
An intro to Exchange 2013 RBAC management with PowerShell

New to Exchange 2013 RBAC management? You can use PowerShell cmdlets to verify role assignments and group memberships. Here's how.

In a previous tip, I outlined some basics for managing role based access control in Exchange 2013. The tip detailed the various administrative roles and best practices for role group management. PowerShell cmdlets are another integral part of managing RBAC. This tip details the commands necessary to verify role assignment and group memberships.

Let's start with a quick recap. As you know, RBAC is based on management roles. Management roles are tasks that can be performed by users who have been assigned specific roles. In most cases, users are assigned to a role group rather than to a specific management role. Role groups are collections of management roles.

Exchange Server 2013 contains about a dozen built-in role groups. To view the list of role groups, enter the Get-RoleGroup cmdlet (Figure 1).

Figure 1. Use the Get-RoleGroup cmdlet to display the names of each role group in Exchange 2013.

Now, if you'd like to see which users have been assigned to specific role groups, you need to simply append a role group name to the Get-RoleGroup cmdlet, then pipe the results into the Get-RoleGroupMember cmdlet.

Look back at Figure 1. You can see that the first Exchange 2013 RBAC role group listed is "Organization Management." If you want to see which users are assigned to this group, use the Get-RoleGroup 'Organization Management' | Get-RoleGroupMember command (Figure 2).

Figure 2. Use PowerShell to view the members of a specific role group.

Another useful cmdlet is Get-ManagementRoleAssignment. If you enter this cmdlet as is, it returns a list of every management role assignment in the organization. Since that list can prove overwhelming, it's more helpful to filter the Get-ManagementRoleAssignment output so that it returns only the roles a particular user has been assigned.

Figure 3. Find out which Exchange 2013 roles a user has been assigned.

For example, if you want to know which management roles have been assigned to the built-in Administrator account, use the following command:

Get-ManagementRoleAssignment -GetEffectiveUsers | ? {$_.EffectiveUserName -eq "Administrator"} | Select Role

You can see the output from this command in Figure 3.

Again, though it's undoubtedly useful to have the option to determine which roles have been assigned to a user, the results list can be quite long. In Figure 3, for example, the list of role assignments was too long to even fit within a screen capture. Therefore, it can be more useful to produce a list of the role groups an individual user has been assigned to, since a handful of role groups is far easier to review than dozens of individual roles.

That said, Microsoft doesn't provide a cmdlet to retrieve Exchange 2013 RBAC role group membership. It can be accomplished, but you have to jump through a couple of hoops.

When we looked at the Get-ManagementRoleAssignment cmdlet, you saw that I matched the role assignment to the username. The username is essentially the user's alias. When it comes to finding out to which role groups a user belongs, you can't specify the user by alias. Instead, you must specify the user by his Active Directory canonical name. This name is assembled by combining the domain name, OU name and username, separated by forward slashes, in the following format: domain/ou/user

To see how this works, type the following command:

Get-RoleGroup 'Organization Management' | FL

This command will display the various attributes that can be referenced by the Get-RoleGroup cmdlet (Figure 4).

Figure 4. The Members attribute displays the canonical name format.

As you can see, one of the attributes is "Members." The Members attribute contains one single user account (the built-in Administrator account). This account is expressed in canonical name format.

Now that you know how to express a username in canonical name format, determining to which role groups a user belongs is as simple as entering the Get-RoleGroup cmdlet and filtering the results by matching the Members attribute against the canonical name of the user you're looking for. For example, if I want to know to which role groups the built-in Administrator account belongs, I could enter the following command:

Figure 5. You can use PowerShell to determine to which role groups a user belongs.

Get-RoleGroup | Where-Object {$_.Members -eq 'Lab15/Users/Administrator'}

You can see the command's results in Figure 5.
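The following function pulls the steps above together into one reusable check. It is an added example, not code from the original tip, and it assumes an Exchange 2013 Management Shell session in which Get-User's Identity property returns the user's canonical name (for example lab15.local/Users/Administrator); confirm that in your own organization before relying on it.

```powershell
# Added example (not from the original tip). Assumes the Exchange 2013
# Management Shell and that Get-User's Identity property is the canonical name.
function Get-UserRbacSummary {
    [CmdletBinding()]
    param(
        # Any identity Get-User accepts: alias, name or UPN
        [Parameter(Mandatory = $true)]
        [string]$Identity
    )

    # Resolve the alias to the account once; fail early if it does not exist.
    $user = Get-User -Identity $Identity -ErrorAction Stop
    $canonicalName = $user.Identity.ToString()

    # Role groups whose Members attribute contains this canonical name.
    # Members is multi-valued, so compare each entry as a string and use
    # -contains rather than relying on -eq against the whole collection.
    $roleGroups = Get-RoleGroup | Where-Object {
        @($_.Members | ForEach-Object { $_.ToString() }) -contains $canonicalName
    }

    # Effective roles: assignments the user receives directly or through any
    # role group, matched on the user's name as in Figure 3. Duplicates are
    # collapsed because several role groups can grant the same role.
    $roles = Get-ManagementRoleAssignment -GetEffectiveUsers |
        Where-Object { $_.EffectiveUserName -eq $user.Name } |
        ForEach-Object { $_.Role.ToString() } |
        Sort-Object -Unique

    [PSCustomObject]@{
        User          = $user.Name
        CanonicalName = $canonicalName
        RoleGroups    = @($roleGroups | ForEach-Object { $_.Name })
        Roles         = @($roles)
    }
}

# Review what the built-in Administrator account holds.
Get-UserRbacSummary -Identity 'Administrator' | Format-List
```

Running it against each member of high-privilege groups such as Organization Management gives a compact, repeatable record of who holds what, which is easier to review periodically than the raw Get-ManagementRoleAssignment output.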

About the author:
Brien Posey is a ten-time Microsoft MVP with two decades of IT experience. Before becoming a freelance technical writer, Brien worked as a chief information officer at a national chain of hospitals and healthcare facilities. He has also served as a network administrator for some of the nation's largest insurance companies and for the Department of Defense at Fort Knox.


We have Exchange 2013 RTM CU1 on-premises now; this will be helpful. Thanks :-)