Case: a child-domain administrator should be allowed only to maintain distribution group membership in the child domain's mail system (scoped to that child domain), i.e. only to modify group membership, not to create or delete distribution groups, and to hold no such rights over distribution groups across the whole organization.
Method: grant the permission through RBAC. The steps are as follows:
1. The built-in roles carry far more permissions than required, so create new child roles of them that can be trimmed down:
New-ManagementRole -Parent "Distribution Groups" -Name "Edit Distribution Group"
New-ManagementRole -Parent "Security Group Creation and Membership" -Name "Edit Security Group"
2. Tailor the new roles to the requirement by removing the role entries that create and delete distribution groups. Role entries are addressed as "<Role>\<Cmdlet>"; remove the exact cmdlets rather than a *Remove* or *New* wildcard, because a wildcard would also strip Remove-DistributionGroupMember, which the administrator still needs for membership maintenance:
Get-ManagementRoleEntry "Edit Distribution Group\Remove-DistributionGroup" | Remove-ManagementRoleEntry -Confirm:$false
Get-ManagementRoleEntry "Edit Distribution Group\New-DistributionGroup" | Remove-ManagementRoleEntry -Confirm:$false
Get-ManagementRoleEntry "Edit Security Group\Remove-DistributionGroup" | Remove-ManagementRoleEntry -Confirm:$false
Get-ManagementRoleEntry "Edit Security Group\New-DistributionGroup" | Remove-ManagementRoleEntry -Confirm:$false
3. Create a recipient filter scope that limits write access to recipients of the child domain a.local:
New-ManagementScope -Name "Scope of users" -RecipientRestrictionFilter "EmailAddresses -like '*a.local*'" -RecipientRoot "a.local"
4. Create a role group that carries the two trimmed roles together with the custom recipient write scope:
New-RoleGroup -Name "DGRoleGroup" -Roles "Edit Distribution Group","Edit Security Group" -CustomRecipientWriteScope "Scope of users"
5. Add the authorized user and group to the role group (Add-RoleGroupMember takes one member per call):
Add-RoleGroupMember -Identity "DGRoleGroup" -Member "user1"
Add-RoleGroupMember -Identity "DGRoleGroup" -Member "group1"
After this, user1 and group1 can edit the child domain's distribution groups through the Exchange Management Shell and the ECP, but cannot create or delete distribution groups.
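The following verification script is an added example, not part of the original procedure. It assumes the role, scope and role-group names used above ("Edit Distribution Group", "Edit Security Group", "Scope of users", "DGRoleGroup") and runs in the Exchange Management Shell with organization-management rights; it checks that the trimmed roles still contain the membership cmdlets, no longer contain the create/delete cmdlets, and that every assignment of the role group is bound to the child-domain write scope.

```powershell
# Added verification script; names below are the ones assumed from the procedure above.
$roles     = 'Edit Distribution Group', 'Edit Security Group'
$mustKeep  = 'Add-DistributionGroupMember', 'Remove-DistributionGroupMember', 'Update-DistributionGroupMember'
$mustLack  = 'New-DistributionGroup', 'Remove-DistributionGroup'
$roleGroup = 'DGRoleGroup'
$scopeName = 'Scope of users'
$failed    = $false

foreach ($role in $roles) {
    # "<Role>\*" lists every cmdlet entry that the role still contains.
    $entries = Get-ManagementRoleEntry "$role\*" | Select-Object -ExpandProperty Name
    foreach ($c in $mustKeep) {
        if ($entries -notcontains $c) { Write-Warning "$role lost membership cmdlet $c"; $failed = $true }
    }
    foreach ($c in $mustLack) {
        if ($entries -contains $c) { Write-Warning "$role still allows $c"; $failed = $true }
    }
}

# Each assignment of the role group must carry the custom recipient write scope;
# an assignment without it would write to recipients of the whole organization.
Get-ManagementRoleAssignment -RoleAssignee $roleGroup | ForEach-Object {
    $ws = "$($_.CustomRecipientWriteScope)"
    if ($ws -ne $scopeName) {
        Write-Warning "Assignment $($_.Name) has write scope '$ws', expected '$scopeName'"
        $failed = $true
    }
}

# The scope itself should be rooted at the child domain, not at the forest root.
$scope = Get-ManagementScope $scopeName
if (-not $scope.RecipientRoot) {
    Write-Warning "Scope '$scopeName' has no RecipientRoot and applies to all recipients"
    $failed = $true
}

# Show who actually received the delegated rights.
Get-RoleGroupMember $roleGroup | Select-Object Name, RecipientType

if ($failed) { Write-Error 'RBAC configuration does not match the requirement' }
else        { 'RBAC configuration verified' }
```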