Thursday, May 14, 2015

Which commans a Role Group Member can Execute

Hi folks,

Just wanted to quickly share with you one of the RBAC tricks in the Exchange 2010 or 2013. I will not go in to details on role groups, assignments, scopes and so on as it can all be read here.

These 2 strings of code create a report on what cmdlets members of a role group can execute and also scope where they can be executed.

I had to use the $RLGRP variable because when attempting to pipeline results of the Get-ManagementRoleAssignment cmdlet I would get error as below:

$RLGRP= Get-ManagementRoleAssignment  -RoleAssignee "Role Group Name"
$RLGRP |foreach {Get-ManagementRole $_.Role} |select Name,ImplicitRecipientReadScope,ImplicitRecipientWriteScope,ImplicitConfigReadScope,ImplicitConfigWriteScope,@{N="Role Entries";E={$_.RoleEntries}} |Export-Csv RlGrpCmdlets.csv

Successful execution of this code produces a nice Excel report.

And of course you will need to replace Role Group Name with something real from your environment.