Updated on 22 Feb 2013
The default Exchange 2010 Recipient Management universal security group (USG), which is also an Exchange 2010 role group, can grant Full Access mailbox permission on all Exchange 2010 mailboxes.
Tested on Exchange 2010 in a mixed Exchange organization on Windows 2008 R2. See the important note in the More Information section.
You added account operators to the Recipient Management USG so that they can create mailboxes. The Recipient Management group is created during Exchange 2010 setup, and it is also a role group in the Exchange 2010 RBAC model.
But you discovered that account operators can also grant Full Access mailbox permissions to any user (including themselves) on any mailbox. This is not what you want, and it can be a serious finding in IT audits.
By default the Recipient Management USG (role group) has permission to run the Add-MailboxPermission and Add-MailboxFolderPermission Exchange 2010 Management Shell cmdlets. In more detail: the Mail Recipients role (which contains the Add-MailboxPermission and Add-MailboxFolderPermission cmdlets) is assigned to the Recipient Management role group (USG). Therefore members of the Recipient Management universal security group can successfully run these cmdlets.
Make a copy of the default Mail Recipients management role, remove the Add-MailboxPermission and Add-MailboxFolderPermission cmdlets from the copied role, and assign it to a new role group. Then remove the operators from the default Recipient Management USG and add them to the custom Recipient Management NoAddMbxPermission USG.
You can do this with Exchange Management Shell commands or with the RBAC Editor tool, which has a nice GUI.
Option 1: Using Exchange Shell:
1- Create a new management role Mail Recipients NoAddMbxPermission as a child of the default Mail Recipients role (it inherits all of that role's cmdlet entries)
New-ManagementRole -Name "Mail Recipients NoAddMbxPermission" -Parent "Mail Recipients"
2- Remove the Add-MailboxPermission and Add-MailboxFolderPermission cmdlets from the Mail Recipients NoAddMbxPermission role
Get-ManagementRoleEntry "Mail Recipients NoAddMbxPermission\Add-MailboxPermission" | Remove-ManagementRoleEntry
Get-ManagementRoleEntry "Mail Recipients NoAddMbxPermission\Add-MailboxFolderPermission" | Remove-ManagementRoleEntry
3- Create a new role group Recipient Management NoAddMbxPermission with the same set of roles, but don't add the default Mail Recipients role. Add the custom Mail Recipients NoAddMbxPermission role instead.
New-RoleGroup -Name "Recipient Management NoAddMbxPermission" -Roles "Distribution Groups", "Mail Enabled Public Folders", "Mail Recipient Creation", "Migration", "Message Tracking", "Move Mailboxes", "Recipient Policies", "Mail Recipients NoAddMbxPermission" -Description "Same permissions as Exchange 2010 Recipient Management except Add-MailboxPermission and Add-MailboxFolderPermission"
Running this command also creates a universal security group named Recipient Management NoAddMbxPermission in Active Directory.
4- Remove Account Operators from the default USG Recipient Management and add them to the custom USG Recipient Management NoAddMbxPermission using the Active Directory Users and Computers console.
The operator needs to log off and log on again for the group membership change to take effect.
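The four steps of Option 1 as a single Exchange Management Shell script, followed by a check that the new role really lost the two cmdlets. This is an added example, not the original post's commands: role and group names are the ones used above, the operator account "operator1" is a constructed placeholder, and the Remove-RoleGroupMember/Add-RoleGroupMember calls are the shell equivalent of the ADUC step in point 4.

```powershell
# Added example (not from the original post). Run in the Exchange 2010 Management Shell
# as a member of Organization Management. "operator1" is a constructed placeholder.
$roleName  = "Mail Recipients NoAddMbxPermission"
$groupName = "Recipient Management NoAddMbxPermission"
$blocked   = @("Add-MailboxPermission", "Add-MailboxFolderPermission")

# 1. Derive the custom role from the default Mail Recipients role (inherits its entries).
New-ManagementRole -Name $roleName -Parent "Mail Recipients"

# 2. Strip the two cmdlets that grant mailbox-level access from the copy.
foreach ($cmdlet in $blocked) {
    Get-ManagementRoleEntry "$roleName\$cmdlet" | Remove-ManagementRoleEntry -Confirm:$false
}

# 3. Create the role group with the same roles as Recipient Management,
#    swapping the default Mail Recipients role for the custom one.
$roles = @("Distribution Groups", "Mail Enabled Public Folders", "Mail Recipient Creation",
           "Migration", "Message Tracking", "Move Mailboxes", "Recipient Policies", $roleName)
New-RoleGroup -Name $groupName -Roles $roles `
    -Description "Same permissions as Recipient Management except Add-MailboxPermission and Add-MailboxFolderPermission"

# 4. Move the operator (shell equivalent of the ADUC step above).
Remove-RoleGroupMember -Identity "Recipient Management" -Member "operator1" -Confirm:$false
Add-RoleGroupMember    -Identity $groupName            -Member "operator1"

# Check: the custom role must not contain either cmdlet any more.
$leftover = Get-ManagementRoleEntry "$roleName\*" | Where-Object { $blocked -contains $_.Name }
if ($leftover) {
    throw "Role $roleName still contains: $($leftover.Name -join ', ')"
}
Write-Host "OK: role $roleName no longer contains $($blocked -join ' or ')"
```

The check at the end is the part worth keeping for audit evidence: Get-ManagementRoleEntry with a wildcard lists every cmdlet the role still exposes, so it catches a typo in the role name or a Remove-ManagementRoleEntry that was skipped at a confirmation prompt.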
Option 2: Using RBAC Editor:
A great tool for editing RBAC, coded by my friend Can Dedeoğlu. Download it from here: http://rbac.codeplex.com/
1- Extract the files in the zip to a folder, run RBAC_Manager.exe and connect to Active Directory.
2- Right-click the default role Mail Recipients and select New Role from here. Name it Mail Recipients NoAddMbxPermission.
3- Clear the check boxes for the Add-MailboxPermission and Add-MailboxFolderPermission cmdlets.
4- Click the SAVE button above.
5- To create a new role group, click the green button.
6- On ROLE GROUPS, right-click and select New Role Group.
7- Type the name Recipient Management NoAddMbxPermission. Select the management roles for the new role group mentioned in Option 1 (don't add the default Mail Recipients role; add the custom Mail Recipients NoAddMbxPermission role instead):
"Distribution Groups", "Mail Enabled Public Folders", "Mail Recipient Creation", "Migration", "Message Tracking", "Move Mailboxes", "Recipient Policies", "Mail Recipients NoAddMbxPermission"
8- Right-click the Mail Recipients NoAddMbxPermission role and select New Role Assignment.
9- Assign it to the USG Recipient Management NoAddMbxPermission. Click OK. You may need to refresh RBAC Editor by clicking somewhere else and then clicking again.
10- Again, remove Account Operators from the default USG Recipient Management using ADUC and add them to the custom USG Recipient Management NoAddMbxPermission using the Active Directory Users and Computers console. The operator needs to log off and log on again for the group membership change to take effect.
If the operator tries to grant Full Access using the Exchange 2010 console, she/he gets the following error:
(This is expected because the Add-MailboxPermission cmdlet does not exist for the operator; it is not an access denied error. If the operator tries to run the cmdlet from the Exchange Management Shell, she/he of course gets the same error, and the Tab key does not complete the cmdlet name either.)
Important Note: If the Exchange organization is mixed, that is, it also contains Exchange 2007 or Exchange 2003, you must also configure the granting of Full Access mailbox permission in AD for Exchange 2007 and Exchange 2003 mailboxes. This blog post only covers mailboxes on Exchange 2010.
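Instead of logging on as the operator to see the error, an administrator can confirm the result from RBAC's side: list every role that still contains Add-MailboxPermission and expand the assignments to effective users. This is an added example, not part of the original post; "operator1" is a constructed placeholder for the account you moved.

```powershell
# Added example (not from the original post): audit who can still run the cmdlet.
# "operator1" is a constructed placeholder for the moved account.
$cmdlet   = "Add-MailboxPermission"
$operator = "operator1"

# Every management role that still contains the cmdlet (Mail Recipients, among others).
$rolesWithCmdlet = Get-ManagementRole -Cmdlet $cmdlet

# Expand each role's assignments to the users who hold it through any
# role group, USG or direct assignment.
$effective = foreach ($role in $rolesWithCmdlet) {
    Get-ManagementRoleAssignment -Role $role.Name -GetEffectiveUsers |
        Select-Object Role, RoleAssigneeName, EffectiveUserName
}

# After Option 1 or Option 2 the operator should not appear in this list.
$hit = $effective | Where-Object { $_.EffectiveUserName -like "*$operator*" }
if ($hit) {
    Write-Warning "$operator can still run $cmdlet through:"
    $hit | Format-Table -AutoSize
} else {
    Write-Host "$operator cannot run $cmdlet (no effective role assignment found)"
}

# Full list of who retains the permission, useful as audit evidence.
$effective | Sort-Object EffectiveUserName -Unique | Format-Table -AutoSize
```

The wildcard match on EffectiveUserName is deliberate: depending on the Exchange build the property shows the display name rather than the logon name, so match loosely and then read the RoleAssigneeName column to see which group grants the access.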