First requirement - limiting access to PowerShell commands

As we reviewed in a previous section, out-of-office settings are managed by just two commands:

Get-Command *MailboxAutoReply* | select Name

Name
----
Get-MailboxAutoReplyConfiguration
Set-MailboxAutoReplyConfiguration

To limit access to just these commands, we need to identify a role that already includes them, as a starting point for our new role. To identify it, we search for role entries that include either of these commands, using the Get-ManagementRoleEntry command with a wildcard so that all applicable entries are matched. To keep the results simple, we filter to unique roles, but we make sure that both the Get and Set verbs are included.

Get-ManagementRoleEntry *\*MailboxAutoReplyConfiguration | Sort-Object -Property Role -Unique | Select Name, Role


Name Role
---- ----
Set-MailboxAutoReplyConfiguration Mail Recipients
Set-MailboxAutoReplyConfiguration MyBaseOptions
Set-MailboxAutoReplyConfiguration User Options
Get-MailboxAutoReplyConfiguration View-Only Recipients

Based on the results, we have four potential role candidates. Since we want to read and write, we immediately discard the View-Only Recipients role (which only has the Get verb). We also discard the MyBaseOptions role since the My prefix indicates that the scope is Self and therefore will not work in our administrator scenario.

To select between the two remaining roles, we will review their properties:

PS C:> Get-ManagementRole | Where { $_.Name -in @("Mail Recipients","User Options") } | Select Name, Description, RoleEntries | fl

Name : Mail Recipients

Description : This role enables administrators to manage existing mailboxes, mail users, and mail contacts in an organization. This role can't create these recipients. Use MailRecipientCreation roles to create them.
This role type doesn't enable you to manage mail-enabled public folders or distribution groups. Use the MailEnabledPublicFolders and DistributionGroup roles to manage these objects.
If your organization has a split permissions model where recipient creation and management are performed by different groups, assign the MailRecipientCreation roles to the group that performs recipient creation and the MailRecipients roles to the group that performs recipient management.

RoleEntries : {SetUserPhoto, (Microsoft.Exchange.Management.Powershell.Support) Set-FocusedInbox -FocusedInboxOn -Identity, (Microsoft.Exchange.Management.Powershell.Support) Set-Clutter -CleanUpClutter -Enable
-ErrorAction -ErrorVariable -Identity -OutBuffer -OutVariable -WarningAction -WarningVariable, (Microsoft.Exchange.Management.Powershell.Support) Get-FocusedInbox -Identity...}

Name : User Options

Description : This role enables administrators to view the Outlook Web App options of a user in an organization. This role can be used to help diagnose configuration problems.

RoleEntries : {(Microsoft.Exchange.Management.Powershell.Support) Set-Clutter -CleanUpClutter -Enable -ErrorAction -ErrorVariable -Identity -OutBuffer -OutVariable -WarningAction -WarningVariable,
(Microsoft.Exchange.Management.Powershell.Support) Get-Clutter -ErrorAction -ErrorVariable -Identity -OutBuffer -OutVariable -WarningAction -WarningVariable,
(Microsoft.Exchange.Management.PowerShell.E2010) Write-AdminAuditLog -Comment -Confirm -ErrorAction -ErrorVariable -OutBuffer -OutVariable -WarningAction -WarningVariable -WhatIf,
(Microsoft.Exchange.Management.PowerShell.E2010) Stop-UMPhoneSession -Confirm -ErrorAction -ErrorVariable -Identity -OutBuffer -OutVariable -WarningAction -WarningVariable -WhatIf...}

Either role would work in this case, but we will choose Mail Recipients since it has fewer role entries. The next step is to create a role that inherits from Mail Recipients, and then remove all the role entries that do not apply, leaving only the entries for the two commands we want the administrators to have access to:

New-ManagementRole -Name "Out of the Office Admins" -EnabledCmdlets @("Set-MailboxAutoReplyConfiguration", "Get-MailboxAutoReplyConfiguration") -Parent "Mail Recipients"


Name RoleType
---- --------
Out of the Office Admins MailRecipients

Get-ManagementRoleEntry "Out of the Office Admins\*"

Name Role Parameters
---- ---- ----------
Get-MailboxAutoReplyConfigu... Out of the Office Admins {ErrorAction, ErrorVariable, Identity...
Set-MailboxAutoReplyConfigu... Out of the Office Admins {AutoDeclineFutureRequestsWhenOOF, ...

Note that we made use of the -EnabledCmdlets parameter, which at the time of writing is not documented. Before this parameter was available, you had to filter and remove the unwanted role entries after the role was created.

To finish the role setup, we will remove the -ExternalMessage parameter from the Set command so that admins are not allowed to set the external message of the out-of-office settings:

Set-ManagementRoleEntry -Identity "Out of the Office Admins\Set-MailboxAutoReplyConfiguration" -Parameters "ExternalMessage" -RemoveParameter


Get-ManagementRoleEntry "Out of the Office Admins\Set-MailboxAutoReplyConfiguration" | Select -ExpandProperty Parameters

AutoDeclineFutureRequestsWhenOOF
...
EndTime
ErrorAction
ErrorVariable
EventsToDeleteIDs
ExternalAudience
Identity
...
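The whole procedure above, collected into one re-runnable script with a verification step the chapter does not show (an added example, not from the book; it assumes an open Exchange Management Shell or Exchange Online session under an account that may create management roles, and it uses the same undocumented -EnabledCmdlets parameter as the text):

```powershell
# Added example: create the restricted "Out of the Office Admins" role idempotently
# and verify that it exposes only the intended cmdlets and parameters.
$RoleName = "Out of the Office Admins"
$Parent   = "Mail Recipients"
$Allowed  = @("Get-MailboxAutoReplyConfiguration", "Set-MailboxAutoReplyConfiguration")
$Blocked  = @("ExternalMessage")   # parameters the delegated admins must not be able to use

# 1. Create the role only if it does not exist yet, so re-running the script is safe.
if (-not (Get-ManagementRole -Identity $RoleName -ErrorAction SilentlyContinue)) {
    New-ManagementRole -Name $RoleName -Parent $Parent -EnabledCmdlets $Allowed | Out-Null
}

# 2. Remove the blocked parameters from the Set-* entry (role entry identity is "Role\Cmdlet").
$setEntry = "$RoleName\Set-MailboxAutoReplyConfiguration"
$present  = (Get-ManagementRoleEntry $setEntry).Parameters | Where-Object { $_ -in $Blocked }
if ($present) {
    Set-ManagementRoleEntry -Identity $setEntry -Parameters $present -RemoveParameter
}

# 3. Verify the result: exactly the two cmdlets, and none of the blocked parameters.
$entries    = Get-ManagementRoleEntry "$RoleName\*"
$unexpected = $entries | Where-Object { $_.Name -notin $Allowed }
$missing    = $Allowed  | Where-Object { $_ -notin $entries.Name }
$leaked     = (Get-ManagementRoleEntry $setEntry).Parameters | Where-Object { $_ -in $Blocked }

if ($unexpected) { throw "Role '$RoleName' exposes extra cmdlets: $($unexpected.Name -join ', ')" }
if ($missing)    { throw "Role '$RoleName' lacks required cmdlets: $($missing -join ', ')" }
if ($leaked)     { throw "Role '$RoleName' still allows parameters: $($leaked -join ', ')" }
"Role '$RoleName' verified: $($entries.Name -join ', ')"
```

The verification block is the part worth keeping in any change-control script: it turns the intended least-privilege shape of the role into an explicit assertion rather than something read off a console listing.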
..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.
Reset
3.145.40.189