScope to the creation of the Role Group, but that gives me the same results as using -CustomRecipientWriteScope... meaning I can view distribution groups but can't create or edit them.

Frank.Wang



Hi,

Did you use EMC or EMS to create the distribution groups?

And what's the error message when you cannot create the distribution groups in the specified OU? "OU isn't within a valid write scope"?

Please run the cmdlet Get-ManagementRoleAssignment "Distribution Groups-DistrictA Role Group" | fl

and post the results here.

Also suggest you create a new RoleGroup to test.

New-RoleGroup -Name "DistrictB Role Group" -Roles "Distribution Groups" -RecipientOrganizationalUnitScope "ou"

More information:

New-RoleGroup

http://technet.microsoft.com/en-us/library/dd638181.aspx

Frank Wang
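The checks Frank asks for, plus the two a defender would add, as an added example (not from any post in the thread). It lists every assignment the role group received with its scope, dumps the scope definition, and then confirms that the group can write a recipient inside the district OU but not one outside it. "DistrictA Role Group" and "DistrictA Scope" follow the first post; the two mailbox aliases are assumed:

```powershell
# Added example, not from the thread. Assumed names: "DistrictA Role Group" and
# "DistrictA Scope" from the first post, plus two mailboxes that are assumed to
# exist, one inside the DistrictA OU (alice.districta) and one outside it (bob.districtb).

# 1. Every assignment New-RoleGroup -Roles created for the group, with its scopes.
#    The assignment Name is "<Role>-<RoleGroup>", which is the identity form
#    Frank's Get-ManagementRoleAssignment call uses.
Get-ManagementRoleAssignment -RoleAssignee "DistrictA Role Group" |
    Format-Table Name, Role, RecipientWriteScope, CustomRecipientWriteScope, Enabled -AutoSize

# 2. One assignment in full, scope properties only.
Get-ManagementRoleAssignment "Distribution Groups-DistrictA Role Group" |
    Format-List Name, *Scope*, Enabled

# 3. The scope definition itself: RecipientRoot must be the district OU and the
#    filter must match the recipient types the coordinators are meant to touch.
Get-ManagementScope "DistrictA Scope" |
    Format-List Name, RecipientRoot, RecipientFilter, Exclusive

# 4. Positive check: which assignments (and effective users) may write a recipient
#    that lives inside the district OU. DistrictA Role Group should be listed.
Get-ManagementRoleAssignment -WritableRecipient alice.districta -GetEffectiveUsers |
    Format-Table Role, RoleAssigneeName, EffectiveUserName -AutoSize

# 5. Negative check: the district group must NOT be able to write a recipient that
#    belongs to another district. An empty result here is the desired outcome.
$leak = Get-ManagementRoleAssignment -WritableRecipient bob.districtb -GetEffectiveUsers |
    Where-Object { $_.RoleAssigneeName -eq "DistrictA Role Group" }
if ($leak) {
    Write-Warning "Scope leak: DistrictA Role Group can write bob.districtb"
} else {
    Write-Output "OK: bob.districtb is outside DistrictA Role Group's write scope"
}
```

Step 5 is worth running every time a scope or role group is changed: the ECP behaviour the thread is chasing hides the buttons, but the cmdlets are what actually enforce the boundary, and -WritableRecipient answers the question from the recipient's side rather than the role group's.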

vukovin



I tried to use Get-ManagementRoleAssignment "Distribution Groups-DistrictA Role Group" | fl, but I don't think that's proper syntax. So I used this to get the Role Assignments:


[PS] C:\Windows\system32>Get-rolegroup -identity "districtA role group" | fl

RunspaceId        : ea371422-4363-463c-b08c-7f550222a40f
ManagedBy         : {company.ORG/Users/administrator, company.ORG/Microsoft Exchange Security Groups/Organization Management}
RoleAssignments   : {Active Directory Permissions-districtA Role Group, Migration-districtA Role Group, Distribution Groups-districtA Role Group, Legal Hold-districtA Group, Mail Recipient Creation-districtA Group, Mail Recipients-districtA Group, Mail Tips-districtA Role Group, Mailbox Import Export-districtA Role Group, Mailbox Search-districtA Role Group, Message Tracking-districtA Role Group, User Options-districtA Role Group, Security Group Creation and Membership-districtA Role Group}
Roles             : {Active Directory Permissions, Migration, Distribution Groups, Legal Hold, Mail Recipient Creation, Mail Recipients, Mail Tips, Mailbox Import Export, Mailbox Search, Message Tracking, User Options, Security Group Creation and Membership}
DisplayName       :
Members           : {company.ORG/Districts/DistrictA/DistrictA Managers}
SamAccountName    : districtA Role Group
Description       :
RoleGroupType     : Standard
LinkedGroup       :
IsValid           : True
ExchangeVersion   : 0.10 (14.0.100.0)
Name              : districtA Role Group
DistinguishedName : CN=districtA Role Group,OU=Microsoft Exchange Security Groups,DC=company,DC=ORG
Identity          : company.ORG/Microsoft Exchange Security Groups/districtA Role Group
Guid              : 80840955-1cd0-4371-ba39-c595f1db2fc0
ObjectCategory    : company.ORG/Configuration/Schema/Group
ObjectClass       : {top, group}
WhenChanged       : 6/1/2010 3:06:17 PM
WhenCreated       : 6/1/2010 3:06:14 PM
WhenChangedUTC    : 6/1/2010 7:06:17 PM
WhenCreatedUTC    : 6/1/2010 7:06:14 PM
OrganizationId    :
OriginatingServer : server2.company.ORG

I don't get any errors when I try to create a distribution group in ECP... I don't even have the option to create one. If I take out the -RecipientOrganizationalUnitScope or -CustomRecipientWriteScope switches then I have the option to add groups and I can edit existing groups, but I can add/edit for the entire organization. The problem seems to be scope related. If I use an OU as the scope it doesn't work, but if I take the scope switches out, everything works. Except I need to have the scope. I have tried adding additional Role Groups and they all function the same. I saw another thread on here talking about this same problem but there wasn't a solution there.

Any more ideas? From everything I've posted, am I doing something wrong?

Frank.Wang



Hi,

Using Get-ManagementRoleAssignment "Distribution Groups-DistrictA Role Group" | fl you can get the scope properties.

But after I reviewed the question, I find you want the local district tech to manage distribution groups in ECP?

But I cannot understand "I don't get any errors when I try to create a distribution group in ECP... I don't even have the option to create one." If you don't have the option to create a distribution group, how do you create one?

Anyhow, maybe we are going to the wrong destination. If you want to manage distribution groups in ECP, you should use Management Role Assignment Policies rather than Role Groups.

The end user role group "MyDistributionGroups" can be used to manage distribution groups in ECP. Also please note the scope applied by the assignment is based on the management role and is either Self or GAL. So I think you cannot scope by OU when you manage distribution groups using ECP.

Please let your local district tech manage distribution groups using EMC or EMS.

Frank Wang

vukovin



Thanks Frank.

Yes, I want the local district techs to manage distribution groups in ECP.

If I leave out any scope assignments (-RecipientOrganizationalUnitScope or -CustomRecipientWriteScope) using the PS commands in my first post, then I can create/edit distribution groups just fine in ECP. But if I add a scope assignment to those commands, then the buttons in ECP to add or edit any aspect of an existing distribution group are gone. Using the scope seems to put ECP in a "read only" mode for distribution groups. I hope I'm explaining this better.

I may be approaching this wrong. Can you give me an example of how I can use Management Role Assignment Policies instead of Role Groups?

The local techs have no experience with EMC or EMS. I don't want them to get into something and cause more problems. I want to give them an easy way to manage simple Exchange tasks, like distribution groups and password resets. But these simple tasks are turning into not so simple ones.

I appreciate all your help and advice.

Brian

Frank.Wang



> If I leave out any scope assignments (-RecipientOrganizationalUnitScope or -CustomRecipientWriteScope) using the PS commands in my first post, then I can create/edit distribution groups just fine in ECP. But if I add a scope assignment to those commands, then the buttons in ECP to add or edit any aspect of an existing distribution group are gone. Using the scope seems to put ECP in a "read only" mode for distribution groups. I hope I'm explaining this better.

Hi Brian,

I found one document that addresses this issue:

"ECP does not handle RBAC administrator scopes well. If an admin has been set up to only be allowed to modify a portion of the organization's users, the Mailboxes UI slab becomes Read-Only and the administrator cannot modify mailbox properties."

I guess it also applies to distribution groups.

And this is an example using a Role Assignment Policy:

1. Create a custom Role Assignment Policy.

2. Add the MyBaseOptions and MyDistributionGroups roles to the policy.

3. Set the local district techs' mailboxes to use the custom Role Assignment Policy.

After that, you will get a slab named "Public Groups I own" in ECP.

But there is a limitation: you can only manage the groups you created.

So I think you have to focus on EMC or EMS at this moment.

Frank Wang
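Frank's three steps as EMS commands, with a check of what the policy actually grants and a look at the ownership limitation he mentions. This is an added example, not from the thread; the policy name "DistrictA Techs Policy", the mailbox alias alice.districta and the group name "DistrictA Teachers" are assumed:

```powershell
# Added example, not from the thread. Assumed names: policy "DistrictA Techs Policy",
# tech coordinator mailbox alice.districta, existing group "DistrictA Teachers",
# and the DistrictA OU path from the first post.

# 1. Create the custom role assignment policy carrying the two end-user roles.
New-RoleAssignmentPolicy -Name "DistrictA Techs Policy" -Roles MyBaseOptions, MyDistributionGroups

# 2. Confirm what the policy grants. These are end-user assignments, so their
#    write scope is Self or the GAL (as Frank notes); an OU scope cannot be attached.
Get-ManagementRoleAssignment -RoleAssignee "DistrictA Techs Policy" |
    Format-Table Name, Role, RecipientWriteScope -AutoSize

# 3. Point the coordinator's mailbox at the policy (takes effect at next ECP logon).
Set-Mailbox -Identity alice.districta -RoleAssignmentPolicy "DistrictA Techs Policy"
Get-Mailbox -Identity alice.districta | Format-List DisplayName, RoleAssignmentPolicy

# The "Public Groups I own" slab only lists groups whose ManagedBy includes the user,
# which is the limitation Frank describes. Review ownership of the district's groups:
Get-DistributionGroup -OrganizationalUnit "company.org/Districts/DistrictA" |
    Format-Table Name, ManagedBy -AutoSize

# One way to bring an existing group under the coordinator's control is to make them
# an owner of it; this grants control over that one group only, not the OU.
Set-DistributionGroup -Identity "DistrictA Teachers" -ManagedBy alice.districta
```

The trade-off is visible in step 2: the policy route gives ECP its edit buttons back, but the boundary it enforces is ownership of individual groups, not the OU, so each district's groups have to be handed to that district's coordinator explicitly.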

vukovin

Thanks Frank, I appreciate all your help. I'll look at the Role Assignment Policy and see how that goes. Hopefully SP1 will address some of these limitations.

vukovin

SP1 fixed everything! All my commands from above work perfectly now that SP1 is applied. Nothing like banging your head against a wall because MS doesn't implement functionality that's supposed to be there!

Niels Chr Dk



You say SP1 solved your issue. Does that mean your managers are now able to change the users' passwords through ECP?

I have almost the same need as you: a 3rd party needs to manage a portion of my users, mainly resetting passwords or re-opening an account, and I would like to avoid VPN or anything like that giving direct AD access.