Permissions
- Create a designated domain user (for example, siq_xch).
- Assign the user to the following Exchange role groups:
  - Recipients Management
  - Records Management
  - Public Folders Management
- From PowerShell on the CAS, run the following:
  Set-User [username] -RemotePowerShellEnabled $True
Fine-Grained Permissions
Exchange allows custom admin roles to be created, and these can be used to grant the File Access Manager service accounts the minimum privileges they need.
Each admin role grants access to a specific set of cmdlets.
Listed below are the cmdlets we use, sorted by service type:
BAM
- Get-ExchangeServer
- Set-AdminAuditLogConfig
- Search-MailboxAuditLog
- Set-Mailbox
- Get-Mailbox
- Get-User
Crawler
- Get-Mailbox
- Get-MailboxStatistics
- Get-MailboxFolderStatistics
- Get-PublicFolder
PC
- Get-ExchangeServer
- Get-Group
- Get-User
- Get-Mailbox
- Get-MailboxPermission
- Get-MailboxFolderPermission
- Get-MailboxFolderStatistics
- Get-ADPermission
- Get-PublicFolder
- Get-PublicFolderClientPermission
Using those lists as a reference, create and assign the needed roles with the following PowerShell commands:
BAM
New-ManagementRole -Name "FileAccessManager Activities View-Only Recipients" -Parent "View-Only Recipients" -EnabledCmdlets Get-User,Get-Mailbox
New-ManagementRole -Name "FileAccessManager Activities Audit Logs" -Parent "Audit Logs" -EnabledCmdlets Set-Mailbox,Search-MailboxAuditLog,Set-AdminAuditLogConfig
New-ManagementRole -Name "FileAccessManager Activities View-Only Config" -Parent "View-Only Configuration" -EnabledCmdlets Get-ExchangeServer
New-RoleGroup -Name "FileAccessManager Activities Role Group" -Roles "FileAccessManager Activities View-Only Recipients","FileAccessManager Activities Audit Logs","FileAccessManager Activities View-Only Config"
Add-RoleGroupMember -Identity "FileAccessManager Activities Role Group" -Member <domain\activities_user>
Crawler and PC
New-ManagementRole -Name "FileAccessManager Crawl And Permissions View-Only Recipients" -Parent "View-Only Recipients" -EnabledCmdlets Get-Mailbox,Get-MailboxStatistics,Get-MailboxFolderStatistics,Get-PublicFolder,Get-Group,Get-User,Get-MailboxPermission,Get-MailboxFolderPermission,Get-PublicFolderClientPermission
New-ManagementRole -Name "FileAccessManager Crawl And Permission View-Only Config" -Parent "View-Only Configuration" -EnabledCmdlets Get-ExchangeServer,Get-ADPermission
New-RoleGroup -Name "FileAccessManager Crawl And Permissions Role Group" -Roles "FileAccessManager Crawl And Permissions View-Only Recipients","FileAccessManager Crawl And Permission View-Only Config"
Add-RoleGroupMember -Identity "FileAccessManager Crawl And Permissions Role Group" -Member <domain\crawl_user>
Alternatively, assign all permissions to a single user:
All
New-ManagementRole -Name "FileAccessManager View-Only Recipients" -Parent "View-Only Recipients" -EnabledCmdlets Get-User,Get-Mailbox,Get-MailboxStatistics,Get-MailboxFolderStatistics,Get-PublicFolder,Get-Group,Get-MailboxPermission,Get-MailboxFolderPermission,Get-PublicFolderClientPermission
New-ManagementRole -Name "FileAccessManager Audit Logs" -Parent "Audit Logs" -EnabledCmdlets Set-Mailbox,Search-MailboxAuditLog,Set-AdminAuditLogConfig
New-ManagementRole -Name "FileAccessManager View-Only Config" -Parent "View-Only Configuration" -EnabledCmdlets Get-ExchangeServer,Get-ADPermission
New-RoleGroup -Name "FileAccessManager Group" -Roles "FileAccessManager View-Only Recipients","FileAccessManager Audit Logs","FileAccessManager View-Only Config"
Add-RoleGroupMember -Identity "FileAccessManager Group" -Member <domain\user>
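The point of the custom roles above is least privilege, so after creating them it is worth confirming that a role group exposes exactly the documented cmdlets and nothing inherited from the parent role that the -EnabledCmdlets filter was meant to exclude. The following script is an added example, not part of the original page or of File Access Manager; it assumes it runs in the Exchange Management Shell (or a remote Exchange session) with rights to read RBAC configuration, and that the role group named in $RoleGroup has already been created. The default $ExpectedCmdlets is the combined "All" list; pass the BAM or Crawler/PC subset to check the split role groups.

```powershell
# Added example (not from the original page): audit an Exchange RBAC role group
# against the cmdlet list it is supposed to grant, flagging anything extra or missing.
param(
    # Role group created on the page; change to the Activities or Crawl group as needed.
    [string]$RoleGroup = "FileAccessManager Group",
    # Documented cmdlet set (the "All" list); narrow it for the split role groups.
    [string[]]$ExpectedCmdlets = @(
        "Get-User", "Get-Mailbox", "Get-MailboxStatistics", "Get-MailboxFolderStatistics",
        "Get-PublicFolder", "Get-Group", "Get-MailboxPermission", "Get-MailboxFolderPermission",
        "Get-PublicFolderClientPermission", "Set-Mailbox", "Search-MailboxAuditLog",
        "Set-AdminAuditLogConfig", "Get-ExchangeServer", "Get-ADPermission"
    )
)

# Roles assigned to the role group (one management role assignment per role).
$roles = Get-ManagementRoleAssignment -RoleAssignee $RoleGroup |
    ForEach-Object { $_.Role.ToString() }

# Every role entry (cmdlet) the assigned roles grant, de-duplicated.
$granted = foreach ($role in $roles) {
    Get-ManagementRoleEntry -Identity "$role\*" | Select-Object -ExpandProperty Name
}
$granted = @($granted | Sort-Object -Unique)

# Compare the granted set with the documented set in both directions.
$extra   = @($granted | Where-Object { $ExpectedCmdlets -notcontains $_ })
$missing = @($ExpectedCmdlets | Where-Object { $granted -notcontains $_ })

# Who actually holds these rights; should be the dedicated service account only.
$members = Get-RoleGroupMember -Identity $RoleGroup | ForEach-Object { $_.Name }

"Role group : $RoleGroup"
"Roles      : $($roles -join ', ')"
"Members    : $($members -join ', ')"

if ($extra.Count -gt 0)   { Write-Warning "Cmdlets granted beyond the documented set: $($extra -join ', ')" }
if ($missing.Count -gt 0) { Write-Warning "Documented cmdlets not granted: $($missing -join ', ')" }
if ($extra.Count -eq 0 -and $missing.Count -eq 0) {
    "OK: $RoleGroup grants exactly the documented cmdlets."
}
```

Run it after each New-ManagementRole / New-RoleGroup block, and again on a schedule, since a later Add-RoleGroupMember or an edit to the role entries would widen the service account's reach without changing anything visible in File Access Manager itself.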