Export (0) Print
Expand All
5 out of 8 rated this helpful - Rate this topic

Exchange and Shell Infrastructure Permissions

 

Applies to: Exchange Server 2013

Topic Last Modified: 2014-02-24

The permissions required to perform tasks to configure various components of Microsoft Exchange Server 2013 depend on the procedure being performed or the cmdlet you want to run. See each of the sections in this topic for more information about their respective features.

To find out what permissions you need to perform the procedure or run the cmdlet, do the following:

  1. In the table below, find the feature that is most related to the procedure you want to perform or the cmdlet you want to run.

  2. Next, look at the permissions required for the feature. You must be assigned one of those role groups, an equivalent custom role group, or an equivalent management role. You can also click on a role group to see its management roles. If a feature lists more than one role group, you only need to be assigned one of the role groups to use the feature. For more information about role groups and management roles, see Understanding Role Based Access Control.

  3. Now, run the Get-ManagementRoleAssignment cmdlet to look at the role groups or management roles assigned to you to see if you have the permissions that are necessary to manage the feature.

    NoteNote:
    You must be assigned the Role Management management role to run the Get-ManagementRoleAssignment cmdlet. If you don't have permissions to run the Get-ManagementRoleAssignment cmdlet, ask your Exchange administrator to retrieve the role groups or management roles assigned to you.

If you want to delegate the ability to manage a feature to another user, see Delegate Role Assignments.

NoteNote:
Some features may require that you have local administrator permissions on the server you want to manage. To manage these features, you must be a member of the Local Administrators group on that server.

The following table lists the permissions required to perform tasks that configure general Exchange 2013 settings.

Users who are assigned the View-Only Management role group can view the configuration of the features in the following table. For more information, see View-Only Organization Management.

 

Feature Permissions required

Administrator audit logging

Organization Management

Records Management

Exchange Administration Center configuration settings

View-Only Organization Management

Exchange Administration Center connectivity

Organization Management

Server Management

Exchange server configuration settings

Organization Management

Server Management

Exchange Help settings

Organization Management

Message categories

Organization Management

Hygiene Management

Recipient Management

Help Desk

Product key

Organization Management

Test system health

Organization Management

Server Management

View-only administrator audit logging

Organization Management

Records Management

NoteNote:
You can also manually assign the View-Only Audit Logs management role to a management role group. For more information, see View-Only Audit Logs Role.

Write to audit log

Users that are members of any role group or assigned any management role can write to the administrator audit log.

The following table lists the permissions required to perform tasks that configure features that control how the Exchange Management Shell runs.

Users who are assigned the View-Only Management role group can view the configuration of the features in the following table. For more information, see View-Only Organization Management.

 

Feature Permissions required

Active Directory Domain Services server settings

Organization Management

Server Management

Recipient Management

UM Management

Cmdlet extension agents

Organization Management

PowerShell virtual directories

Organization Management

Server Management

PowerShell and WinRM installation

Local Server Administrator

Remote Shell

Organization Management

The following table lists permissions required for performing tasks related to federation trusts, OAuth configuration, certificate management, and hybrid deployment configuration.

Users who are assigned the View-Only Management role group can view the configuration of the features in the following table. For more information, see View-Only Organization Management.

 

Feature Permissions required

Certificate management

Organization Management

Server Management

Federation trusts, OAuth

Organization Management

Test federation trusts, OAuth

Organization Management

View-Only Organization Management

Server Management

Hybrid deployment configuration

Organization Management

Intra-Organization connectors

Organization Management

Recipient Management

Records Management

 
Did you find this helpful?
(1500 characters remaining)
Thank you for your feedback
Show:
© 2014 Microsoft. All rights reserved.