Archive

Archive for December, 2013

Adding ActiveSync Management Rights to the Recipient Administrators Group

December 9, 2013 Leave a comment

If you are using my ActiveSync Power Administrator, or just using the ECP to manage ActiveSync devices, you may have found it difficult to assign your helpdesk staff the appropriate rights to use these tools. Logically, you would think that the Recipient Management role group should have the correct rights to perform these tasks. The reality is that the Organization Management group is the only default role group that has the appropriate default management roles; Organization Client Access and Mail Recipients. You certainly don’t want to assign your helpdesk staff to the Organization Management group. You could create a custom role group but even assigning the Organization Client Access and Mail Recipients managements roles would assign too many permissions.

The solution to this problem is to not only create a custom role group, but also to create custom management roles, which only contain the required powershell commands. To allow someone who is already in the Recipient Administrators group to use the ActiveSync Power Administrator, they need permission to run the following commands:

Get-CASMailbox

Set-CasMailbox

Clear-ActiveSyncDevice

Get-ActiveSyncDeviceStatistics

Remove-ActiveSyncDevice

The first thing we need to do is create our custom management roles, which are based on the two default roles that have the required commands. To do that, run the following commands:

New-ManagementRole "ActiveSync Admin 1" -Parent "Mail Recipients

New-ManagementRole "ActiveSync Admin 2" -Parent "Organization Client Access"

The next step is to remove all the commands we don’t need. To do that, run the following commands:

Get-ManagementRole "ActiveSync Admin 1" | Get-ManagementRoleEntry | where { $_.name -ne "Clear-ActiveSyncDevice" -and $_.name -ne "Get-ActiveSyncDeviceStatistics" -and $_.name -ne "Remove_ActiveSyncDevice" } | Remove-ManagementRoleEntry

Get-ManagementRole "ActiveSync Admin 2" | Get-ManagementRoleEntry | where { $_.name -ne "Get-CASMailbox" -and $_.name -ne "Set-CASMailbox" } | Remove-ManagementRoleEntry

Now we need to create the new role group:

New-RoleGroup -Name "ActiveSync Management" -Roles "ActiveSync Admin1","ActiveSync Admin1"

Finally, we add the Exchange Recipient Administrators group to the new role group:

Add-RoleGroupMember -Identity "ActiveSync Management" -Member "Exchange Recipient Administrators"

Your recipient administrators should now be able to manage ActiveSync devices with the least amount of permissions.

Advertisements