Friday, 12 August 2011

Role-Based Access Control (RBAC) Exchange 2010 Legal Hold and Discovery Search

RBAC can be used to allow administrators to perform a specific Exchange task by assigning them a management role that has permission to perform that task. Administrators can be assigned these roles directly, or multiple roles can be grouped together into management role groups. Management role groups are in fact AD universal security groups. As you will see, however, Exchange administrators should NOT be added to these groups using AD tools directly!

Each management role consists of management role entries. A management role entry is an EMS cmdlet or a script that users in a management role can execute.

For a list of management roles, type the following cmdlet:

[PS] Get-ManagementRole | Get-ManagementRoleEntry

The list you will see has quite a few roles!

If you take just one role, for example 'Databases', you will begin to see what's involved:

[PS] Get-ManagementRole -Identity Databases | Get-ManagementRoleEntry


So, users are assigned a management role (which can execute the cmdlets and scripts defined by its management role entries) by being added to a management role group. This can be very useful. For example, we can create a management role group that only allows its members to create Exchange recipients. After we create the group and add users, management role(s) are then assigned to the group.

Several role groups exist in Exchange 2010 by default.

[PS] Get-RoleGroup


If we take a single role group, for example 'Help Desk':

[PS] Get-RoleGroup -Identity "Help Desk" | fl

This will list the parameters associated with this group.


As you can see from the above screenshot, the roles assigned to the Help Desk management role group are shown. These are 'User Options' and 'View-Only Recipients'. You can also see under RoleAssignments that these roles are assigned to Help Desk! These default role groups can be found in AD in the Microsoft Exchange Security Groups OU.

To add users to the role group of Help Desk use the following cmdlet:

[PS] Add-RoleGroupMember -Identity "Help Desk" -Member "Andrew Stevens"

This will add Andrew Stevens to the Help Desk role group. To determine the membership of the management role group try the following:

[PS] Get-RoleGroupMember -Identity "Help Desk"

This is great if the Help Desk group has the needed management roles assigned to it. From the screenshot above this includes the management roles "User Options" and "View-Only Recipients".

User Options is a management role with the following management role entries, determined by typing the following:

[PS] Get-ManagementRole -Identity "User Options" | Get-ManagementRoleEntry


View-Only Recipients is a management role with the following management role entries, determined by typing the following:

[PS] Get-ManagementRole -Identity "View-only Recipients" | Get-ManagementRoleEntry


So you can see what Andrew Stevens can do having been placed in the Help Desk group.


You can also customize a role group to contain the roles that you need if you find the default roles assigned to a group do not fit your requirements. If you find yourself changing the roles assigned to the default groups beyond recognition, you might as well create a new group.

So, to add a role to an existing group try the following:

[PS] New-ManagementRoleAssignment -SecurityGroup "Help Desk" -Role "Mailbox Import Export"

Now type the following again to determine the roles now 'held' by the Help Desk group:

[PS] Get-RoleGroup -Identity "Help Desk" | fl

You will notice that the RoleAssignments has changed to include Mailbox Import Export!

To remove the assignment type the following:

[PS] Remove-ManagementRoleAssignment -Identity "Mailbox Import Export-Help Desk"

If you need to, you can create a role group from scratch. Let's create a role group called Help Desk London and assign roles to it:

[PS] New-RoleGroup "Help Desk London" -Roles "User Options","View-Only Recipients"

Try the Get-RoleGroup cmdlet and you should see it listed.

So far the Help Desk London team has the roles View-Only Recipients and User Options. This is no different from the default Help Desk assignments. However, you can add to it:

[PS] New-ManagementRoleAssignment -SecurityGroup "Help Desk London" -Role "Mailbox Import Export"
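Roles such as Mailbox Import Export are worth keeping an eye on once they start being handed to custom groups. The script below is an added example for this post, not something from the original article: it reports who effectively holds a handful of high-impact built-in Exchange 2010 roles, expanding role groups down to individual users. It runs in the Exchange Management Shell as an account that can read RBAC configuration (for example a member of View-Only Organization Management); the CSV path is a placeholder.

```powershell
# Added example (not from the original post): audit effective holders of
# high-impact Exchange 2010 management roles. Role names are built-in roles;
# the output path is a placeholder.
$sensitiveRoles = @(
    "Mailbox Import Export",   # export any mailbox to a PST file
    "Mailbox Search",          # run discovery searches across the organisation
    "Legal Hold",              # place mailboxes on, or remove them from, litigation hold
    "Role Management"          # change RBAC itself (assign roles, edit role groups)
)

$report = foreach ($role in $sensitiveRoles) {
    # -GetEffectiveUsers expands each role group (nested groups included) to the
    # individual users who actually receive the permission, so a user added to a
    # group through AD tools rather than Add-RoleGroupMember still shows up here.
    $assignments = Get-ManagementRoleAssignment -Role $role -Enabled $true -GetEffectiveUsers
    foreach ($a in $assignments) {
        New-Object PSObject -Property @{
            Role          = $role
            AssignedTo    = $a.RoleAssigneeName      # role group, user or policy named in the assignment
            AssigneeType  = $a.RoleAssigneeType      # RoleGroup, User, RoleAssignmentPolicy, ...
            EffectiveUser = $a.EffectiveUserName     # the person who ends up with the right
            WriteScope    = $a.RecipientWriteScope   # how far the right reaches (Organization, OU, ...)
        }
    }
}

$report | Sort-Object Role, EffectiveUser |
    Format-Table Role, EffectiveUser, AssignedTo, AssigneeType, WriteScope -AutoSize

# Keep a dated copy so membership can be compared between reviews (placeholder path).
$report | Export-Csv -NoTypeInformation -Path ".\rbac-sensitive-roles-$(Get-Date -Format yyyyMMdd).csv"

# For each role group that carries one of these roles, list its direct members
# as RBAC sees them (membership should be changed with the RBAC cmdlets, as the
# post says, but this read-only view works however the members were added).
$report | Where-Object { $_.AssigneeType -eq "RoleGroup" } |
    Select-Object -ExpandProperty AssignedTo -Unique |
    ForEach-Object {
        "=== Role group: $_"
        Get-RoleGroupMember -Identity $_ | Format-Table Name, RecipientType -AutoSize
    }
```

Running this after every change to a role group (or on a schedule) gives a simple record of who can export, search or hold mailboxes, which is the set of people a later investigation will need to account for.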


Legal Hold

An interesting role is Legal Hold. A legal hold in Exchange 2010 will keep e-mails even if the user tries to delete them. Note that the user will think the e-mail is deleted. The only way to actually see those e-mails is to run a discovery search and open the discovery mailbox.

The Legal Hold role is assigned to the following role groups:

[PS] Get-RoleGroup | Where-Object {$_.roleassignments -match "Legal Hold"}

The output will show you that both Organization and Discovery Management groups have this role by default.

To grant our Help Desk London team the Legal Hold role, type the following cmdlet:

[PS] New-ManagementRoleAssignment -SecurityGroup "Help Desk London" -Role "Legal Hold"

Type the following cmdlet for confirmation:

[PS] Get-RoleGroup | Where-Object {$_.roleassignments -match "Legal Hold"}

You should now see Help Desk London listed.

To turn this feature on, we need to enable it for specific mailboxes. First you must hold the role to do so. As mentioned, members of Organization Management (and Discovery Management) have the Legal Hold role assigned. If you are doing this as a Domain Administrator, then you are a member of Organization Management already.

[PS] Get-RoleGroup -Identity "Organization Management" | ft name,members

Now, determine which recipients you wish to place on Legal Hold and type the following:

[PS] Set-Mailbox -Identity "A User" -LitigationHoldEnabled $True

To check which mailboxes have been enabled, type the following cmdlet:

[PS] Get-Mailbox | ft name,lit* -au
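Holding several custodians at once, and then checking what the hold is actually retaining, is the usual shape of this task. The following is an added example written for this post, not code from the original article: it places a list of mailboxes on litigation hold with a comment the user can see, then reports the size of each held mailbox's Recoverable Items tree against its warning quota. It needs the Legal Hold role for Set-Mailbox and View-Only Recipients (or better) for the report; the aliases and URL are placeholders, and the RecoverableItems folder scope is assumed to require Exchange 2010 SP1 or later.

```powershell
# Added example (not from the original post). Aliases and URL are placeholders;
# -FolderScope RecoverableItems is assumed to need Exchange 2010 SP1 or later.
$custodians = @("auser", "buser")   # placeholder aliases of the mailboxes to hold

foreach ($alias in $custodians) {
    # RetentionComment and RetentionUrl are surfaced to the user in Outlook's
    # account settings, so the "I deleted it but it is still counted" question
    # has a documented answer.
    Set-Mailbox -Identity $alias -LitigationHoldEnabled $true `
        -RetentionComment "Mailbox placed on litigation hold $(Get-Date -Format yyyy-MM-dd). Contact Legal before deleting mail." `
        -RetentionUrl "http://intranet.example/legal-hold"
}

# Verification: every mailbox on hold, with the size of the Recoverable Items
# tree (Deletions, Purges and Versions) that the hold stops from being emptied.
# Comparing it with the warning quota shows which mailboxes are filling up.
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.LitigationHoldEnabled } |
    ForEach-Object {
        # Inner $_ is a folder statistics row; outer $_ is still the mailbox afterwards.
        $root = Get-MailboxFolderStatistics -Identity $_.Identity -FolderScope RecoverableItems |
            Where-Object { $_.FolderPath -eq "/Recoverable Items" }
        New-Object PSObject -Property @{
            Mailbox              = $_.Name
            HoldEnabled          = $_.LitigationHoldEnabled
            RecoverableItemsSize = $root.FolderAndSubfolderSize
            RecoverableItemCount = $root.ItemsInFolderAndSubfolders
            WarningQuota         = $_.RecoverableItemsWarningQuota
        }
    } |
    Sort-Object Mailbox |
    Format-Table Mailbox, HoldEnabled, RecoverableItemsSize, RecoverableItemCount, WarningQuota -AutoSize
```

The report is the check to run periodically once holds are in place: a held mailbox whose Recoverable Items size approaches the warning quota is the one that will start generating support calls.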


Performing a Discovery Search

You can still find and open the deleted emails using a discovery search. A discovery search can be made against any organisation mailbox (not just those on litigation hold). Here’s what happens:

  1. User deletes a message.
  2. The message moves to the 'Deleted Items' folder. At this point the user can see the deleted message and can move it back to the inbox. This is known as a 'soft delete'. Messages can also be moved to the 'dumpster' by emptying the Deleted Items folder. This is a 'hard delete'.
  3. The message moves to the 'Dumpster'. This removes the message from view. Deleted item retention is 14 days by default. Users can still recover items by using the Recover Deleted Items tool (right-click Deleted Items in OWA and select 'Recover Deleted Items').
  4. If the end user purges data from the "Recover Deleted Items" view (hard delete from the Recoverable Items\Deletions folder), the item will be moved to the Recoverable Items\Purges folder. The purges folder is a special folder that sits within the dumpster. The user will not be able to see the deleted message from this folder. However administrators granted the rights to perform 'discovery searches' can search through the purges folder and restore deleted items.

Enabling Litigation Hold means that items will never be purged from the "Purges" subfolder, which of course results in mailboxes growing considerably in size over time!

To perform a discovery search perform the following steps:

1. Perform a discovery search for the item you need to restore. This first involves navigating a browser to https://servername/ecp. This is on the CAS role (ECP is the Exchange Control Panel). In Figure 1, the user 'Al Pacino' is in the LegalAdmins role group. This group has been assigned the roles 'User Options' and 'View-Only Recipients' (the same as the default Help Desk role group). At this point Al cannot perform a discovery search and this is his ECP view (only Users & Groups).


2. Assign the Mailbox Search role to the LegalAdmins group using the following cmdlet:

[PS] New-ManagementRoleAssignment -SecurityGroup LegalAdmins -Role "Mailbox Search"


3. The above screenshot shows us the ECP view after applying this step. You can now see that the ‘Reporting’ link is shown. Select this link.


4. After you select this link you should see a similar view as shown above. Remember that you can also add a user to the Discovery Management role group instead of creating a group and assigning roles to it.

Select 'New'.


5. As you can see there are a number of search methods. Select 'Mailboxes to search' and choose the user mailbox that has purged deleted items.

6. Provide a search name.

7. Select 'Select a mailbox in which to store the search results', choose the 'Discovery Search Mailbox' and click Save.

8. After the search has completed (you may have to refresh), select the 'Open' link next to the results output on the right-hand side.

9. If you can't open the discovery search mailbox, you will need to grant the user access to it by typing in the following:

[PS] Add-MailboxPermission DiscoverySearchMailbox -User al -AccessRights FullAccess
NB. I changed the alias of the mailbox to this simpler name

10. You should now be able to open the discovery search mailbox. Once opened, navigate on the left to the search name and open the sent\deleted items folder. You should be able to find the item that was purged.

NB. If you wish you can create a new discovery search mailbox by using the following cmdlet:

[PS] New-Mailbox -Name "HelpDeskDiscovery" -UserPrincipalName HelpDeskDiscovery@<your-domain> -Discovery

(Substitute one of your accepted domains for <your-domain>.)

[PS] Add-MailboxPermission HelpDeskDiscovery -User al -AccessRights FullAccess


In the above example, our test user Al can perform the discovery search and open the discovery search mailbox to find deleted items.
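The same search can be driven from the Exchange Management Shell, which is handier when it has to be repeated or recorded for a case file. This is an added example written for this post, not code from the original article. It assumes the running account holds the Mailbox Search role (as granted in step 2) and Full Access to the target discovery mailbox; the search name, the source alias and the discovery mailbox alias "DiscoverySearchMailbox" (the simplified alias mentioned above) are placeholders.

```powershell
# Added example (not from the original post): discovery search from the shell.
# Search name, source alias and discovery mailbox alias are placeholders.
$searchName = "Case-0001 purged items"

# Scope the search as tightly as the case allows (one source mailbox, a date
# window and a keyword query) so the discovery mailbox only receives what is
# needed. SearchDumpster makes the search cover Recoverable Items, the
# "dumpster" where purged items sit.
New-MailboxSearch -Name $searchName `
    -SourceMailboxes "auser" `
    -TargetMailbox "DiscoverySearchMailbox" `
    -SearchQuery 'subject:"quarterly forecast"' `
    -StartDate "2011-07-01" -EndDate "2011-08-12" `
    -SearchDumpster:$true `
    -LogLevel Full | Out-Null

Start-MailboxSearch -Identity $searchName

# Poll until the search reaches a terminal state.
do {
    Start-Sleep -Seconds 15
    $search = Get-MailboxSearch -Identity $searchName
} while ($search.Status -notmatch '^(Succeeded|PartiallySucceeded|Failed|Stopped)$')

# Result count and size are what go into the case record; the copied items
# themselves are in a folder named after the search inside the discovery
# mailbox (open it in OWA as in step 10 above).
$search | Format-List Name, Status, PercentComplete, ResultNumber, ResultSize, TargetMailbox

# Once the case is closed, remove the search definition. The copied results stay
# in the discovery mailbox until they are deleted there.
# Remove-MailboxSearch -Identity $searchName
```

LogLevel Full leaves a log of the search in the target mailbox alongside the results, which is the record you want if someone later asks what was searched, by whom and when.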
