环境:windows server 2008 r2 企业版64位,
exchange2010sp2
需求:设立exchange日常操作员角色,仅做新用户邮箱的创建和更改配置,关闭代理发送、管理完全访问权限等其他所有权限。
问题:系统内置的recipient management角色组包含角色太多,如下:
Recipient Management分配的角色:
| Distribution Groups | | Mail Enabled Public Folders | | Mail Recipient Creation | | Mail Recipients | | Message Tracking | | Migration | | Move Mailboxes | | Recipient Policies |
其中Mail Recipient Creation用于创建邮箱、邮件用户、邮件联系人以及常规通讯组和动态通讯组。Mail Recipients用于管理组织中现有的邮箱、邮件用户和邮件联系人。但是有如下多余的权限:
特别是管理完全访问权限,是领导绝对不允许的。用Add-MailboxPermission -deny -AccessRights FullAccess后,照样可以用,而且会把-deny删除了。如下:
解决方案:需要新建一个全新的角色,用于分配权限 。
以下为自行总结的exchange权限模型,版权所有,嘿嘿:
为了便于后期维护和标准化,以将角色组分配给安全组的形式实现。
总体步骤:
一.建立角色组
二.建立新角色
三.修改角色条目(角色项)
四.建立安全组,并分配用户
五.将安全组分配(添加)到新角色组
六.将新角色分配(添加)到新角色组
操作步骤:
一.建立角色组
1
2
3
4
5
6
7
8
9
| [PS]C:\Windows\system32>New-RoleGroup -Name "Mailbox Operation"-DisplayName "邮箱日常操作" -Description "仅用于从AD现有账户新建邮箱和管理现有邮箱配置,并且禁止删除所有邮箱"
[PS]C:\Windows\system32>Get-RoleGroup "mailbox operation" |Format-Table -wrap
Name AssignedRoles RoleAssignments ManagedBy
---- ------------- --------------- ---------
Mailbox Operation {} {} {human.local/Microsoft Ex
change Security Groups/Organi
zationManagement, human.
local/信息管理部/test}
|
二.建立新角色
必须从现有的系统角色继承来建立新的角色!
1
2
3
4
5
| [PS]C:\Windows\system32>New-ManagementRole -Parent "Mail Recipients"-Name "Limited Mail Recipients" -Description "仅用于从AD现有账户新建邮箱和管理现有邮箱配置,并且禁止删除所有邮箱"
Name RoleType
---- --------
Limited Mail Recipients MailRecipients
|
三.修改角色条目(角色项)
必须通过删除现有的角色项或者修改现有的角色项内的参数来实现新的角色的权限控制。
解决方法: 方法一:把现有的角色项列表在Excel里整理好,把需要删除的留下来。用import-csv命令导入到数组,再从数组依次取值,然后通过管道符传给Remove-ManagementRoleEntry. 方法二:用Filter和where筛选并删除 方法三:使用通配符找一部分删除一部分。
1
| [PS]C:\Windows\system32>Get-ManagementRoleEntry "Limited MailRecipients\*" |Format-Wide name -AutoSize
|
Add-MailboxPermission Clear-ActiveSyncDevice Disable-MailContact Disable-ServiceEmailChannel Enable-MailContact Enable-MailUser Enable-ServiceEmailChannel Get-ADServerSettings Get-AcceptedDomain Get-ActiveSyncDevice Get-ActiveSyncDeviceStatistics Get-ActiveSyncMailboxPolicy Get-CalendarNotification Get-CalendarProcessing Get-Contact Get-DomainController Get-InboxRule Get-LogonStatistics Get-MailContact Get-MailUser Get-MailboxAutoReplyConfiguration Get-MailboxCalendarConfiguration Get-MailboxCalendarFolder Get-MailboxDatabase Get-MailboxFolderPermission Get-MailboxJunkEmailConfiguration Get-MailboxMessageConfiguration Get-MailboxPermission Get-MailboxSpellingConfiguration Get-MailboxStatistics Get-MessageCategory Get-MessageClassification Get-OfflineAddressBook Get-OrganizationalUnit Get-OwaMailboxPolicy Get-PhysicalAvailabilityReport Get-ResourceConfig Get-RoleAssignmentPolicy Get-ServiceAvailabilityReport Get-ServiceStatus Get-TextMessagingAccount Get-Trust Get-User Get-UserPrincipalNamesSuffix New-OwaMailboxPolicy Remove-ActiveSyncDevice Remove-MailboxFolderPermission Remove-MailboxPermission