Configure Exchange 2010 for Split Permissions

Applies to: Exchange Server 2010

Split permissions enable two separate groups, such as Active Directory administrators and Microsoft Exchange Server 2010 administrators, to manage their respective services, objects, and attributes. Active Directory administrators manage security principals, such as users, that provide permissions to access an Active Directory forest. Exchange administrators manage the Exchange-related attributes on Active Directory objects and Exchange-specific object creation and management.

For more information about shared and split permissions, see Understanding Split Permissions.

You can configure your Exchange 2010 organization for split permissions. When you are done, only Active Directory administrators will be able to create or remove Active Directory security principals. This means that Exchange administrators won't be able to use the following cmdlets:

  • New-Mailbox
  • New-MailUser
  • New-MailContact
  • New-LinkedUser
  • Remove-Mailbox
  • Remove-MailUser
  • Remove-MailContact
  • Remove-LinkedUser
  • Add-MailboxPermission
  • Add-MailboxFolderPermission

Exchange administrators will only be able to manage the Exchange attributes on existing Active Directory security principals. They will, however, be able to create and manage Exchange-specific objects, such as transport rules and distribution groups.

For more information about management role groups, management roles, and regular and delegating management role assignments, see the following topics:

Looking for other management tasks related to permissions? Check out Managing Advanced Permissions.

Use the Shell to configure Exchange 2010 for split permissions

You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Role groups" entry in the Role Management Permissions topic.

Note

You can't use the EMC to configure split permissions.

To configure Exchange 2010 for split permissions, you must assign the Mail Recipient Creation role and the Security Group Creation and Membership role to a role group whose members are Active Directory administrators. You must then remove the assignments between those roles and any role group or universal security group (USG) that contains Exchange administrators, including the Organization Management role group, which holds delegating assignments to both roles by default.

To configure split permissions, do the following:

  1. Create a role group for the Active Directory administrators. In addition to creating the role group, the command creates regular role assignments between the new role group and the Mail Recipient Creation role and the Security Group Creation and Membership role.

    New-RoleGroup "Active Directory Administrators" -Roles "Mail Recipient Creation", "Security Group Creation and Membership"
    
  2. Create a delegating role assignment between the new role group and the Mail Recipient Creation role using the following command.

    New-ManagementRoleAssignment "Mail Recipient Creation_AD Administrators_Delegating" -Role "Mail Recipient Creation" -SecurityGroup "Active Directory Administrators" -Delegating
    
  3. Create a delegating role assignment between the new role group and the Security Group Creation and Membership role using the following command. Note that the role named here is Security Group Creation and Membership, not Mail Recipient Creation, which was delegated in the previous step.

    New-ManagementRoleAssignment "Security Group Creation and Membership_AD Administrators_Delegating" -Role "Security Group Creation and Membership" -SecurityGroup "Active Directory Administrators" -Delegating
    
  4. Add members to the new role group using the following command.

    Add-RoleGroupMember "Active Directory Administrators" -Member <user to add>
    
  5. Replace the delegate list on the new role group so that only members of the role group can add or remove members.

    Set-RoleGroup "Active Directory Administrators" -ManagedBy "Active Directory Administrators"
    

    Important

    Members of the Organization Management role group, or those who are assigned the Role Management role, either directly or through another role group or USG, can bypass this delegate security check. If you want to prevent any Exchange administrator from adding himself or herself to the new role group, you must remove the role assignment between the Role Management role and any Exchange administrator and assign it to another group.

  6. Find all of the regular and delegating role assignments to the Mail Recipient Creation role using the following command.

    Get-ManagementRoleAssignment -Role "Mail Recipient Creation"
    
  7. Remove all of the regular and delegating role assignments to the Mail Recipient Creation role that aren't associated with the new role group or any other role groups, USGs, or direct assignments you want to keep using the following command.

    Remove-ManagementRoleAssignment <Mail Recipient Creation role assignment to remove>
    
  8. Find all of the regular and delegating role assignments to the Security Group Creation and Membership role using the following command.

    Get-ManagementRoleAssignment -Role "Security Group Creation and Membership"
    
  9. Remove all of the regular and delegating role assignments to the Security Group Creation and Membership role that aren't associated with the new role group or any other role groups, USGs, or direct assignments you want to keep using the following command.

    Remove-ManagementRoleAssignment <Security Group Creation and Membership role assignment to remove>
    
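The nine steps above as a single script, added here as a worked example and not part of the original article. It uses only the Exchange 2010 cmdlets the steps already call; the role group name, the assignment names, the member accounts, and the list of assignees to keep are assumed values for illustration and should be changed for your organization. Steps 7 and 9 run with -WhatIf until the dry-run flag is cleared, and the script ends with two checks the procedure itself does not include: what is left on each role, and who still holds the Role Management role and can therefore bypass the delegate check from step 5.

```powershell
# Added example, not from the original article. Run in the Exchange Management
# Shell as a member of Organization Management. All cmdlets and parameters are
# the Exchange 2010 ones; the names, accounts and keep list below are assumed.

$RoleGroup = "Active Directory Administrators"            # assumed name
$Roles     = "Mail Recipient Creation", "Security Group Creation and Membership"
$Members   = "contoso\ADAdmin1", "contoso\ADAdmin2"      # assumed accounts

# Assignees whose assignments to the two roles must survive. By default only
# the new role group; add any other role group or USG you intend to keep.
$KeepAssignees = @($RoleGroup)

# Steps 7 and 9 only report what they would remove until this is set to $false.
$DryRun = $true

# Step 1: role group with regular assignments to both roles.
New-RoleGroup -Name $RoleGroup -Roles $Roles | Out-Null

# Steps 2 and 3: one delegating assignment per role, so the AD administrators
# can themselves delegate these roles. The assignment names are assumed.
foreach ($role in $Roles) {
    New-ManagementRoleAssignment -Name "${role}_AD Administrators_Delegating" `
        -Role $role -SecurityGroup $RoleGroup -Delegating | Out-Null
}

# Step 4: populate the role group (Add-RoleGroupMember takes one member per call).
foreach ($m in $Members) {
    Add-RoleGroupMember -Identity $RoleGroup -Member $m
}

# Step 5: only the role group's own members may change its membership.
Set-RoleGroup -Identity $RoleGroup -ManagedBy $RoleGroup

# Steps 6 to 9: enumerate every regular and delegating assignment to each role
# and remove the ones whose assignee is not on the keep list.
foreach ($role in $Roles) {
    foreach ($a in (Get-ManagementRoleAssignment -Role $role)) {
        $tag = "{0} [{1}, {2}]" -f $a.Name, $a.RoleAssigneeName, $a.RoleAssignmentDelegationType
        if ($KeepAssignees -contains $a.RoleAssigneeName) {
            Write-Host "Keeping  $tag"
            continue
        }
        Write-Host "Removing $tag"
        Remove-ManagementRoleAssignment -Identity $a.Name -Confirm:$false -WhatIf:$DryRun
    }
}

# Post-check 1: what is left on each role after the removals.
foreach ($role in $Roles) {
    Get-ManagementRoleAssignment -Role $role |
        Format-Table Name, RoleAssigneeName, RoleAssigneeType, RoleAssignmentDelegationType -AutoSize
}

# Post-check 2: who effectively holds the Role Management role. Anyone listed
# here can bypass the ManagedBy check from step 5 and add themselves to the
# new role group, so this list should contain no Exchange administrators.
Get-ManagementRoleAssignment -Role "Role Management" -GetEffectiveUsers |
    Select-Object EffectiveUserName, RoleAssigneeName, RoleAssignmentDelegationType |
    Sort-Object EffectiveUserName |
    Format-Table -AutoSize
```

Run it once with $DryRun left at $true and read the "Removing" lines and the "What if:" output; only when the list contains nothing you want to keep set $DryRun to $false and run it again. The second post-check is the one most often skipped: removing the two creation roles from Organization Management does nothing if Organization Management still holds Role Management, because its members can simply assign the roles back or join the new role group.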

For detailed syntax and parameter information, see the following topics: