About Me

TsooRad is a blog for John Weber. John is a Skype for Business MVP (2015-2018) - before that, a Lync Server MVP (2010-2014). My day job is titled "Technical Lead, MS UC" - I work with an awesome group of people at CDW, LLC. I’ve been at this gig in one fashion or another since 1988 - starting with desktops (remember Z-248’s?) and now I am in Portland, Oregon. I focus on collaboration and infrastructure. This means Exchange of all flavors, Skype, LCS/OCS/Lync, Windows, business process, and learning new stuff. I have a variety of interests - some of which may rear their ugly head in this forum. I have a variety of certifications dating back to Novell CNE and working up through the Microsoft MCP stack to MCITP multiple times. FWIW, I am on my third career - ex-USMC, retired US Army. I have a fancy MBA. One of these days, I intend to start teaching. The opinions expressed on this blog are mine and mine alone.

2010/09/01

Default Exchange 2010 RBAC groups

I had to look this up the other day – and I did not think it was all that easy to figure, so I made up this little table so I could get my head around the DEFAULT RBAC groups. Keep in mind that the base recommendation is to create your own groups to match your specific requirements. This table illustrates what comes OOBE and represents some great starting points for understanding what is going on under the hood with RBAC.

| Built-in RBAC Group | Functionality | Default assigned roles | Default Members |
|---|---|---|---|
| Delegated Setup | Members of this management role group have permissions to install and uninstall Exchange on provisioned servers. This role group shouldn't be deleted. | View-Only Configuration | None |
| Discovery Management | Members of this management role group can perform searches of mailboxes in the Exchange organization for data that meets specific criteria. | Legal Hold, Mailbox Search | None |
| Help Desk | Members of this management role group can view and manage the configuration for individual recipients and view recipients in an Exchange organization. Members of this role group can only manage the configuration each user can manage on his or her own mailbox. Additional permissions can be added by assigning additional management roles to this role group. | User Options, View-Only Recipients | None |
| Hygiene Management | Members of this management role group can manage Exchange anti-spam features and grant permissions for antivirus products to integrate with Exchange. | Application Impersonation, Receive Connectors, Transport Agents, Transport Hygiene, View-Only Configuration, View-Only Recipients | FQDN of server |
| Public Folder Management | Members of this management role group can manage public folders. Members can create and delete public folders and manage public folder settings such as replicas, quotas, age limits, and permissions as well as mail-enable and mail-disable public folders. | Mail Enabled Public Folders, Public Folders | Exchange Public Folder Administrators |
| Recipient Management | Members of this management role group have rights to create, manage, and remove Exchange recipient objects in the Exchange organization. | Distribution Groups, Mail Enabled Public Folders, Mail Recipient Creation, Mail Recipients, Message Tracking, Migration, Move Mailboxes, Recipient Policies | Exchange Recipient Administrators |
| Records Management | Members of this management role group can configure compliance features such as retention policy tags, message classifications, transport rules, and more. | Audit Logs, Journaling, Message Tracking, Retention Management, Transport Rules | None |
| Server Management | Members of this management role group have permissions to manage all Exchange servers within the Exchange organization, but members don't have permissions to perform operations that have global impact in the Exchange organization. | Database Copies, Databases, Exchange Connectors, Exchange Server Certificates, Exchange Servers, Exchange Virtual Directories, Monitoring, POP3 And IMAP4 Protocols, Receive Connectors, Transport Queues | None |
| UM Management | Members of this management role group can manage Unified Messaging organization, server, and recipient configuration. | UM Mailboxes, UM Prompts, Unified Messaging | None |
| View-Only Organization Management | Members of this management role group can view recipient and configuration objects and their properties in the Exchange organization. | Monitoring, View-Only Configuration, View-Only Recipients | Exchange View-Only Administrators |
| Organization Management | Members of this management role group have permissions to manage Exchange objects and their properties in the Exchange organization. Members can also delegate role groups and management roles in the organization. This role group shouldn't be deleted. | Active Directory Permissions, Address List, Audit Logs, Cmdlet Extension Agents, Database Availability Groups, Database Copies, Databases, Disaster Recovery, Distribution Groups, Edge Subscriptions, E-Mail Address Policies, Exchange Connectors, Exchange Server Certificates, Exchange Servers, Exchange Virtual Directories, Federated Sharing, Information Rights Management, Journaling, Legal Hold, Mail Enabled Public Folders, Mail Recipient Creation, Mail Recipients, Mail Tips, Message Tracking, Migration, Monitoring, Move Mailboxes, Organization Client Access, Organization Configuration, Organization Transport Settings, POP3 And IMAP4 Protocols, Public Folder Replication, Public Folders, Receive Connectors, Recipient Policies, Remote and Accepted Domains, Retention Management, Role Management, Security Group Creation and Membership, Send Connectors, Transport Agents, Transport Hygiene, Transport Queues, Transport Rules, UM Mailboxes, UM Prompts, Unified Messaging, User Options, View-Only Configuration, View-Only Recipients | Exchange Organization Administrators |
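
The table above can double as a baseline for spotting role groups that have drifted from their defaults. The following is an added example, not part of the original post: `Compare-RoleGroupBaseline` is a hypothetical helper, the baseline covers only six of the lower-privilege groups from the table, and the sample input is constructed so the script runs without an Exchange server.

```powershell
# Default role assignments, copied from the table above (subset only).
$DefaultRoles = @{
    'Delegated Setup'      = @('View-Only Configuration')
    'Discovery Management' = @('Legal Hold', 'Mailbox Search')
    'Help Desk'            = @('User Options', 'View-Only Recipients')
    'Records Management'   = @('Audit Logs', 'Journaling', 'Message Tracking',
                               'Retention Management', 'Transport Rules')
    'UM Management'        = @('UM Mailboxes', 'UM Prompts', 'Unified Messaging')
    'View-Only Organization Management' =
        @('Monitoring', 'View-Only Configuration', 'View-Only Recipients')
}

function Compare-RoleGroupBaseline {
    # Hypothetical helper: for each role group object (Name, Roles) on the
    # pipeline, report roles added to or missing from the default set.
    param([Parameter(ValueFromPipeline = $true)] $RoleGroup)
    process {
        $name     = [string]$RoleGroup.Name
        $expected = $DefaultRoles[$name]
        if ($null -eq $expected) { return }   # group is not in the baseline subset
        # Assumption: each entry in Roles is, or stringifies to, the role name.
        $actual = @($RoleGroup.Roles | ForEach-Object {
            if ($_.Name) { [string]$_.Name } else { [string]$_ } })
        $added   = @($actual   | Where-Object { $expected -notcontains $_ })
        $missing = @($expected | Where-Object { $actual   -notcontains $_ })
        foreach ($role in $added) {
            New-Object PSObject -Property @{ RoleGroup = $name; Role = $role; Drift = 'Added' }
        }
        foreach ($role in $missing) {
            New-Object PSObject -Property @{ RoleGroup = $name; Role = $role; Drift = 'Missing' }
        }
    }
}

# Constructed sample input standing in for live role group objects.
# In the Exchange Management Shell the equivalent would be:
#   Get-RoleGroup | Compare-RoleGroupBaseline
$sample = @(
    (New-Object PSObject -Property @{ Name  = 'Help Desk'
        Roles = @('User Options', 'View-Only Recipients', 'Mail Recipients') }),
    (New-Object PSObject -Property @{ Name  = 'Discovery Management'
        Roles = @('Mailbox Search') }),
    (New-Object PSObject -Property @{ Name  = 'UM Management'
        Roles = @('UM Mailboxes', 'UM Prompts', 'Unified Messaging') })
)
$sample | Compare-RoleGroupBaseline | Format-Table RoleGroup, Role, Drift -AutoSize
```

An 'Added' row on a group such as Help Desk is the one to review first, since it means members hold more than the out-of-box permissions listed in the table.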
