I had to look this up the other day – and I did not think it was all that easy to figure out, so I made up this little table so I could get my head around the DEFAULT RBAC groups. Keep in mind that the base recommendation is to create your own groups to match your specific requirements. This table illustrates what comes OOBE and represents some great starting points for understanding what is going on under the hood with RBAC.
| Built-in RBAC Group | Functionality | Default assigned roles | Default Members |
| --- | --- | --- | --- |
| Delegated Setup | Members of this management role group have permissions to install and uninstall Exchange on provisioned servers. This role group shouldn't be deleted. | View-Only Configuration | None |
| Discovery Management | Members of this management role group can perform searches of mailboxes in the Exchange organization for data that meets specific criteria. | | None |
| Help Desk | Members of this management role group can view and manage the configuration for individual recipients and view recipients in an Exchange organization. Members of this role group can only manage the configuration each user can manage on his or her own mailbox. Additional permissions can be added by assigning additional management roles to this role group. | | None |
| Hygiene Management | Members of this management role group can manage Exchange anti-spam features and grant permissions for antivirus products to integrate with Exchange. | | FQDN of server |
| Public Folder Management | Members of this management role group can manage public folders. Members can create and delete public folders and manage public folder settings such as replicas, quotas, age limits, and permissions as well as mail-enable and mail-disable public folders. | | Exchange Public Folder Administrators |
| Recipient Management | Members of this management role group have rights to create, manage, and remove Exchange recipient objects in the Exchange organization. | | Exchange Recipient Administrators |
| Records Management | Members of this management role group can configure compliance features such as retention policy tags, message classifications, transport rules, and more. | | None |
| Server Management | Members of this management role group have permissions to manage all Exchange servers within the Exchange organization, but members don't have permissions to perform operations that have global impact in the Exchange organization. | | None |
| UM Management | Members of this management role group can manage Unified Messaging organization, server, and recipient configuration. | | None |
| View-Only Organization Management | Members of this management role group can view recipient and configuration objects and their properties in the Exchange organization. | | Exchange View-Only Administrators |
| Organization Management | Members of this management role group have permissions to manage Exchange objects and their properties in the Exchange organization. Members can also delegate role groups and management roles in the organization. This role group shouldn't be deleted. | Active Directory Permissions, Address List, Audit Logs, Cmdlet Extension Agents, Database Availability Groups, Database Copies, Databases, Disaster Recovery, Distribution Groups, Edge Subscriptions, E-Mail Address Policies, Exchange Connectors, Exchange Server Certificates, Exchange Servers, Exchange Virtual Directories, Federated Sharing, Information Rights Management, Journaling, Legal Hold, Mail Enabled Public Folders, Mail Recipient Creation, Mail Recipients, Mail Tips, Message Tracking, Migration, Monitoring, Move Mailboxes, Organization Client Access, Organization Configuration, Organization Transport Settings, POP3 And IMAP4 Protocols, Public Folder Replication, Public Folders, Receive Connectors, Recipient Policies, Remote and Accepted Domains, Retention Management, Role Management, Security Group Creation and Membership, Send Connectors, Transport Agents, Transport Hygiene, Transport Queues, Transport Rules, UM Mailboxes, UM Prompts, Unified Messaging, User Options, View-Only Configuration, View-Only Recipients | Exchange Organization Administrators |