Remove-OwaMailboxPolicy Set-ADServerSettings Set-CalendarProcessing Set-LinkedUser Set-MailboxAutoReplyConfiguration Set-MailboxJunkEmailConfiguration Set-MailboxMessageConfiguration Set-MailboxSpellingConfiguration Update-Recipient Add-MailboxFolderPermission Write-AdminAuditLog Disable-InboxRule Get-MailboxFolderStatistics Test-MAPIConnectivity Set-User Enable-InboxRule Enable-RemoteMailbox Remove-InboxRule Set-MailboxRegionalConfiguration Get-SecurityPrincipal New-PublicFolderDatabaseRepairRequest Set-MailboxCalendarFolder Get-MailboxRegionalConfiguration Get-CASMailbox Get-Recipient New-MailboxRepairRequest Set-InboxRule Get-Mailbox Set-Contact Set-CASMailbox Get-ManagementRoleAssignment New-InboxRule Get-RemoteMailbox Set-MailboxSentItemsConfiguration Set-Mailbox Set-MailContact Set-MailUser Set-RemoteMailbox Get-HybridConfiguration Get-MailboxSentItemsConfiguration Set-HybridConfiguration Enable-Mailbox Set-MailboxFolderPermission Update-HybridConfiguration Disable-RemoteMailbox Disable-MailUser New-HybridConfiguration Disable-Mailbox Set-MailboxCalendarConfiguration Connect-Mailbox Set-OwaMailboxPolicy Get-AddressBookPolicy 一共有100条,需要删除所有不需要的条目,这么多不可能都看懂是什么意思。所以还需要进一步了解。 使用如下命令得到现有继承而来的角色项简要说明,根据说明选择需要的。 1
| [PS]C:\Windows\system32>Get-ManagementRoleEntry "limited mailrecipients\*" |foreach { get-help $_.name } |format-table name,Synopsis-wrap|Out-File d:\test2.txt
|
然后通过excel导入,在Excel内整理信息。
如下命令用于删除相关角色条目。
用于删除某一条的命令: 1
| Remove-ManagementRoleEntry "limited mail recipients\get-mailboxpermission" -Confirm:$false
|
//无需确认直接删除 1
2
| Remove-ManagementRoleEntry"limited mail recipients\add-mailboxpermission"
Remove-ManagementRoleEntry"limited mail recipients\ Remove -mailboxpermission"
|
把以上三条删除后,完全管理权限的选项即不出现了,而且必须把所有有关的三条都删除了才生效。
1
| [PS]C:\Windows\system32>Remove-ManagementRoleEntry "limited mailrecipients\*mailboxper*"
|
(说明剩下最后一条后也可以用通配符)
用于删除一批条目的命令 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
| [PS]C:\Windows\system32>Get-ManagementRoleEntry "Limited MailRecipients\disable*"
[PS]C:\Windows\system32>Get-ManagementRoleEntry "Limited MailRecipients\disable*" |Remove-ManagementRoleEntry –WhatIf
[PS] C:\Windows\system32>Get-ManagementRoleEntry"Limited Mail Recipients\disable*" |Remove-ManagementRoleEntry
[PS]C:\Windows\system32>Get-ManagementRoleEntry "Limited MailRecipients\*hybrid*" |Remove-ManagementRoleEntry -Confirm:$false
[PS]C:\Windows\system32>Get-ManagementRoleEntry "Limited MailRecipients\*" |where {$_.name -ilike "*remote*" -or $_.name-like "*domaincontrol*" } | Remove-ManagementRoleEntry
[PS]C:\Windows\system32>Get-ManagementRoleEntry "Limited MailRecipients\*" |where {$_.name -ilike "*adserver*" -or $_.name-like "*policy*" } | Remove-ManagementRoleEntry
[PS]C:\Windows\system32>Get-ManagementRoleEntry "Limited MailRecipients\*" |where {$_.name -ilike "*domain*" -or $_.name-like "*service*" } | Remove-ManagementRoleEntry
