Configure Exchange 2010 for Shared Permissions

Applies to: Exchange Server 2010

Shared permissions enable you, as an Exchange Server 2010 administrator, to create Active Directory security principals, such as users, and then configure them as Exchange recipients. Unlike split permissions, which separate management tasks between groups of Exchange administrators and Active Directory administrators, there's no separation of tasks with shared permissions.

For more information about shared and split permissions, see Understanding Split Permissions.

You can configure your Exchange 2010 organization for shared permissions if you've previously set your organization for split permissions. If you've never configured your organization for split permissions, you don't need to perform this procedure. Exchange 2010 is configured for shared permissions by default.

Management role groups, management roles, and regular and delegating management role assignments are each explained in their own topics. In short, a regular assignment lets the members of a role group run the cmdlets a role contains, while a delegating assignment lets them assign that role to other role groups or users but doesn't by itself grant the cmdlets.

Looking for other management tasks related to permissions? Check out Managing Advanced Permissions.

Prerequisites

  • The Exchange 2010 organization must currently be configured for split permissions.
  • You must have permissions to delegate the Mail Recipient Creation management role and the Security Group Creation and Membership management role to the Organization Management management role group or another role group that's assigned the Mail Recipients role.

Use the Shell to configure Exchange 2010 for shared permissions

You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Role groups" entry in the Role Management Permissions topic.

Note

You can't use the EMC to configure shared permissions.

To configure Exchange 2010 for shared permissions, you must assign the Mail Recipient Creation role and the Security Group Creation and Membership role to a role group that's also assigned the Mail Recipients role and has Exchange 2010 administrators as members. In the default shared permissions configuration, the Organization Management role group holds each of these roles, which is why this procedure uses the Organization Management role group. Each role needs both a regular assignment (so members can run the cmdlets) and a delegating assignment (so members can assign the role to other role groups).

Configure Shared Permissions

To configure shared permissions on the Organization Management role group, do the following using an account that has permissions to delegate role assignments for the Mail Recipient Creation role and the Security Group Creation and Membership role. Role assignment names must be unique and can't exceed 64 characters, which is why the Security Group Creation and Membership assignments below abbreviate the role group name to "Org Management":

  1. Add a delegating role assignment for the Mail Recipient Creation role to the Organization Management role group using the following command.

    New-ManagementRoleAssignment "Mail Recipient Creation_Organization Management_Delegating" -Role "Mail Recipient Creation" -SecurityGroup "Organization Management" -Delegating
    
  2. Add a regular role assignment for the Mail Recipient Creation role to the Organization Management role group using the following command.

    New-ManagementRoleAssignment "Mail Recipient Creation_Organization Management" -Role "Mail Recipient Creation" -SecurityGroup "Organization Management"
    
  3. Add a delegating role assignment for the Security Group Creation and Membership role to the Organization Management role group using the following command.

    New-ManagementRoleAssignment "Security Group Creation and Membership_Org Management_Delegating" -Role "Security Group Creation and Membership" -SecurityGroup "Organization Management" -Delegating
    
  4. Add a regular role assignment for the Security Group Creation and Membership role to the Organization Management role group using the following command.

    New-ManagementRoleAssignment "Security Group Creation and Membership_Org Management" -Role "Security Group Creation and Membership" -SecurityGroup "Organization Management"
    

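The four steps above as one script that can be re-run safely, followed by a verification pass. This is an added example and not part of the original page: it assumes an Exchange 2010 Management Shell session run by an account that can delegate both roles, and it relies on the RoleAssignmentDelegationType property of the objects Get-ManagementRoleAssignment returns (Regular, Delegating, or DelegatingOrgWide for the built-in Organization Management assignments). The assignment names follow the convention used in the steps above.

```powershell
# Added example (not from the original page): configure shared permissions on
# Organization Management idempotently, then verify the result.
# Assumes an Exchange 2010 Management Shell session with delegating rights for
# both roles. "Org Management" keeps the name within the 64-character limit.

$roleGroup = "Organization Management"

# Role name -> name stem shared by its Regular and Delegating assignments.
$roles = @{
    "Mail Recipient Creation"                = "Mail Recipient Creation_Organization Management"
    "Security Group Creation and Membership" = "Security Group Creation and Membership_Org Management"
}

foreach ($role in $roles.Keys) {
    $stem     = $roles[$role]
    $existing = @(Get-ManagementRoleAssignment -Role $role -RoleAssignee $roleGroup)

    # Delegating assignment: members may assign this role to other role groups.
    # "Delegating*" also matches DelegatingOrgWide on the built-in assignments.
    if (-not ($existing | Where-Object { $_.RoleAssignmentDelegationType -like "Delegating*" })) {
        New-ManagementRoleAssignment "$($stem)_Delegating" -Role $role -SecurityGroup $roleGroup -Delegating
    }
    # Regular assignment: members may actually run the role's cmdlets.
    if (-not ($existing | Where-Object { $_.RoleAssignmentDelegationType -eq "Regular" })) {
        New-ManagementRoleAssignment $stem -Role $role -SecurityGroup $roleGroup
    }
}

# Verification: each role must have an enabled Regular assignment and at least
# one Delegating assignment to the group, or shared permissions are incomplete.
$failed = $false
foreach ($role in $roles.Keys) {
    $assignments = @(Get-ManagementRoleAssignment -Role $role -RoleAssignee $roleGroup)
    $regular    = @($assignments | Where-Object { $_.RoleAssignmentDelegationType -eq "Regular" -and $_.Enabled })
    $delegating = @($assignments | Where-Object { $_.RoleAssignmentDelegationType -like "Delegating*" })
    if ($regular.Count -eq 0) {
        Write-Warning "$role : no enabled Regular assignment to '$roleGroup'"
        $failed = $true
    }
    if ($delegating.Count -eq 0) {
        Write-Warning "$role : no Delegating assignment to '$roleGroup'"
        $failed = $true
    }
}
if ($failed) { throw "Shared permissions configuration is incomplete; see warnings above." }

# Show the resulting assignments for the change record.
$roles.Keys | ForEach-Object { Get-ManagementRoleAssignment -Role $_ -RoleAssignee $roleGroup } |
    Format-Table Name, Role, RoleAssignee, RoleAssignmentDelegationType, Enabled -AutoSize
```

Run it with -WhatIf appended to the two New-ManagementRoleAssignment calls first if you want to see what would be created without changing anything; the verification pass will then report the missing assignments as warnings rather than silently passing.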
For detailed syntax and parameter information, see New-ManagementRoleAssignment.

Remove Permissions from Active Directory Administrators (Optional)

You can optionally remove the permissions granted to Active Directory administrators if you no longer want them to be able to create or manage Active Directory objects using the Exchange management tools. If you want to do this, perform this procedure.

Note

Although you can remove permissions for Active Directory administrators to manage Active Directory objects using the Exchange management tools, Active Directory administrators can continue to manage Active Directory objects using Active Directory management tools, if their Active Directory permissions allow it. They won't, however, be able to manage Exchange-specific attributes on Active Directory objects. For more information, see Understanding Split Permissions.

To remove Exchange-related split permissions from Active Directory administrators, do the following:

  1. Find the regular and delegating role assignments that assign the Mail Recipient Creation role to the role group or universal security group (USG) that contains the Active Directory administrators as members using the following command.

    Get-ManagementRoleAssignment -Role "Mail Recipient Creation" -RoleAssignee <role group or USG name>
    
  2. Find the regular and delegating role assignments that assign the Security Group Creation and Membership role to the role group or USG that contains the Active Directory administrators as members using the following command.

    Get-ManagementRoleAssignment -Role "Security Group Creation and Membership" -RoleAssignee <role group or USG name>
    
  3. Remove the regular and delegating role assignments between the Mail Recipient Creation role and the role group or USG that contains the Active Directory administrators using the following commands.

    Remove-ManagementRoleAssignment <Mail Recipient Creation delegating assignment name>
    Remove-ManagementRoleAssignment <Mail Recipient Creation regular assignment name>
    
  4. Remove the regular and delegating role assignments between the Security Group Creation and Membership role and the role group or USG that contains the Active Directory administrators using the following commands.

    Remove-ManagementRoleAssignment <Security Group Creation and Membership delegating assignment name>
    Remove-ManagementRoleAssignment <Security Group Creation and Membership regular assignment name>
    
  5. Optional. If you want to remove all Exchange permissions from the Active Directory administrators, you can remove the role group or USG in which they're members. For more information about how to remove a role group, see Remove a Role Group.
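The removal procedure above as one script with the preflight checks a practitioner would want before stripping assignments. This is an added example, not part of the original page: it assumes an Exchange 2010 Management Shell session, uses a placeholder role group name that you must replace with the role group or USG holding your Active Directory administrators, and relies on the RoleAssignmentDelegationType and Enabled properties of the objects Get-ManagementRoleAssignment returns. It refuses to run against Organization Management and checks that Organization Management still holds a regular assignment for each role, so nobody is left without the ability to create recipients or security groups through the Exchange tools.

```powershell
# Added example (not from the original page): remove the split-permissions role
# assignments from the role group or USG that contains the AD administrators.
# Assumes an Exchange 2010 Management Shell session.

$adAdminGroup = "AD Administrators_Split Permissions"   # hypothetical name; replace with yours
$roles = "Mail Recipient Creation", "Security Group Creation and Membership"

# Guard: the shared model depends on Organization Management keeping these roles.
if ($adAdminGroup -eq "Organization Management") {
    throw "Refusing to remove these roles from Organization Management."
}

# Preflight: Organization Management must hold an enabled Regular assignment for
# each role before they are taken away from the AD administrators.
foreach ($role in $roles) {
    $orgMgmt = @(Get-ManagementRoleAssignment -Role $role -RoleAssignee "Organization Management" |
        Where-Object { $_.RoleAssignmentDelegationType -eq "Regular" -and $_.Enabled })
    if ($orgMgmt.Count -eq 0) {
        throw "Organization Management has no enabled Regular assignment for '$role'; configure shared permissions first."
    }
}

# Enumerate every assignment (Regular and Delegating) that would be removed.
$toRemove = @(foreach ($role in $roles) {
    Get-ManagementRoleAssignment -Role $role -RoleAssignee $adAdminGroup
})
if ($toRemove.Count -eq 0) {
    Write-Host "No assignments for '$($roles -join "', '")' found on '$adAdminGroup'; nothing to do."
    return
}
$toRemove | Format-Table Name, Role, RoleAssignee, RoleAssignmentDelegationType -AutoSize

# Remove Delegating assignments first so members can't re-delegate the role
# while the Regular assignment is still being removed.
$toRemove |
    Sort-Object { if ($_.RoleAssignmentDelegationType -like "Delegating*") { 0 } else { 1 } } |
    ForEach-Object { Remove-ManagementRoleAssignment -Identity $_.Name -Confirm:$false }

# Verify nothing is left behind.
foreach ($role in $roles) {
    $left = @(Get-ManagementRoleAssignment -Role $role -RoleAssignee $adAdminGroup)
    if ($left.Count -ne 0) {
        Write-Warning "$role : $($left.Count) assignment(s) still present on '$adAdminGroup'"
    }
}
```

Replace -Confirm:$false with -WhatIf on the Remove-ManagementRoleAssignment call to preview the removals; the Format-Table output just before it is the list to attach to the change record.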

For detailed syntax and parameter information, see Get-ManagementRoleAssignment or Remove-ManagementRoleAssignment.