Permissions

  • Create a designated domain user (for example, siq_xch).
  • Add the user to the following built-in Exchange role groups:
    • Recipient Management
    • Records Management
    • Public Folder Management
  • From the Exchange Management Shell on a Client Access Server (CAS), enable remote PowerShell for the account (the connector needs it to open a remote session):

    Set-User [username] -RemotePowerShellEnabled $True

Fine-Grained Permissions

The built-in role groups above grant far more than the connector uses (Recipient Management, for example, can create and modify mailboxes). Exchange allows custom management roles to be created, and these can be used to grant the File Access Manager service accounts only the minimum privileges they need.

Each custom role grants access to a specific set of cmdlets, taken from a built-in parent role.

Listed below are the cmdlets we use, sorted by service type:

BAM

  • Get-ExchangeServer
  • Set-AdminAuditLogConfig
  • Search-MailboxAuditLog
  • Set-Mailbox
  • Get-Mailbox
  • Get-User

Crawler

  • Get-Mailbox
  • Get-MailboxStatistics
  • Get-MailboxFolderStatistics
  • Get-PublicFolder

PC

  • Get-ExchangeServer
  • Get-Group
  • Get-User
  • Get-Mailbox
  • Get-MailboxPermission
  • Get-MailboxFolderPermission
  • Get-MailboxFolderStatistics
  • Get-ADPermission
  • Get-PublicFolder
  • Get-PublicFolderClientPermission

Using those lists as a reference, run the following PowerShell commands in the Exchange Management Shell to create and assign the needed roles. Each New-ManagementRole call derives a child role from a built-in parent and, with -EnabledCmdlets, keeps only the listed cmdlets; the role group then bundles the child roles and the service account is added as a member.

BAM

    New-ManagementRole -Name "FileAccessManager Activities View-Only Recipients" -Parent "View-Only Recipients" -EnabledCmdlets Get-User,Get-Mailbox

    New-ManagementRole -Name "FileAccessManager Activities Audit Logs" -Parent "Audit Logs" -EnabledCmdlets Set-Mailbox,Search-MailboxAuditLog,Set-AdminAuditLogConfig

    New-ManagementRole -Name "FileAccessManager Activities View-Only Config" -Parent "View-Only Configuration" -EnabledCmdlets Get-ExchangeServer

    New-RoleGroup -Name "FileAccessManager Activities Role Group" -Roles "FileAccessManager Activities View-Only Recipients","FileAccessManager Activities Audit Logs","FileAccessManager Activities View-Only Config"

    Add-RoleGroupMember -Identity "FileAccessManager Activities Role Group" -Member <domain\activities_user>

Crawler and PC

    New-ManagementRole -Name "FileAccessManager Crawl And Permissions View-Only Recipients" -Parent "View-Only Recipients" -EnabledCmdlets Get-Mailbox,Get-MailboxStatistics,Get-MailboxFolderStatistics,Get-PublicFolder,Get-Group,Get-User,Get-MailboxPermission,Get-MailboxFolderPermission,Get-PublicFolderClientPermission

    New-ManagementRole -Name "FileAccessManager Crawl And Permissions View-Only Config" -Parent "View-Only Configuration" -EnabledCmdlets Get-ExchangeServer,Get-ADPermission

    New-RoleGroup -Name "FileAccessManager Crawl And Permissions Role Group" -Roles "FileAccessManager Crawl And Permissions View-Only Recipients","FileAccessManager Crawl And Permissions View-Only Config"

    Add-RoleGroupMember -Identity "FileAccessManager Crawl And Permissions Role Group" -Member <domain\crawl_user>


Alternatively, assign all of the permissions to a single service account:

All

    New-ManagementRole -Name "FileAccessManager View-Only Recipients" -Parent "View-Only Recipients" -EnabledCmdlets Get-User,Get-Mailbox,Get-MailboxStatistics,Get-MailboxFolderStatistics,Get-PublicFolder,Get-Group,Get-MailboxPermission,Get-MailboxFolderPermission,Get-PublicFolderClientPermission

    New-ManagementRole -Name "FileAccessManager Audit Logs" -Parent "Audit Logs" -EnabledCmdlets Set-Mailbox,Search-MailboxAuditLog,Set-AdminAuditLogConfig

    New-ManagementRole -Name "FileAccessManager View-Only Config" -Parent "View-Only Configuration" -EnabledCmdlets Get-ExchangeServer,Get-ADPermission

    New-RoleGroup -Name "FileAccessManager Group" -Roles "FileAccessManager View-Only Recipients","FileAccessManager Audit Logs","FileAccessManager View-Only Config"

    Add-RoleGroupMember -Identity "FileAccessManager Group" -Member <domain\user>
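Whichever layout you choose, verify the result rather than trusting the commands ran cleanly. The script below is an added example, not part of the original page or of the File Access Manager product: it enumerates every cmdlet a role group actually exposes, compares that against the expected list from the tables above, and checks that the service account is a member, has remote PowerShell enabled, and has not been left in any other (broader) role group. Role-group, account and domain names (CONTOSO\siq_xch) are placeholders.

```powershell
# Added example (not from the original page or the vendor): audit a File Access
# Manager role group for least privilege. Run in the Exchange Management Shell
# after the New-ManagementRole / New-RoleGroup / Add-RoleGroupMember steps.

function Get-RoleGroupCmdlets {
    param([Parameter(Mandatory)][string]$RoleGroup)
    # All management roles assigned to the group, then every role entry each
    # role still contains after -EnabledCmdlets trimmed it. Script entries
    # (*.ps1) inherited from a parent role show up here too and should be reviewed.
    $roles = Get-ManagementRoleAssignment -RoleAssignee $RoleGroup |
             Select-Object -ExpandProperty Role -Unique
    foreach ($role in $roles) {
        Get-ManagementRoleEntry "$role\*" | Select-Object -ExpandProperty Name
    }
}

function Test-FamRoleGroup {
    param(
        [Parameter(Mandatory)][string]$RoleGroup,
        [Parameter(Mandatory)][string[]]$ExpectedCmdlets,
        [Parameter(Mandatory)][string]$ServiceAccount   # DOMAIN\user, UPN or alias
    )
    $expected = @($ExpectedCmdlets | Sort-Object -Unique)
    $actual   = @(Get-RoleGroupCmdlets -RoleGroup $RoleGroup | Sort-Object -Unique)

    # '=>' = present in the group but not expected (over-privilege);
    # '<=' = expected but absent (the connector would fail at that call).
    $diff    = Compare-Object -ReferenceObject $expected -DifferenceObject $actual
    $extra   = @($diff | Where-Object SideIndicator -eq '=>' | ForEach-Object InputObject)
    $missing = @($diff | Where-Object SideIndicator -eq '<=' | ForEach-Object InputObject)

    # Membership and remote PowerShell flag on the service account itself.
    $user     = Get-User -Identity $ServiceAccount
    $isMember = (Get-RoleGroupMember -Identity $RoleGroup).DistinguishedName -contains $user.DistinguishedName

    # Any other role group still containing the account (e.g. Recipient
    # Management left over from the coarse-grained setup) widens its privileges.
    $otherGroups = @(Get-RoleGroup | Where-Object {
        $_.Name -ne $RoleGroup -and
        ((Get-RoleGroupMember -Identity $_.Identity).DistinguishedName -contains $user.DistinguishedName)
    } | Select-Object -ExpandProperty Name)

    [PSCustomObject]@{
        RoleGroup               = $RoleGroup
        ServiceAccount          = $user.SamAccountName
        IsMember                = $isMember
        RemotePowerShellEnabled = $user.RemotePowerShellEnabled
        ExtraCmdlets            = $extra
        MissingCmdlets          = $missing
        OtherRoleGroups         = $otherGroups
        LeastPrivilegeOk        = ($isMember -and $user.RemotePowerShellEnabled -and
                                   $extra.Count -eq 0 -and $missing.Count -eq 0 -and
                                   $otherGroups.Count -eq 0)
    }
}

# Expected cmdlets taken from the Crawler and PC tables above (union of both).
$crawlAndPcCmdlets = 'Get-ExchangeServer','Get-Group','Get-User','Get-Mailbox',
                     'Get-MailboxPermission','Get-MailboxFolderPermission',
                     'Get-MailboxStatistics','Get-MailboxFolderStatistics',
                     'Get-ADPermission','Get-PublicFolder','Get-PublicFolderClientPermission'

# Placeholder names; substitute the role group and account you created.
Test-FamRoleGroup -RoleGroup 'FileAccessManager Crawl And Permissions Role Group' `
                  -ExpectedCmdlets $crawlAndPcCmdlets `
                  -ServiceAccount 'CONTOSO\siq_xch' | Format-List
```

For the BAM group, pass the six BAM cmdlets instead; for the single-account layout, pass the union of all three tables. An empty ExtraCmdlets list confirms that -EnabledCmdlets removed everything else from the parent roles; anything in OtherRoleGroups means the coarse-grained role groups from the first section are still assigned and should be removed with Remove-RoleGroupMember. Note that -EnabledCmdlets limits cmdlets, not their parameters: the write cmdlets Set-Mailbox and Set-AdminAuditLogConfig keep every parameter the "Audit Logs" parent role grants, and Set-ManagementRoleEntry -Parameters can narrow them further, but only after confirming with the vendor which parameters the activities service actually uses.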