Exchange Server 2010 Supporting Administration: Introduction to Role Based Access Control

Jonathan Runyon
Exchange 2010 Content BRE
Microsoft
1/1/2009 Microsoft Confidential - For Internal Use Only
Module Overview
Before You Begin
Before starting this module you should:
Be familiar with using Microsoft Windows Active Directory
permissions to control administrative access to objects associated
with Windows based applications.
Be familiar with using Windows PowerShell commands to manage
an Exchange organization.
What You Will Learn
Describe how Role Based Access Control is used to manage access
to administrative tasks and control their degree of functionality in
an Exchange 2010 environment.
Apply Role Based Access Control in a variety of administrative
scenarios.
Troubleshoot the implementation of Role Based Access Control
using diagnostic tools and investigative methods.

Lesson 1: Exchange Server 2010 Administrative Permissions Overview

After completing this lesson you will be able to:
Discuss the strategy for managing administrative permissions for an Exchange organization
Explain the goals of using Role Based Access Control to manage administrative permissions and access to administrative tasks
Discuss the benefits of using Role Based Access Control to control access to administrative tasks and the degree of functionality they expose

Administrative Access Control Concepts
Terminology
Scenarios
Typical Exchange Management Roles

Terminology
ACL: Access control list - A list of security protections that applies to an object. (An object can be a file, process, or anything else having a security descriptor.)
Administrator: A person employed to maintain and operate a computer system and/or network. Administrators are usually charged with installing, supporting, and maintaining servers or other computer systems, and planning for and responding to service outages and other problems. For the purposes of this module an administrator is an IT Pro whose primary responsibility is to manage an Exchange organization.
Authentication: The process for verifying that a user, computer, service, or process is who or what it claims to be.
Authorization: The act of controlling access and rights to a resource. For example, allowing members of one group to read a file, but allowing only members of another group to alter the file.
Credentials: Previously authenticated logon data that a security principal uses to establish its own identity, such as a password or a Kerberos protocol ticket. Credentials are used to control access to resources.
Delegation: The transfer of administrative responsibility for a specific administrative task from a higher authority to a lower authority. Delegation of administration involves a higher-level administrator granting a controlled set of permissions to a lower-level administrator in order to carry out a specific administrative task.
Digital identity: The unique identifier and descriptive attributes of a person, group, computer, device or service.
Group: A collection or association of user accounts (identities) and/or other groups.
IT Pro: Information Technology Professional - a person responsible for the technical evaluation, deployment, maintenance and support of software and hardware in a business.
Identity store: A repository in the form of a directory that contains digital identities. Active Directory provides an identity store with a well-defined schema for what information can be stored and in what form it can be recorded.
Least privilege: The principle that every element in a computing environment (such as a process, a user or a program) must be able to access only the information and resources necessary to its rightful function.

Terminology (continued)
Privilege: The right of a user to perform various system-related operations, such as shutting down the system, loading device drivers, or changing the system time. A user's access token contains a list of the privileges that the user or the user's groups hold.
Role: An abstraction that represents a set of functional responsibilities; a role can be comprised of the specific permissions needed to discharge those responsibilities.
RBAC: Role based access control - An access-control mechanism based upon assigning users or processes to roles.
Scope: A collection of objects or resources with a distinct authorization policy. A scope can represent a physical collection, such as a folder, or a more flexible collection of resources, such as *.doc. Applications can use the scope as necessary to group resources, and must be able to map the requested resource to its scope at the time the application checks the access for a user.
Security context: The security attributes or rules that are currently in effect. For example, the current user logged on to the computer or the personal identification number entered by the smart card user.
Task: One or more low-level operations. The purpose of a task is to determine which low-level operations are required to do some unit of work that is meaningful to administrators. An example of a task is the cmdlet Set-Mailbox.
Token (access token): An access token contains the security information for a logon session. The system creates an access token when a user logs on, and every process executed on behalf of the user has a copy of the token. The token identifies the user, the user's groups, and the user's privileges. The system uses the token to control access to securable objects and to control the ability of the user to perform various system-related operations on the local computer.
Top level administrator: A top level administrator has access to, and controls access to, all resources and operations associated with an application or system.
User: An end user. In order to identify themselves for the purposes of accounting, security, logging and resource management, a user has an account (a user account), a username, and a password. A user account allows one to authenticate to system services. For the purposes of this module, a user has a mailbox used for messaging and collaboration but generally is not involved directly in Exchange administration.

Scenarios
Organization Management
Server Management
Database Management
Recipient Management
Records Management
Self-Serve Management
Specialist Management

Typical Exchange Management Roles
Legacy Exchange Access Control History
Features
Management Roles
Exchange 2003
Exchange 2007
Split Permissions Model
Challenges

Exchange 2003
The following roles were applied to users and groups
through the Delegation Wizard in Exchange System
Manager:
Exchange Full Administrator
Exchange Administrator
Exchange View Only Administrator

Exchange 2007
The following roles are applied to users and groups using
the Exchange Management Console and the Exchange
Management Shell:
Exchange Organization Administrators
Exchange Recipient Administrators
Exchange View-Only Administrators
Exchange Public Folder Administrators
Exchange Server Administrators

Split Permissions Model
Allows for separate administrators for Active Directory and Exchange
Attribute Level Access Control
Security descriptor on objects grants level of access
Discretionary access control lists (DACLs) - access permissions
System access control lists (SACLs) - auditing contexts
Property Sets - grouping of attributes that enables access control to a subset of an object's properties
An Access Control Entry can be set on a property set instead of on each individual property
Exchange 2003 added Personal Information and Public Information
Exchange 2007 added Exchange Information and Exchange Personal Information

Challenges
Current management role implementation is limited
Access control management is complex
Permissions are focused on objects and not tasks
Excessive privileges required for some Exchange
operations
Object access auditing and delegated permissions
reporting is difficult
There is no support for Self-Service management

Exchange Server 2010 Access Control
New Features
Management roles based on administrative tasks
Customized roles
Management role scopes
Organization-wide enforcement
Access control at the task level
Auditing and Reporting

Lesson 2: Exchange 2010 RBAC Architecture

After completing this lesson you will be able to:
Describe the basics of RBAC.
List the components that make up the Exchange 2010 implementation of RBAC.
Describe how RBAC is used to control access to objects and resources through Exchange administrative interfaces.

RBAC Basics
ACLs and Exchange Administrative Applications
Leveraging Role Based Access Control
Authorization Manager Model

ACLs and Exchange Administrative Applications
The Windows OS supports ACLs for access control in applications
ACL models require administrators to translate the organization's authorization policy into permissions on objects and object containers
For Exchange, access decisions must be made on business logic, which does not map straightforwardly onto object permissions

Leveraging Role Based Access Control
Role based access control (RBAC):
Simplifies access control administration
Provides better manageability in enterprise environments
RBAC creates a new context called a role
Assign users to a role
Roles are mapped to application permissions
In most cases, changes to role permissions are rare

Authorization Manager Model
Authorization Manager is a set of COM-based runtime interfaces that allows applications to easily manage and verify a client's requests to perform application operations.

Components
Management Roles
Management Role Entries
Built-In Management Roles
Management Role Scopes
Role Groups
Role Assignment Policies
Management Role Assignments
Exchange Default USG Implementation

Basic Management Role Model
[Diagram: a Role Assignment links the "Who" (User, USG, or Role Assignment Policy) to the "What" (Role) and the "Where" (Scope)]

Management Role Configuration Objects in AD
[Diagram not reproduced in this extract]

Management Roles
Built-In Management Roles
Custom Management Roles
Management Role Entries
Unscoped Top Level Management Roles

Management Role Basics
Management roles exist in a parent-child hierarchy
Built-in management roles are at the top and are read only
Custom roles are created as needed and are based on a built-in role or on another custom role
Custom roles are child objects of the role they are based on, and inherit properties from the parent
Custom roles can be modified to provide the desired level of access control

Mail Recipients
└─Tier2 HelpDesk
  └─Tier1 HelpDesk

Management Role Entry Basics
A role entry is a task that is to be made available to a user
Stored as an element of the attribute msExchRoleEntries on the management role object
Cmdlet plus parameters

Management Role Entries
Controlling Task Access with Management Role Entries
A user only has access to tasks that are entries on the management roles that are assigned to the user
Each entry lists the individual parameters of the cmdlet that are available; parameters not on the entry cannot be used
Management Role Entry Inheritance
A custom management role inherits the entries from the role on which it is based
Custom roles are customized by removing the entries (or individual parameters) that are not to be made available by the role
Tasks cannot be added as entries on a custom role unless the task is on the parent role
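Worked example (added here; it is not part of the module's slides or its sample scripts). It carries the role/entry mechanics above through in the Exchange Management Shell: derive a custom role, trim whole entries, trim individual parameters on a kept entry, and confirm the child cannot exceed its parent. The role name "Tier2 HelpDesk" and the choice of which cmdlets and parameters to drop are assumptions; Mail Recipients, Mail Recipient Creation, Connect-Mailbox, New-Mailbox, Set-Mailbox and its forwarding parameters are real Exchange 2010 names.

```powershell
# Added example, not from the module. Derive a custom role from the built-in
# "Mail Recipients" role, trim whole tasks, trim individual parameters, and
# confirm the child cannot exceed its parent. "Tier2 HelpDesk" and the chosen
# parameters are assumptions for illustration.

# 1. Create the child role. It starts with every entry the parent has.
New-ManagementRole -Name "Tier2 HelpDesk" -Parent "Mail Recipients"

# 2. Inspect what was inherited: one entry per cmdlet, each with its parameter list.
Get-ManagementRoleEntry "Tier2 HelpDesk\*" |
    Sort-Object Name |
    Format-Table Name, @{n="ParameterCount"; e={ $_.Parameters.Count }} -AutoSize

# 3. Remove whole tasks the help desk should never run. Filtering the existing
#    entries first means a name that is not on the role is simply skipped.
$dropCmdlets = "Connect-Mailbox", "Disable-Mailbox", "Remove-MailboxPermission"
Get-ManagementRoleEntry "Tier2 HelpDesk\*" |
    Where-Object { $dropCmdlets -contains $_.Name } |
    Remove-ManagementRoleEntry -Confirm:$false

# 4. Keep Set-Mailbox but strip the parameters that redirect mail. A help desk
#    that can set ForwardingSmtpAddress can quietly copy a user's mail outside
#    the organization, so those parameters are removed from the entry.
Set-ManagementRoleEntry -Identity "Tier2 HelpDesk\Set-Mailbox" `
    -Parameters ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward `
    -RemoveParameter

# 5. A child cannot gain tasks its parent lacks. New-Mailbox is an entry on the
#    "Mail Recipient Creation" role, not on "Mail Recipients", so this is refused.
try {
    Add-ManagementRoleEntry -Identity "Tier2 HelpDesk\New-Mailbox" -ErrorAction Stop
} catch {
    Write-Warning ("Refused as expected: " + $_.Exception.Message)
}

# 6. Verify the final shape of the sensitive entry before the role is assigned.
$entry  = Get-ManagementRoleEntry "Tier2 HelpDesk\Set-Mailbox"
$leaked = $entry.Parameters | Where-Object {
    $_ -like "Forwarding*" -or $_ -eq "DeliverToMailboxAndForward"
}
if ($leaked) {
    Write-Warning "Forwarding parameters still present: $($leaked -join ', ')"
} else {
    Write-Host "Set-Mailbox entry on Tier2 HelpDesk exposes no forwarding parameters."
}
```

Step 6 is the check worth keeping in a change script: an entry is only as tight as its parameter list, and a later Add-ManagementRoleEntry or -AddParameter by someone with the Role Management role silently widens it again.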

Built-In Management Roles
Administrative Management Roles
Used to provide access to management tasks for organization, recipient and server administration
Divided into logical groupings of tasks for specific functions
Examples:
Databases - enables administrators to create, manage, mount, and dismount mailbox and public folder databases on individual servers
Mail Recipients - enables administrators to manage existing mailboxes, mail users, mail contacts, distribution groups, and dynamic distribution groups
Message Tracking - enables administrators to track messages in an organization
See table in workbook for full listing with descriptions

Built-In Management Roles (continued)
User-Focused Management Roles
Used to provide access to management tasks for DIY and self-management
Divided into logical groupings of tasks for specific functions
Examples:
MyBaseOptions - enables individual users to view and modify the basic configuration of their own mailbox and associated settings
MyDistributionGroups - enables individual users to create, modify, and view distribution groups and modify, view, remove, and add members to distribution groups they own
MyVoiceMail - enables individual users to view and modify their voice mail settings
See table in workbook for full listing with descriptions

Built-In Management Roles (continued)
Specialty Management Roles
Used to provide access to management tasks that are not specific to administration or self-management
Management Role Name: Description
ApplicationImpersonation: This role enables the user to configure whether an application is able to impersonate a mailbox. Impersonation enables the sending account to send as the specified user rather than on behalf of the specified user.

Built-In Management Roles (continued)
Unscoped Top Level Management Roles
Special type of management role that makes it possible to grant users access to custom scripts and non-Exchange cmdlets
Cannot be scoped to a specific target
Can be assigned to role assignees such as role groups, management roles, users, and USGs, but not to role assignment policies
Role entries added to an unscoped role must also be designated as unscoped top level role entries
Scenario - provide access to a highly privileged task through a script that contains only the specific functionality required
The Organization Management role group does not, by default, have permissions to create or manage unscoped top level roles
It needs the Unscoped Role Management role
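Worked example for the scenario above (added here; not part of the module). It exposes one privileged operation through a script via an unscoped top level role. The role name, the script Set-QuotaTier.ps1 and its parameters, the role group and the member account are assumptions; New-ManagementRole -UnScopedTopLevel, Add-ManagementRoleEntry -Type Script, the RemoteScripts directory and the Unscoped Role Management role are real Exchange 2010 names.

```powershell
# Added example, not from the module. Expose one privileged operation through
# a script via an unscoped top-level role. Names, the script and the group are
# assumptions; the cmdlets, switches and the Unscoped Role Management role are
# real Exchange 2010 names.

# 0. Organization Management only holds a delegating assignment for
#    "Unscoped Role Management", so first give it a regular assignment.
New-ManagementRoleAssignment -Name "Unscoped Role Management-Organization Management" `
    -Role "Unscoped Role Management" -SecurityGroup "Organization Management"

# 1. Create the unscoped role. It has no parent and no implicit scopes.
New-ManagementRole -Name "Mailbox Quota Scripts" -UnScopedTopLevel

# 2. Add the script as a role entry. The script must already exist in the
#    RemoteScripts directory of the Exchange installation on every server the
#    assignee may connect to; only the parameters listed here are exposed.
Add-ManagementRoleEntry -Identity "Mailbox Quota Scripts\Set-QuotaTier.ps1" `
    -Parameters Identity, Tier -Type Script -UnScopedTopLevel

# 3. Hand the role to a role group. Unscoped roles cannot be scoped, so the
#    only boundary on what the script touches is what the script itself enforces.
New-RoleGroup -Name "Quota Operators" -Roles "Mailbox Quota Scripts" `
    -Members "helpdesk-lead@contoso.com"

# 4. Check what was granted: the entry should be of type Script with exactly
#    the parameters listed, and the assignment should carry no write scope.
Get-ManagementRoleEntry "Mailbox Quota Scripts\*" | Format-List Name, Type, Parameters
Get-ManagementRoleAssignment -Role "Mailbox Quota Scripts" |
    Format-Table RoleAssigneeName, RecipientWriteScope, ConfigWriteScope -AutoSize
```

Because the assignee runs whatever the file contains, the script file and the ACL on the RemoteScripts directory are part of the trust boundary: anyone who can edit Set-QuotaTier.ps1 on a server effectively holds the privilege, and the script itself has to validate the Identity and Tier values it accepts.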

Management Role Scopes
Enable you to define the scope of access at the time of role assignment
Only objects that fall within the scope can be modified by the role assignee
Management scopes can be:
Inherited from the parent role as an Implicit scope
Specified as a predefined built-in Relative scope
Administrator-defined as a custom Explicit scope

Implicit Scopes
Implicit scopes are the default scopes that apply to a management role type
An implicit scope applies to a parent built-in role, and to all custom roles based on that role
By default all roles have four implicit scopes:
RecipientReadScope - which recipients can the assignee "see"?
RecipientWriteScope - which recipients can the assignee modify?
ConfigReadScope - which configuration objects can the assignee "see"?
ConfigWriteScope - which configuration objects can the assignee modify?

Implicit Scope Types
Examples:
Self - the role can modify only the properties of the current user's mailbox
Organization - the role can create or modify recipient objects across the Exchange organization
When an explicit scope is not specified, the implicit scope applies to the role assignment
Write scopes are always equal to or narrower than the read scope
Read scopes are always implicit
See table in workbook for full listing with descriptions

Explicit Scope Types
Explicit scopes are specified by the administrator at role assignment time to control object access
Explicit scopes override the implicit write scopes on the role, but cannot exceed the bounds of the implicit scope
An explicit scope can be narrower, but not broader, than the role's implicit scopes
There are two types of explicit scopes:
predefined relative scopes
custom scopes

Predefined Relative Scopes
Several predefined relative scopes are available to be specified at role assignment time
Relative scopes can only be used to scope recipient objects, not configuration objects
Used to override the implicit recipient write scope
See table in workbook for full listing with descriptions

Custom Scopes
Use custom scopes when implicit scopes and relative scopes do not provide the level of control required
Defined and stored as configuration objects in AD, or applied by filter at time of assignment
Override either the implicit recipient write scope or the implicit configuration write scope
The scope definition uses a filter (OPath) to determine the scope boundary
Recipient filterable attributes, for example: department, office, manager
Exchange server filterable attributes, for example: AD site, server role; or an explicit server list

Exclusive Scopes
Scopes may overlap when RBAC evaluates access control
A given role assignee may therefore have access to sensitive objects that fall within a broad scope
Administrators may need to extend access control over a broad range of objects, but prevent access to more sensitive objects to which exclusive access must be maintained
An exclusive scope restricts write access to the objects it contains to only those role assignees whose role assignments use that exclusive scope; every other assignment is denied, even where its own scope would include the objects
Exclusive scope scenario:

Exclusive Scopes (continued)
Exclusive scopes can be used to control access to recipients and servers
An exclusive scope is a custom scope that is designated Exclusive at the time of creation
An exclusive scope may overlap with other exclusive scopes
Objects that fall within more than one exclusive scope can be accessed by any role assignee that uses one of those exclusive scopes
Implicit read scopes are not affected by exclusive scopes
Role assignees that use regular scopes continue to "see" objects that fall within both the implicit read scope and an exclusive scope, but cannot manage them
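Worked example covering the Custom Scopes and Exclusive Scopes slides above (added here; not part of the module). It creates a filter-based recipient scope, a server scope keyed on an AD site, and an exclusive scope that fences off sensitive mailboxes, then attaches each to a role assignment. The scope and group names, the Office and CustomAttribute1 values, the site DN and the member account are assumptions; the role groups "Dallas Tier2 HelpDesk" and "Dallas Server Admins" are assumed to exist already.

```powershell
# Added example, not from the module. Three scopes: a filter-based recipient
# scope, a server scope by AD site, and an exclusive scope that fences off
# sensitive mailboxes. Names, attribute values and the site DN are assumptions.

# Recipient scope: recipients whose Office attribute is "Dallas".
New-ManagementScope -Name "Dallas Recipients" -RecipientRestrictionFilter { Office -eq "Dallas" }

# Server scope: servers in one AD site. ServerSite takes the site's distinguished name.
New-ManagementScope -Name "Dallas Servers" `
    -ServerRestrictionFilter { ServerSite -eq "CN=Dallas,CN=Sites,CN=Configuration,DC=contoso,DC=com" }

# Exclusive scope: mailboxes tagged as executive. -Force suppresses the warning
# that this immediately blocks every non-exclusive assignment from writing to
# these objects, including the Dallas help desk assignment created below.
New-ManagementScope -Name "Executive Mailboxes" `
    -RecipientRestrictionFilter { CustomAttribute1 -eq "Executive" } -Exclusive -Force

# Broad assignment: the Dallas help desk may modify Dallas recipients (write
# scope) while still reading the whole organization (implicit read scope).
New-ManagementRoleAssignment -Name "Mail Recipients-Dallas Tier2 HelpDesk" `
    -Role "Mail Recipients" -SecurityGroup "Dallas Tier2 HelpDesk" `
    -CustomRecipientWriteScope "Dallas Recipients"

# Server assignment: Dallas server admins may manage databases on Dallas servers only.
New-ManagementRoleAssignment -Name "Databases-Dallas Server Admins" `
    -Role "Databases" -SecurityGroup "Dallas Server Admins" `
    -CustomConfigWriteScope "Dallas Servers"

# Exclusive assignment: only this group can write to executive mailboxes, even
# the ones whose Office is Dallas. The group is created without roles so that
# the exclusive assignment is its only assignment.
New-RoleGroup -Name "Executive Admins" -Members "exec-admin@contoso.com"
New-ManagementRoleAssignment -Name "Mail Recipients-Executive Admins" `
    -Role "Mail Recipients" -SecurityGroup "Executive Admins" `
    -ExclusiveRecipientWriteScope "Executive Mailboxes"

# Checks a reviewer would run: which exclusive scopes exist, and which
# assignments carry a custom or exclusive write scope (and which still have
# the implicit Organization write scope).
Get-ManagementScope -Exclusive | Format-Table Name, RecipientFilter -AutoSize
"Dallas Tier2 HelpDesk", "Dallas Server Admins", "Executive Admins" | ForEach-Object {
    Get-ManagementRoleAssignment -RoleAssignee $_
} | Format-Table Name, RecipientWriteScope, CustomRecipientWriteScope,
                 ConfigWriteScope, CustomConfigWriteScope -AutoSize
```

The second check is the one that catches the common mistake: a role group that was created with -Roles but no scope carries an implicit Organization write scope on that assignment, and a custom scope added later on a second assignment does not narrow the first (the union of scopes applies, as the next slide explains).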

Scope Container Hierarchy
When processing requests, RBAC uses an aggregation of scopes
A union of scopes is used to determine the resulting scope
The widest scope for a given entry is the scope applied
Example: Set-Mailbox is provided to a role assignee by two different assignments, one with Self scope and one with Organization scope
The Organization scope is applied because it is wider than Self

Management Scope Container Hierarchy
[Diagram not reproduced in this extract]

Role Groups
Special Universal Security Groups (USG) that simplify role
assignment to a group of users
Members of the role group have access control provided by the
roles assigned to the group, as if the roles had been assigned
directly to the members
Managed using Exchange management tasks so that there
is no need to have access to AD management tools
Possible to create a role group, assign roles and add
members to the group in one command

Built-In Role Groups
Exchange 2010 provides basic role groups that apply to most typical management scenarios
Examples:
Organization Management - members have administrative access to the entire organization
Recipient Management - members have administrative access to create or modify Exchange 2010 recipients within the organization
Server Management - members have administrative access to Exchange 2010 server configuration
Role groups are not protected from customization, except for Organization Management:
Cannot remove delegating role assignments
Cannot remove the Role Management role
See table in workbook for full listing with descriptions

Linked Role Groups
Used in organizations that install Exchange 2010 in a dedicated resource forest, with user accounts in other trusted (foreign) forests
Requires at least a one-way trust: the Exchange forest trusts the foreign forest
A linked role group definition has two parts:
Linked role group - associates the foreign USG with the role assignments that are assigned to the role group
Foreign USG - contains the members that should be granted the permissions provided by the linked role group

Role Group Delegation
By default, Organization Management role group members can add/remove role group members as needed
Group delegation allows others to add/remove members
Controlled by the ManagedBy property on each role group
A delegated user is not granted any access by the role group unless they are also a member
Organization Management role group members can still manage all role groups using the override option
BypassSecurityGroupManagerCheck switch on the relevant tasks
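Worked example for the Role Groups and Role Group Delegation slides (added here; not part of the module). It creates a role group with its role, scope and members in one command, delegates membership management through ManagedBy, and shows the override switch. The group, OU and account names are assumptions; the "Tier2 HelpDesk" role is assumed to exist from the earlier role example.

```powershell
# Added example, not from the module. Create a role group whose membership is
# delegated to a non-administrator, then show the ManagedBy check and the
# Organization Management override. All names are assumptions.

# Role group, role assignment (scoped to one OU) and initial members in one command.
New-RoleGroup -Name "Dallas Tier2 HelpDesk" -Roles "Tier2 HelpDesk" `
    -RecipientOrganizationalUnitScope "contoso.com/Dallas" `
    -Members "alice@contoso.com", "bob@contoso.com" `
    -ManagedBy "carol@contoso.com"

# carol can now add and remove members, but the group grants her nothing
# unless she is also listed in Members.
Get-RoleGroup "Dallas Tier2 HelpDesk" | Format-List Name, Roles, ManagedBy, Members

# Change the delegates later without touching the role assignments.
Set-RoleGroup "Dallas Tier2 HelpDesk" -ManagedBy "carol@contoso.com", "dave@contoso.com"

# Run by someone who is neither in ManagedBy nor in Organization Management:
# the ManagedBy check refuses the change.
try {
    Add-RoleGroupMember "Dallas Tier2 HelpDesk" -Member "erin@contoso.com" -ErrorAction Stop
} catch {
    Write-Warning ("Refused by the ManagedBy check: " + $_.Exception.Message)
}

# Run by an Organization Management member: the switch states the override
# explicitly, which is what you want to see in an audit trail.
Add-RoleGroupMember "Dallas Tier2 HelpDesk" -Member "erin@contoso.com" -BypassSecurityGroupManagerCheck

# Periodic review: members, and whether a delegate has quietly added themselves.
$group = Get-RoleGroup "Dallas Tier2 HelpDesk"
Get-RoleGroupMember $group.Name | Format-Table Name, RecipientType -AutoSize
$group.ManagedBy | Where-Object { $group.Members -contains $_ } |
    ForEach-Object { Write-Warning "Delegate $_ is also a member and so holds the group's roles" }
```

The last check matters because delegation is membership management only: the moment a ManagedBy delegate adds their own account, they hold every role assigned to the group within its scope.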

Role Assignment Policies
Used to link user-level role assignments to a mailbox user
Role assignments applied to the policy are in turn applied to each mailbox user that is linked to the policy
The RoleAssignmentPolicy property on the mailbox user account points to the policy name
Roles are assigned to a policy in the same way as to other assignees, with exceptions:
Only self-management roles can be assigned to policies; no administrative roles are allowed
Only one policy at a time can be linked to a mailbox user
A single policy is provided and designated as the Default policy, and is applied to mailbox users at provisioning time
Additional policies can be created as needed, and a new default policy can be designated

Role Assignment Policy example
[Diagram not reproduced in this extract]
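Worked example for role assignment policies (added here; not part of the module). It builds a reduced self-service policy, shows that an administrative role is refused on a policy, links existing mailboxes to it, makes it the default, and verifies. The policy name, OU and mailbox are assumptions; the My* roles and cmdlets are real Exchange 2010 names.

```powershell
# Added example, not from the module. A reduced self-service policy for
# contractor mailboxes, applied explicitly and then made the default.
# Policy name, OU and account names are assumptions.

# 1. New policy with only two end-user roles. (The Default policy also carries
#    MyVoiceMail, MyTextMessaging and MyDistributionGroupMembership.)
New-RoleAssignmentPolicy -Name "Restricted Users" -Roles MyBaseOptions, MyContactInformation

# 2. Policies accept end-user (My*) roles only; an administrative role is refused.
try {
    New-ManagementRoleAssignment -Role "Mail Recipients" -Policy "Restricted Users" -ErrorAction Stop
} catch {
    Write-Warning ("Refused as expected: " + $_.Exception.Message)
}

# 3. Link existing mailboxes. A mailbox has exactly one policy, so this
#    replaces whatever policy (usually Default) each mailbox had.
Get-Mailbox -OrganizationalUnit "contoso.com/Contractors" -ResultSize Unlimited |
    Set-Mailbox -RoleAssignmentPolicy "Restricted Users"

# 4. Make it the policy that new mailboxes receive at provisioning time.
Set-RoleAssignmentPolicy "Restricted Users" -IsDefault

# 5. Verify: which policy a mailbox points at, what that policy grants, and
#    which policy is currently the default.
Get-Mailbox "contractor1@contoso.com" | Select-Object Name, RoleAssignmentPolicy
Get-ManagementRoleAssignment -RoleAssignee "Restricted Users" |
    Format-Table Role, RoleAssigneeType, RoleAssignmentDelegationType -AutoSize
Get-RoleAssignmentPolicy | Format-Table Name, IsDefault, AssignedRoles -AutoSize
```

Changing the default only affects mailboxes created afterwards; step 3 is what moves the mailboxes that already exist.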

Management Role Assignments
Links a management role to a role assignee: a User, Role Group, USG or Role Assignment Policy
A role assignment can only link a single role
A role assignee may have several role assignments
All role entries are evaluated by RBAC and aggregated
A scope can also be applied at time of assignment
If an explicit scope is not specified, the implicit scope from the role is used instead
The role specified by a role assignment cannot be changed to a different role
Create a new role assignment with the desired role instead

Management Role Delegation
When you assign a management role to a user or group, you can specify whether that user or group can delegate the role to other users or groups
Users with a delegating management role assignment can assign that role to others, but are not given the access provided by the role itself
Two role assignments are therefore required for a user to both use and delegate a role: one delegating, one regular
The RoleAssignmentDelegationType property determines the delegation behavior of a role assignment:
Regular - no delegation
Delegating - designates that the assignee can delegate the role to others
DelegatingOrgWide - designates that the assignee can modify the role and its role assignments
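Worked example for delegating assignments (added here; not part of the module). The group and account names are assumptions. One point the slide leaves implicit: a delegating assignment decides which role may be handed out, but the cmdlets that create assignments are themselves role entries on the built-in Role Management role, so a delegate who has no role exposing them cannot exercise the delegation (a user only has the tasks that are entries on roles assigned to them).

```powershell
# Added example, not from the module. A delegating assignment lets a group hand
# out a role it does not itself hold. Names are assumptions.

# The delegates need the assignment cmdlets themselves; those are entries on
# the built-in "Role Management" role, which this regular assignment provides.
New-RoleGroup -Name "Recipient Role Delegates" -Roles "Role Management" -Members "frank@contoso.com"

# The delegating assignment decides WHICH role the group may hand out.
New-ManagementRoleAssignment -Name "Mail Recipients-Recipient Role Delegates-Delegating" `
    -Role "Mail Recipients" -SecurityGroup "Recipient Role Delegates" -Delegating

# Side by side: Delegating for Mail Recipients, Regular for Role Management.
# frank cannot run Set-Mailbox; he can only assign the role that contains it.
Get-ManagementRoleAssignment -RoleAssignee "Recipient Role Delegates" |
    Format-Table Name, Role, RoleAssignmentDelegationType -AutoSize

# What frank can now do for someone else (a regular, scoped assignment):
New-ManagementRoleAssignment -Name "Mail Recipients-Seattle Tier2 HelpDesk" `
    -Role "Mail Recipients" -SecurityGroup "Seattle Tier2 HelpDesk" `
    -RecipientOrganizationalUnitScope "contoso.com/Seattle"

# Periodic review: every delegating assignment in the organization. Each line
# is a principal that can grant that role to anyone.
Get-ManagementRoleAssignment -Delegating $true |
    Format-Table Role, RoleAssigneeName, RoleAssigneeType, RoleAssignmentDelegationType -AutoSize
```

Role Management is itself a broad role (it manages role groups, assignments and scopes), so in practice the delegate group should be small and its membership reviewed alongside the delegating assignments listed by the last command.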

Default Management Role Assignments
Several default role assignments are created at setup time to provide RBAC functionality out of the box
Role group assignments - assignments are made to the default role groups
Role assignment policy assignments - assignments are made to the default role assignment policy
Delegating assignments - delegating role assignments are made to the Organization Management role group
This allows the Organization Management role group to manage RBAC
See tables in workbook for full listings with descriptions

Role Group Assignments
Default role groups that receive role assignments at setup:
Delegated Setup
Discovery Management
Help Desk
Hygiene Management
Public Folder Management
Recipient Management
Records Management
Server Management
UM Management
View-Only Organization Management
Organization Management

Default Role Assignment Policy assignments
Role Assignment Name: Role Assigned
MyBaseOptions-Default Role Assignment Policy: MyBaseOptions
MyContactInformation-Default Role Assignment Policy: MyContactInformation
MyVoiceMail-Default Role Assignment Policy: MyVoiceMail
MyTextMessaging-Default Role Assignment Policy: MyTextMessaging
MyDistributionGroupMembership-Default Role Assignment Policy: MyDistributionGroupMembership

Exchange Default USG Implementation
Exchange Installation Account
New Organization
Exchange automatically adds the account used for setup to the Organization Management role group
Joining an Existing Organization
The account should already have the rights required to install Exchange 2010 via membership in the Exchange Organization Administrators group, so no other action is required there
The account is added as a member of the Organization Management role group
The Exchange Organization Administrators group is added as a member of the Organization Management role group
The Exchange Recipient Administrators group is added as a member of the Recipient Management role group

Preventing Lockout
A lockout occurs when an administrator makes so many changes to access control settings that they are no longer able to manage access control
Administrators can make changes to certain built-in access control components, but never to the point where a complete lockout would occur
The level of access control required to manage RBAC is always preserved

Review
[Diagram: a Role Assignment links the "Who" (Role Group or USG, Individual, or Role Assignment Policy), the "What" (Role with its Role Entries) and the "Where" (Recipient Write Scope, Recipient Read Scope, Configuration Write Scope, Configuration Read Scope)]

Putting It All Together

[PS] C:\>New-ManagementRole -Name "Tier2 HelpDesk" -Parent "Mail Recipients"

[PS] C:\>Remove-ManagementRoleEntry -Identity "Tier2 HelpDesk\Connect-Mailbox"

[PS] C:\>New-RoleGroup -Name "Dallas Tier2 HelpDesk" -Roles "Tier2 HelpDesk" -RecipientOrganizationalUnitScope contoso.com/dallas

[PS] C:\>New-RoleGroup -Name "Seattle Tier2 HelpDesk" -Roles "Tier2 HelpDesk" -RecipientOrganizationalUnitScope contoso.com/seattle

Implementation
Authorization Model
RBAC/Management Tool Interaction

Authorization Model
The goal of RBAC is to:
Consistently enforce access control according to the management roles assigned to each user
Prevent the control from being bypassed, except by those users who already have high-level administrative access (for example, direct write access to Active Directory or to the Exchange servers themselves)
RBAC relies on PowerShell version 2.0 and WinRM to provide remote PowerShell through IIS
RBAC authorization code is incorporated into this implementation
All Exchange 2010 management tools connect through IIS
Remote PowerShell provides a server-side runspace where commands execute
This is where RBAC performs its access control

RBAC/Management Tool Interaction
[Diagram not reproduced in this extract]

Exchange Management Tools
Exchange Server 2007 introduced two new management interfaces:
Exchange Management Shell - implemented in a different way for Exchange 2010 (over remote PowerShell)
Exchange Management Console - improved for Exchange Server 2010
Additional Exchange Tool Access Control Features
Per-user connection enable/disable
Users have to be enabled for remote PowerShell before they can connect and execute tasks
Per-user throttling settings
Throttling settings are enforced by a policy to prevent users from overwhelming an Exchange server

RBAC in action: the Initial Session
[Diagram not reproduced in this extract]

Executing Tasks with RBAC Enforcement
A user "sees" only the tasks placed in the server-side runspace, and can only use those tasks where the scope allows
This manifests differently depending on the interface being used
Any commands that are included in the private area of the runspace are hidden from the user
However, if a user has access to scripts that are part of a management role assignment, commands in the script that are included in the private area of the runspace still allow the script to execute as expected
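Worked example for the Authorization Model and RBAC Enforcement slides (added here; not part of the module). It connects the way the management tools do, over remote PowerShell through IIS, and inspects the session to show that the runspace already reflects the caller's role entries and that scope is enforced at execution time on the server. The server name and the mailbox used are assumptions; the session configuration name and connection parameters are the standard Exchange 2010 ones.

```powershell
# Added example, not from the module. Connect the way EMS/EMC do (remote
# PowerShell over IIS) and observe that the runspace already reflects RBAC.
# The server name and the mailbox are assumptions.

$session = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri "http://ex01.contoso.com/PowerShell/" -Authentication Kerberos
$module = Import-PSSession $session

# Only cmdlets present in the caller's role entries are proxied into the local
# session, so the count differs per user: an Organization Management member
# sees far more than a Tier2 HelpDesk member.
$visible = Get-Command -Module $module.Name
"Cmdlets visible to $env:USERNAME: $($visible.Count)"

# Parameters are trimmed the same way: a Set-Mailbox role entry without the
# forwarding parameters yields a proxy function without them.
$setMailbox = Get-Command Set-Mailbox -ErrorAction SilentlyContinue
if (-not $setMailbox) {
    "Set-Mailbox is not available to this user at all."
} elseif ($setMailbox.Parameters.ContainsKey("ForwardingSmtpAddress")) {
    "This user can set mail forwarding."
} else {
    "Set-Mailbox is available but the forwarding parameters were removed by RBAC."
}

# Scope is enforced at execution, server-side. A recipient outside the caller's
# write scope (but inside the implicit read scope) can be read, not modified.
Get-Mailbox "exec1@contoso.com" | Select-Object Name, Office
try {
    Set-Mailbox "exec1@contoso.com" -DisplayName "Changed" -ErrorAction Stop
} catch {
    Write-Warning ("Write refused by scope: " + $_.Exception.Message)
}

Remove-PSSession $session
```

Running this as two different accounts is the quickest way to confirm a role change took effect: the visible cmdlet count and the parameter check change before any task is attempted, because the trimming happens when the server builds the runspace, not when the command runs.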

Split Permissions
Split permissions is the separation of Exchange management and Active Directory management.
Split permissions typically make a distinction between the creation of security principals in Active Directory, such as users and security groups, and the subsequent configuration of those objects.
Exchange 2010 lets you choose between a shared permissions model and a split permissions model.
Exchange 2010 defaults to a shared permissions model.

RBAC and Active Directory
The RBAC model controls who can perform what actions, and on which objects those actions can be performed
If RBAC allows an action, it is performed in the security context of the Exchange Trusted Subsystem (ETS) USG, not in the user's own context
All Exchange 2010 servers are members of the ETS group
The ETS is a member of the local Administrators group on all Exchange servers
The ETS is a member of the Exchange Windows Permissions USG
Exchange Windows Permissions grants the permissions to create and manage recipient objects in the domain
ETS is a highly privileged USG that has read and write access to every Exchange-related object in the Exchange organization!

Shared Permissions
The shared permissions model allows Exchange administrators using the Exchange management tools to create security principals in Active Directory
These roles enable the creation of security principals:
Management Role: Role Group(s)
Mail Recipient Creation: Organization Management, Recipient Management
Security Group Creation and Membership: Organization Management

Lesson 3: Managing Exchange 2010 RBAC

After completing this lesson you will be able to:
Describe the tools and methods for configuration of all RBAC components.
Understand how to gather and examine RBAC configuration information.

Managing Roles
Watch This: Role Management
Managing Roles using Exchange PowerShell commands

Managing Roles using Exchange PowerShell commands
Get-ManagementRole
New-ManagementRole
Remove-ManagementRole

Watch This: Role Management

Managing Role Entries
Watch This: Role Entry Management
Managing Role Entries with Exchange PowerShell Commands

Managing Role Entries with Exchange PowerShell Commands
Get-ManagementRoleEntry
Add-ManagementRoleEntry
Set-ManagementRoleEntry
Remove-ManagementRoleEntry

Watch This: Role Entry Management

Managing Role Scopes
Watch This: Role Scope Management
Managing Role Scopes with Exchange PowerShell Commands

Managing Role Scopes with Exchange PowerShell Commands
Get-ManagementScope
New-ManagementScope
Set-ManagementScope
Remove-ManagementScope

Watch This: Role Scope Management

Managing Role Groups
Watch This: Role Group Management using EMS
Managing Role groups with Exchange PowerShell Commands
Watch This: Role Group Management using ECP
Managing Role groups with Exchange Control Panel

Managing Role groups with Exchange PowerShell Commands
Get-RoleGroup
New-RoleGroup
Set-RoleGroup
Remove-RoleGroup
Get-RoleGroupMember
Add-RoleGroupMember
Update-RoleGroupMember
Remove-RoleGroupMember

Watch This: Role Group Management using EMS

Managing Role groups with Exchange Control Panel
Web-based interface for managing role group membership
Exchange Control Panel - My Organization
Role Group Detail Information
Role Group Management
Manage Role Group Members
Role Group Members

Watch This: Role Group Management using ECP

Managing Role Assignments
Watch This: Role Assignment Management
Managing Role Assignments with Exchange PowerShell Commands

Managing Role Assignments with Exchange PowerShell Commands
Get-ManagementRoleAssignment
New-ManagementRoleAssignment
Set-ManagementRoleAssignment
Remove-ManagementRoleAssignment

Watch This: Role Assignment Management

Managing Role Assignment Policies
Watch This: Role Assignment Policy Management using EMS
Managing Role Assignment Policies with Exchange PowerShell Commands
Watch This: Role Assignment Policy Management using ECP
Managing Role Assignment Policies with Exchange Control Panel

Managing Role Assignment Policies with Exchange PowerShell Commands
Get-RoleAssignmentPolicy
New-RoleAssignmentPolicy
Set-RoleAssignmentPolicy
Remove-RoleAssignmentPolicy

Watch This: Role Assignment Policy Management using EMS

Watch This: Role Assignment Policy Management using ECP

Lesson 4: Diagnostics and Troubleshooting

After completing this lesson you will be able to:
Describe the tools used to gather diagnostic information about RBAC.
Analyze diagnostic information to identify RBAC problems.
Describe likely RBAC issues and troubleshooting strategies.

RBAC Diagnostic Data Sources
RBAC Reporting
RBAC Diagnostic Logging
RBAC EXTRA Tracing

RBAC Reporting
Most issues can be described in simple terms
Because there are many layers to RBAC, it is important to gather the right information
If you know the task and the user, you can gather the required information
Use Get-ManagementRole with -Cmdlet (and -CmdletParameters) to list the roles that expose a given task

Specialized Scripts
Exchange Management Shell makes it possible to create powerful scripts for gathering diagnostic information useful for troubleshooting RBAC issues.
Three sample scripts are included with this module to demonstrate how these tools would be used.
Find-Assignee.ps1 - used to find the users and groups that have access to the cmdlet and cmdlet parameter specified.
Compare-Roles.ps1 - used to compare the cmdlets made available by two different management roles, generating a list of cmdlets that are common to both roles and a list of cmdlets that are exclusive to each role.
Gather-RBACData.ps1 - used to gather a comprehensive report of RBAC information for the user or group specified.

RBAC Diagnostic Logging
Raising the logging level can help you troubleshoot RBAC issues that occur.
There are five services that generate RBAC event logs:
MSExchange Configuration Cmdlet - Control Panel
MSExchange Configuration Cmdlet - Management Console
MSExchange Configuration Cmdlet - Management Shell
MSExchange Configuration Cmdlet - Management Web Service
MSExchange Configuration Cmdlet - Remote Management
For each service, there are two categories:
General - Events related to the operation of the management tasks
RBAC - Events specific to RBAC processing
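Raising and restoring the RBAC category for the five services above, as an added example that is not part of the module. It assumes an Exchange Management Shell session on the server being diagnosed; the wildcard used to match the event source names in the Application log is an assumption.

```powershell
# Added example: raise the RBAC logging category to Expert for the five
# cmdlet services, reproduce the failing task, collect the events, then
# restore the default level (Lowest). Event-source wildcard is an assumption.

$services = @(
    'MSExchange Configuration Cmdlet - Control Panel',
    'MSExchange Configuration Cmdlet - Management Console',
    'MSExchange Configuration Cmdlet - Management Shell',
    'MSExchange Configuration Cmdlet - Management Web Service',
    'MSExchange Configuration Cmdlet - Remote Management'
)

function Set-RbacLogLevel {
    param([ValidateSet('Lowest', 'Low', 'Medium', 'High', 'Expert')][string]$Level)
    foreach ($svc in $services) {
        # Identity is "<service>\<category>"; only the RBAC category is changed,
        # the General category keeps its current level.
        Set-EventLogLevel -Identity "$svc\RBAC" -Level $Level
    }
}

function Get-RbacEvents {
    param([datetime]$Since)
    Get-EventLog -LogName Application -After $Since |
        Where-Object { $_.Source -like 'MSExchange Configuration Cmdlet*' } |
        Select-Object TimeGenerated, Source, EntryType, EventID, Message
}

$start = Get-Date
Set-RbacLogLevel -Level Expert
try {
    # Have the affected user reproduce the failing task now (from their own
    # session, through the tool that fails: EMS, EMC, ECP or remote PowerShell).
    Read-Host 'Reproduce the failing task, then press Enter' | Out-Null
}
finally {
    # Expert level is noisy; always drop back to the default when done.
    Set-RbacLogLevel -Level Lowest
}
Get-RbacEvents -Since $start | Format-List
```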

RBAC EXTRA Tracing

The Microsoft Exchange Troubleshooting Assistant can be used to automatically determine what set of data is required to troubleshoot symptoms that you identify.
These tags are available under the RBAC component:

Tag - Description
AccessCheck - AccessCheck trace messages are generated during evaluation of the current user context for the purpose of controlling access to RBAC administration actions, including delegation of RBAC roles; for example, when creating new management roles, removing or adding management role entries, and assigning management roles.
AccessDenied - Error: before throwing any AccessDenied exceptions. This happens in creation methods only. Non-critical methods returning 'false' or 'null' on authz check requests (ones that do not throw) should use PublicInstanceAPITracer. Warning: if tracing on exit or AccessCheck. Warning: if tracing logic or a private method.
ADConfig - ADConfig trace messages contain verbose data on every object and value RBAC reads from AD during the configuration of the initial session. This includes enumeration of the current context's group memberships, the roles assigned, and the entries of each role.
IssBuilderDetail - Initial session state build detail tracing.
PublicCreationAPI - Public static methods that instantiate ExchangeRunspaceConfiguration.
PublicInstanceAPI - Public instance methods that calculate roles, scopes, etc.
PublicPluginAPI - Public plug-in process tracing.
RunspaceConfig - Runspace configuration tracing.

Watch This: RBAC Troubleshooting

Lab: Scenario Based RBAC


Exercise 1: Managing RBAC
Exercise 2: Implementing Custom Management Roles

Appendix
RBAC Application Log Events
RBAC Performance Counters
Questions



© 2009 Microsoft Corporation. All rights reserved.
This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.



Conditions and Terms of Use
Microsoft Confidential - For Internal Use Only

This training package content is proprietary and confidential, and is intended only for users described in the training materials. Content and
information designated for limited distribution is provided to you under a Non-Disclosure Agreement and cannot be distributed. Copying or
disclosing all or any portion of the content and/or information included in such packages is strictly prohibited.
The contents of this package are for informational and training purposes only and are provided "as is" without warranty of any kind, whether express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, and non-infringement.
Training package content, including URLs and other Internet Web site references, is subject to change without notice. Because Microsoft
must respond to changing market conditions, the content should not be interpreted to be a commitment on the part of Microsoft, and
Microsoft cannot guarantee the accuracy of any information presented after the date of publication. Unless otherwise noted, the companies,
organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association
with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred.

Copyright and Trademarks


© 2009 Microsoft Corporation. All rights reserved.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this
document. Except as expressly provided in written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.
Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this
document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic,
mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.
For more information, see "Use of Microsoft Copyrighted Content" at http://www.microsoft.com/about/legal/permissions/.
Microsoft®, Internet Explorer, and Windows® are either registered trademarks or trademarks of Microsoft Corporation in the United States
and/or other countries. Microsoft products mentioned herein may be either registered trademarks or trademarks of Microsoft Corporation in
the United States and/or other countries. All other trademarks are property of their respective owners.
