MCSM: Messaging
Bhargav Shukla
©2013 Microsoft Corporation. All rights reserved. MCSM NDA Confidential. Do not distribute. For individual readiness purposes only.
©2012 MCSM: Messaging Version 1.0, Updated 4/16/2013
Instructor Intro [with photo]
• Contact Info
• Blog – http://www.bhargavs.com
• Twitter - @bhargavs
• Email – contactme@bhargavs.com
• Bio
• Exchange & Lync MCM
• Director – Product Research & Innovation @ KEMP Technologies
• Flight Sim Enthusiast
• Avid Model Airplane Crasher
Module Overview
• Session Objectives
• Understand Role Based Access Control
• Administering Role Based Access Control
• Takeaways
• Effective RBAC planning and implementation
Understanding RBAC
Lab
Lab1
Lab1 (Continued…)
Introduction
Exchange 2013 Administrative Tools
Question
Better than ACLs?
Split Permissions
RBAC Components
[Diagram labels: Who? (Users, Administrators); What?; Management Role Group; Assignment Policy; Management Role; Role Assignment; Role Entries]
RBAC Components
• What – Roles/Cmdlets/Parameters
• Management Roles
• Group of cmdlets and parameters
• Defines a job role
• X pre-defined roles in Exchange 2013 CU1
• List all management roles
• Get-ManagementRole
• List End User Roles
• Get-ManagementRole | Where {$_.IsEndUserRole -eq $true}
• List Admin Roles
• Get-ManagementRole | Where {$_.IsEndUserRole -eq $false}
RBAC Components
• What – Roles/Cmdlets/Parameters
• Management Role Entries
• Represents an individual cmdlet and its parameters
• List Role Entries for a role
• Get-ManagementRoleEntry "RoleName\*"
• You can select cmdlets or parameters using the appropriate switch
RBAC Components
• What – Roles/Cmdlets/Parameters
• Creating new management roles
• Parent-Child hierarchy
• Built-In roles serve as a parent
• Existing custom roles can also be used to create new roles
• New “child” roles can be modified
• Can remove entries
• Can't add entries the parent role doesn't have
• In general, every new role must be created from an existing role
• There are always exceptions
• More on that later
RBAC Components
• What – Roles/Cmdlets/Parameters
• Creating new management roles (Continued…)
• An example
• New-ManagementRole -Name "Custom Role" -Parent "Recipient Policies"
• Get-ManagementRoleEntry "Custom Role\*"
• Get-ManagementRoleEntry "Custom Role\*" | Where {$_.name -ne "Get-CASMailbox"} | Remove-ManagementRoleEntry
• Get-ManagementRoleEntry "Custom Role\*"
• Add-ManagementRoleEntry "Custom Role\Get-ActiveSyncDevice"
• Get-ManagementRoleEntry "Custom Role\*"
• Add-ManagementRoleEntry "Custom Role\Get-Mailbox"
RBAC Components
• What – Roles/Cmdlets/Parameters
• Creating new management roles (Continued…)
• The exception - “Unscoped Top Level” role
• As the name implies:
• No scope can be assigned
• No parent can be assigned
• Creates an empty role container
• Must be a member of the “Unscoped Role Management” role to create one
Lab
Lab2
RBAC Components
• Where – Self/OU/Scope
• Defined by RBAC management scope
• Inherited from parent if none specified
• Can be defined during role assignment
• Can be created using New-ManagementScope cmdlet
• OPATH filters used to define Recipient or Server restrictions
• Use ServerList to define server scopes
• Use RecipientRoot to define OU scope
• Use Exclusive to block inheritance
RBAC Components
• Where – Self/OU/Scope
• What is the expected result of the following cmdlets? Why?
• New-ManagementScope -Name "Test" -RecipientRoot "fabrikam.com/Users" -RecipientRestrictionFilter {RecipientType -eq "UserMailbox"}
• New-RoleGroup "Test-Helpdesk" -Roles "View-Only Recipients" -CustomRecipientWriteScope "Test"
• Can’t assign a scope outside of implicit scope boundaries
• Implicit scope for “View-Only Recipients” does not allow any modifications
• Custom scope is allowing modifications
RBAC Components
• Who – Admins/Users
• Role Assignees
• Can be direct assignment to a user
• Assignments are commonly created for a group
• Role Assignments for Administrators
• Role Assignment Policies for End Users
RBAC Components
• Who – Admins/Users
• Role Group Members
• Role groups located within “Microsoft Exchange Security Groups” OU in AD
• New-RoleGroup cmdlet creates a new USG in the OU
• *-RoleGroupMember cmdlets allow manipulation of Role Group memberships
• Use BypassSecurityGroupManagerCheck parameter to override owner as admin or to manage Security Distribution Groups
Question
RBAC Components
• Role assignment
• Glue to connect Who/Where/What
• New-ManagementRoleAssignment
• Role and Group are required
• Scope is optional
• If no scope defined, assignment inherits scope from role
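The What, Where and Who pieces from the preceding slides, joined by a role assignment and then verified. This is an added example, not part of the original deck; the role, scope and group names are hypothetical, the choice of `Mail Recipients` as parent is an assumption, and it has to be run in the Exchange Management Shell.

```powershell
# Added example. Names below are hypothetical; only the OU path and the
# recipient filter come from the slides.
$parent = 'Mail Recipients'          # assumed built-in parent role
$role   = 'Helpdesk Mailbox Edit'    # hypothetical custom role
$scope  = 'Fabrikam User Mailboxes'  # hypothetical management scope
$group  = 'Fabrikam-Helpdesk'        # hypothetical role group

# Check the parent's implicit scopes first: a custom write scope cannot
# extend past what the role implicitly allows.
Get-ManagementRole $parent | Format-List Name, Implicit*Scope

# What: child role, trimmed to the cmdlets the helpdesk needs.
# Entries can only be removed from what the parent provides.
New-ManagementRole -Name $role -Parent $parent
$keep = 'Get-Mailbox', 'Set-Mailbox', 'Get-Recipient'
Get-ManagementRoleEntry "$role\*" |
    Where-Object { $keep -notcontains $_.Name } |
    Remove-ManagementRoleEntry -Confirm:$false

# Where: user mailboxes under one OU.
New-ManagementScope -Name $scope -RecipientRoot 'fabrikam.com/Users' `
    -RecipientRestrictionFilter { RecipientType -eq "UserMailbox" }

# Who: an empty role group (a universal security group in AD).
New-RoleGroup -Name $group

# Glue: role + group are required, the scope is optional.
New-ManagementRoleAssignment -Name "$role-$group" -Role $role `
    -SecurityGroup $group -CustomRecipientWriteScope $scope

# Verify: what was left in the role, and who ends up with it.
Get-ManagementRoleEntry "$role\*" | Format-Table Name, Parameters -AutoSize
Get-ManagementRoleAssignment -Role $role -GetEffectiveUsers |
    Format-List Name, RoleAssigneeName, EffectiveUserName, CustomRecipientWriteScope
```

Until members are added to the role group, the last command lists no effective users for the new assignment, which is the state to review before granting anyone access.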
Question
Lab
Lab 3
RBAC Under the covers
Question
Lab
Lab 4
Split Permissions
Shared Permission Model
Troubleshooting RBAC
Troubleshooting
• Handy one-liners
• Get-ManagementRoleAssignment -Role "Organization Configuration" -GetEffectiveUsers -Delegating $False | FL Name, RoleAssigneeName, EffectiveUserName, AssignmentChain
• Get-ManagementRoleAssignment -WritableRecipient Administrator -GetEffectiveUsers
• WritableRecipient is the object in question
• EffectiveUsers are the ones who are able to modify the object based on their role assignments
Lab
Lab 5
Lab 5 (Continued…)
Lab 6
Summary
Role Based Access Control
Q&A