[PS] C:\Windows\system32>Get-ManagementRoleEntry"Limited Mail Recipients\*" |where {$_.name -like"*addressbook*" } | Remove-ManagementRoleEntry
[PS]C:\Windows\system32>Get-ManagementRoleEntry "Limited Mail Recipients\Get-PhysicalAvailabilityReport" |Remove-ManagementRoleEntry
[PS]C:\Windows\system32>Get-ManagementRoleEntry "Limited MailRecipients\*contact*" | Remove-ManagementRoleEntry
[PS] C:\Windows\system32>Get-ManagementRoleEntry "LimitedMail Recipients\*mailuse*" | Remove-ManagementRoleEntry
[PS] C:\Windows\system32>Get-ManagementRoleEntry "LimitedMail Recipients\*recipient*" |Remove-ManagementRoleEntry -confirm:$false
[PS] C:\Windows\system32>Get-ManagementRoleEntry "LimitedMail Recipients\*folder*" | Format-Table name
Name
----
Get-MailboxCalendarFolder
Get-MailboxFolderPermission
Remove-MailboxFolderPermission
Add-MailboxFolderPermission
Get-MailboxFolderStatistics
New-PublicFolderDatabaseRepairRequest
Set-MailboxCalendarFolder
Set-MailboxFolderPermission
[PS] C:\Windows\system32>Get-ManagementRoleEntry "LimitedMail Recipients\*folder*" |Remove-ManagementRoleEntry -confirm:$false
[PS]C:\Windows\system32>Get-ManagementRoleEntry "Limited MailRecipients\*" | where {$_.name -like "*SentItems*" -or $_.name-like "*linkeduser*" -or $_.name -like "*ResourceConfig*" }|Remove-ManagementRoleEntry -Confirm:$false
|
删除所有角色条内的参数DomainController
1
2
| [PS] C:\Windows\system32>$domain = Get-ManagementRoleEntry"limited mail recipients\*" -Parameters DomainController
[PS] C:\Windows\system32>for($i=0;$i -lt$domain.Length;$i++){$domain[$i].name}
|
如果误删除多了,可用如下命令添加回去: 方法A:直接从父角色中搜索并添加回去(可能会由于关键字搜索结果重复问题把之前确定删除了的项目又添加回去) 1
| [PS] C:\Windows\system32>Get-ManagementRoleEntry "mailrecipients\*cas*" |Add-ManagementRoleEntry -role "Limited MailRecipients"
|
方法B:先将预删除的角色项赋值给数组,再取数组元素中的NAME字段值给新的数组,然后从NAME数组循环取值依次作父角色搜索条件,把原来的项目添加回去。 1
2
3
| [PS] C:\Windows\system32> $cas=Get-ManagementRoleEntry "limitedmail recipients\*cas*"
[PS] C:\Windows\system32>for ($i=0;$i -lt$cas.Length;$i++){$casname +=@($cas[$i].name)}
[PS] C:\Windows\system32>foreach ($j in $casname){Get-ManagementRoleEntry "Mail Recipients\$j" |Add-ManagementRoleEntry -role "limited mail recipients"}
|
方法C:用while直接从数组$cas中取值,必须要用$()来实现。 1
2
| [PS] C:\Windows\system32>$i=0
[PS] C:\Windows\system32>while ($i -lt $cas.Length){Get-ManagementRoleEntry "Mail Recipients\$($cas[$i].name)"|Add-ManagementRoleEntry -role "limited mail recipients"; $i++}
|
四.将新角色分配(添加)到新角色组
1
| [PS]C:\Windows\system32>New-ManagementRoleAssignment -name "MailboxOperation Limited Mail Recipients" -Role "Limited MailRecipients" -SecurityGroup "Mailbox Operation"
|
五.建立安全组,并分配用户
在域控上建议,以后直接在域控上增删人员即可。
六.将安全组分配(添加)到新角色组
Add-RoleGroupMember "Mailbox Operation" -Member"邮箱操作员"
操作之后的效果:
另,只能先在域控上建立用户,然后在EXCHANGE服务器上新建现有用户的邮箱。不允许再通过exchange直接新建用户。
| 
QQ群⑧:
窥视卡
雷达卡
发表于 2015-9-9 09:23:07
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