Environment: Windows Server 2008 R2 Enterprise 64-bit,
Exchange 2010 SP2
Requirement: set up an Exchange day-to-day operator role that can only create mailboxes for new users and change their configuration; every other permission, including Send As and Full Access management, must be switched off.
Problem: the built-in Recipient Management role group contains far too many roles, as follows:
Roles assigned to Recipient Management:
Distribution Groups
Mail Enabled Public Folders
Mail Recipient Creation
Mail Recipients
Message Tracking
Migration
Move Mailboxes
Recipient Policies
Of these, Mail Recipient Creation is used to create mailboxes, mail users, mail contacts, and regular and dynamic distribution groups. Mail Recipients is used to manage the existing mailboxes, mail users and mail contacts in the organization. But it also carries the following unnecessary permissions:
In particular, managing Full Access permission is something management absolutely will not allow. After running Add-MailboxPermission -Deny -AccessRights FullAccess the operator could still use the permission, and the -Deny entry was simply removed again. As shown:
Solution: a brand-new role has to be created and used for assigning the permissions.
Below is the Exchange permission model as I summarized it myself, all rights reserved, heh:
For easier maintenance and standardization later on, this is implemented by assigning the role group to a security group.
Overall steps:
1. Create a role group
2. Create a new role
3. Modify the role entries
4. Create a security group and assign users to it
5. Assign (add) the security group to the new role group
6. Assign (add) the new role to the new role group
Operation steps:
1. Create the role group
[PS] C:\Windows\system32>New-RoleGroup -Name "Mailbox Operation" -DisplayName "邮箱日常操作" -Description "仅用于从AD现有账户新建邮箱和管理现有邮箱配置,并且禁止删除所有邮箱"
[PS] C:\Windows\system32>Get-RoleGroup "mailbox operation" | Format-Table -Wrap

Name              AssignedRoles RoleAssignments ManagedBy
----              ------------- --------------- ---------
Mailbox Operation {}            {}              {human.local/Microsoft Exchange Security Groups/Organization Management, human.local/信息管理部/test}
2. Create the new role
A new role must be created by inheriting from an existing built-in role!
[PS] C:\Windows\system32>New-ManagementRole -Parent "Mail Recipients" -Name "Limited Mail Recipients" -Description "仅用于从AD现有账户新建邮箱和管理现有邮箱配置,并且禁止删除所有邮箱"

Name                    RoleType
----                    --------
Limited Mail Recipients MailRecipients
3. Modify the role entries
The permissions of the new role can only be controlled by removing existing role entries or by changing the parameters inside existing role entries.
Approaches:
Method 1: tidy the list of existing role entries in Excel and keep only the ones to be removed; load it into an array with Import-Csv, take the values from the array one by one and pipe them to Remove-ManagementRoleEntry.
Method 2: select and remove with Filter and Where.
Method 3: use wildcards to find a portion at a time and remove it.
[PS] C:\Windows\system32>Get-ManagementRoleEntry "Limited Mail Recipients\*" | Format-Wide Name -AutoSize
Add-MailboxPermission Clear-ActiveSyncDevice
Disable-MailContact Disable-ServiceEmailChannel
Enable-MailContact Enable-MailUser
Enable-ServiceEmailChannel Get-ADServerSettings
Get-AcceptedDomain Get-ActiveSyncDevice
Get-ActiveSyncDeviceStatistics Get-ActiveSyncMailboxPolicy
Get-CalendarNotification Get-CalendarProcessing
Get-Contact Get-DomainController
Get-InboxRule Get-LogonStatistics
Get-MailContact Get-MailUser
Get-MailboxAutoReplyConfiguration Get-MailboxCalendarConfiguration
Get-MailboxCalendarFolder Get-MailboxDatabase
Get-MailboxFolderPermission Get-MailboxJunkEmailConfiguration
Get-MailboxMessageConfiguration Get-MailboxPermission
Get-MailboxSpellingConfiguration Get-MailboxStatistics
Get-MessageCategory Get-MessageClassification
Get-OfflineAddressBook Get-OrganizationalUnit
Get-OwaMailboxPolicy Get-PhysicalAvailabilityReport
Get-ResourceConfig Get-RoleAssignmentPolicy
Get-ServiceAvailabilityReport Get-ServiceStatus
Get-TextMessagingAccount Get-Trust
Get-User Get-UserPrincipalNamesSuffix
New-OwaMailboxPolicy Remove-ActiveSyncDevice
Remove-MailboxFolderPermission Remove-MailboxPermission
Remove-OwaMailboxPolicy Set-ADServerSettings
Set-CalendarProcessing Set-LinkedUser
Set-MailboxAutoReplyConfiguration Set-MailboxJunkEmailConfiguration
Set-MailboxMessageConfiguration Set-MailboxSpellingConfiguration
Update-Recipient Add-MailboxFolderPermission
Write-AdminAuditLog Disable-InboxRule
Get-MailboxFolderStatistics Test-MAPIConnectivity
Set-User Enable-InboxRule
Enable-RemoteMailbox Remove-InboxRule
Set-MailboxRegionalConfiguration Get-SecurityPrincipal
New-PublicFolderDatabaseRepairRequest Set-MailboxCalendarFolder
Get-MailboxRegionalConfiguration Get-CASMailbox
Get-Recipient New-MailboxRepairRequest
Set-InboxRule Get-Mailbox
Set-Contact Set-CASMailbox
Get-ManagementRoleAssignment New-InboxRule
Get-RemoteMailbox Set-MailboxSentItemsConfiguration
Set-Mailbox Set-MailContact
Set-MailUser Set-RemoteMailbox
Get-HybridConfiguration Get-MailboxSentItemsConfiguration
Set-HybridConfiguration Enable-Mailbox
Set-MailboxFolderPermission Update-HybridConfiguration
Disable-RemoteMailbox Disable-MailUser
New-HybridConfiguration Disable-Mailbox
Set-MailboxCalendarConfiguration Connect-Mailbox
Set-OwaMailboxPolicy Get-AddressBookPolicy
There are 100 entries in total, and every unneeded one has to be removed; with this many it is impossible to understand what each of them means, so more information is needed first.
Use the following command to get a one-line description of each inherited role entry and pick the ones you need from that:
[PS] C:\Windows\system32>Get-ManagementRoleEntry "limited mail recipients\*" | foreach { Get-Help $_.Name } | Format-Table Name,Synopsis -Wrap | Out-File d:\test2.txt
Then import the file into Excel and sort the information out there.
The following commands remove the relevant role entries.
Command for removing a single entry:
Remove-ManagementRoleEntry "limited mail recipients\get-mailboxpermission" -Confirm:$false
(removes directly without prompting for confirmation)
Remove-ManagementRoleEntry "limited mail recipients\add-mailboxpermission"
Remove-ManagementRoleEntry "limited mail recipients\remove-mailboxpermission"
Once the three entries above are removed, the Full Access management option no longer appears; all three related entries must be removed before this takes effect.
[PS] C:\Windows\system32>Remove-ManagementRoleEntry "limited mail recipients\*mailboxper*"
(This shows that a wildcard can still be used when only the last entry is left.)
Commands for removing a batch of entries:
[PS] C:\Windows\system32>Get-ManagementRoleEntry "Limited Mail Recipients\disable*"
[PS] C:\Windows\system32>Get-ManagementRoleEntry "Limited Mail Recipients\disable*" | Remove-ManagementRoleEntry -WhatIf
[PS] C:\Windows\system32>Get-ManagementRoleEntry "Limited Mail Recipients\disable*" | Remove-ManagementRoleEntry
[PS] C:\Windows\system32>Get-ManagementRoleEntry "Limited Mail Recipients\*hybrid*" | Remove-ManagementRoleEntry -Confirm:$false
[PS] C:\Windows\system32>Get-ManagementRoleEntry "Limited Mail Recipients\*" | where {$_.name -ilike "*remote*" -or $_.name -like "*domaincontrol*"} | Remove-ManagementRoleEntry
[PS] C:\Windows\system32>Get-ManagementRoleEntry "Limited Mail Recipients\*" | where {$_.name -ilike "*adserver*" -or $_.name -like "*policy*"} | Remove-ManagementRoleEntry
[PS] C:\Windows\system32>Get-ManagementRoleEntry "Limited Mail Recipients\*" | where {$_.name -ilike "*domain*" -or $_.name -like "*service*"} | Remove-ManagementRoleEntry
[PS] C:\Windows\system32>Get-ManagementRoleEntry "Limited Mail Recipients\*" | where {$_.name -like "*addressbook*"} | Remove-ManagementRoleEntry
[PS] C:\Windows\system32>Get-ManagementRoleEntry "Limited Mail Recipients\Get-PhysicalAvailabilityReport" | Remove-ManagementRoleEntry
[PS] C:\Windows\system32>Get-ManagementRoleEntry "Limited Mail Recipients\*contact*" | Remove-ManagementRoleEntry
[PS] C:\Windows\system32>Get-ManagementRoleEntry "Limited Mail Recipients\*mailuse*" | Remove-ManagementRoleEntry
[PS] C:\Windows\system32>Get-ManagementRoleEntry "Limited Mail Recipients\*recipient*" | Remove-ManagementRoleEntry -Confirm:$false
[PS] C:\Windows\system32>Get-ManagementRoleEntry "Limited Mail Recipients\*folder*" | Format-Table Name

Name
----
Get-MailboxCalendarFolder
Get-MailboxFolderPermission
Remove-MailboxFolderPermission
Add-MailboxFolderPermission
Get-MailboxFolderStatistics
New-PublicFolderDatabaseRepairRequest
Set-MailboxCalendarFolder
Set-MailboxFolderPermission

[PS] C:\Windows\system32>Get-ManagementRoleEntry "Limited Mail Recipients\*folder*" | Remove-ManagementRoleEntry -Confirm:$false
[PS] C:\Windows\system32>Get-ManagementRoleEntry "Limited Mail Recipients\*" | where {$_.name -like "*SentItems*" -or $_.name -like "*linkeduser*" -or $_.name -like "*ResourceConfig*"} | Remove-ManagementRoleEntry -Confirm:$false
Remove the DomainController parameter from all role entries
The first command collects every entry of the role that still exposes the DomainController parameter; the loop lists their names.
[PS] C:\Windows\system32>$domain = Get-ManagementRoleEntry "limited mail recipients\*" -Parameters DomainController
[PS] C:\Windows\system32>for ($i=0; $i -lt $domain.Length; $i++) {$domain[$i].name}
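The listing above only shows which entries still accept -DomainController. The following added example (not from the original post) actually strips that parameter from each of them with Set-ManagementRoleEntry -RemoveParameter and then re-runs the same filter to confirm nothing is left; it assumes the "Limited Mail Recipients" role created above.

```powershell
# Added example: remove the DomainController parameter from every entry of the
# custom role, then verify. Assumes the role "Limited Mail Recipients" from above.
$role = "Limited Mail Recipients"

# -Parameters acts as a filter: only entries that expose DomainController come back.
$entries = @(Get-ManagementRoleEntry "$role\*" -Parameters DomainController)
Write-Host ("{0} entries on '{1}' still accept -DomainController" -f $entries.Count, $role)

foreach ($entry in $entries) {
    # Identity is always "<role>\<cmdlet>". -RemoveParameter deletes only the named
    # parameter; the cmdlet itself stays on the role. Use -WhatIf first if unsure.
    Set-ManagementRoleEntry -Identity "$role\$($entry.Name)" `
        -Parameters DomainController -RemoveParameter -Confirm:$false
}

# Verification: the same filter must now return nothing.
$left = @(Get-ManagementRoleEntry "$role\*" -Parameters DomainController)
if ($left.Count -eq 0) {
    Write-Host "OK: no entry on '$role' exposes -DomainController any more"
} else {
    Write-Warning ("Still present: " + (($left | ForEach-Object { $_.Name }) -join ", "))
}
```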
If too much was removed by mistake, the entries can be added back with the following commands:
Method A: search the parent role directly and add the matches back (because the keyword search may match more than intended, this can re-add entries you had already decided to remove).
[PS] C:\Windows\system32>Get-ManagementRoleEntry "mail recipients\*cas*" | Add-ManagementRoleEntry -Role "Limited Mail Recipients"
Method B: first store the role entries to be removed in an array, copy the Name field of each element into a second array, then loop over the name array, use each name as the search condition against the parent role, and add the original entries back.
[PS] C:\Windows\system32>$cas = Get-ManagementRoleEntry "limited mail recipients\*cas*"
[PS] C:\Windows\system32>for ($i=0; $i -lt $cas.Length; $i++) {$casname += @($cas[$i].name)}
[PS] C:\Windows\system32>foreach ($j in $casname) {Get-ManagementRoleEntry "Mail Recipients\$j" | Add-ManagementRoleEntry -Role "limited mail recipients"}
Method C: use while to take the values directly from the $cas array; the subexpression $() is required for this to work inside the string.
[PS] C:\Windows\system32>$i = 0
[PS] C:\Windows\system32>while ($i -lt $cas.Length) {Get-ManagementRoleEntry "Mail Recipients\$($cas[$i].name)" | Add-ManagementRoleEntry -Role "limited mail recipients"; $i++}
4. Assign (add) the new role to the new role group
[PS] C:\Windows\system32>New-ManagementRoleAssignment -Name "Mailbox Operation Limited Mail Recipients" -Role "Limited Mail Recipients" -SecurityGroup "Mailbox Operation"
5. Create the security group and assign users to it
Create it on the domain controller; from then on, staff are simply added to or removed from that group on the domain controller.
6. Assign (add) the security group to the new role group
Add-RoleGroupMember "Mailbox Operation" -Member "邮箱操作员"
The result after these operations:
Also, users can only be created on the domain controller first, after which the mailbox for the existing user is created on the Exchange server; creating users directly through Exchange is no longer permitted.
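Once the role group, role and assignment are in place, the thing a reviewer will ask for is proof that the operator group really cannot reach the forbidden cmdlets. The following added audit script (not part of the original post) walks the role group's assignments, unions the cmdlets of every assigned role, checks them against a constructed list derived from the requirement (Full Access, Send As and mailbox deletion), and writes the diff between the custom role and its parent to a file; the role and group names are the ones used in this article, the output path is a placeholder.

```powershell
# Added example: audit what the "Mailbox Operation" role group can actually do.
# Assumes the names from this article; the output path is a placeholder.
$roleGroup   = "Mailbox Operation"
$parentRole  = "Mail Recipients"
$limitedRole = "Limited Mail Recipients"
$reportPath  = "d:\limited-role-removed-entries.txt"   # placeholder path

# Constructed from the requirement: Full Access management, Send As (AD permission
# management) and mailbox deletion must not be reachable by the operators.
$forbidden = @("Add-MailboxPermission", "Remove-MailboxPermission", "Get-MailboxPermission",
               "Add-ADPermission", "Remove-ADPermission",
               "Remove-Mailbox", "Disable-Mailbox")

# 1. Every role assigned to the role group (the page created exactly one, but a
#    later admin may add more, so enumerate instead of assuming).
$assignedRoles = Get-ManagementRoleAssignment -RoleAssignee $roleGroup |
    ForEach-Object { [string]$_.Role } | Sort-Object -Unique

# 2. Union of the cmdlets those roles expose.
$granted = foreach ($r in $assignedRoles) {
    Get-ManagementRoleEntry "$r\*" | ForEach-Object { $_.Name }
}
$granted = @($granted | Sort-Object -Unique)
Write-Host ("'{0}' grants {1} cmdlets via roles: {2}" -f $roleGroup, $granted.Count, ($assignedRoles -join ", "))

# 3. Flag any forbidden cmdlet that is still reachable.
$hits = @($forbidden | Where-Object { $granted -contains $_ })
if ($hits.Count -gt 0) {
    Write-Warning ("Role group still grants: " + ($hits -join ", "))
} else {
    Write-Host "OK: none of the forbidden cmdlets are reachable through '$roleGroup'"
}

# 4. Record exactly which entries were trimmed from the parent role.
$parentEntries  = Get-ManagementRoleEntry "$parentRole\*"  | ForEach-Object { $_.Name }
$limitedEntries = Get-ManagementRoleEntry "$limitedRole\*" | ForEach-Object { $_.Name }
$removed = Compare-Object $parentEntries $limitedEntries |
    Where-Object { $_.SideIndicator -eq "<=" } |
    ForEach-Object { $_.InputObject } | Sort-Object
$removed | Out-File -FilePath $reportPath
Write-Host ("{0} entries removed relative to '{1}', list written to {2}" -f $removed.Count, $parentRole, $reportPath)
```

Run it again after any change to the role group so that a re-added entry (for example through Method A above, which can over-match) is caught immediately.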