exchange server 2010 management tools v1


Upload: phossil21

Post on 27-Mar-2015


DESCRIPTION

Exchange Server 2010 Management Tools presentation

TRANSCRIPT

Page 1: Exchange Server 2010 Management Tools v1

Exchange 2010 Management Tools

Name
Title
Microsoft Corporation

Page 2: Exchange Server 2010 Management Tools v1

Exchange 2010 Investments
Simplify Administration

• Empower Specialist Users to Perform Specific Tasks with Role-based Administration
  − Compliance Officer - Conduct Mailbox Searches for Legal Discovery
  − HR Officer - Update Employee Info in Company Directory

• Lower Support Costs Through New User Self-Service Options
  − Track Status of sent messages
  − Create and Manage Distribution Lists

The annual cost of helpdesk support staff for e-mail systems with 7,500 mailboxes is approximately $20/mailbox. This cost goes up the smaller the organization. (“Email Support Staff Requirements and Costs: A Survey of 136 Organizations”, Ferris Research, June 2008).

Page 3: Exchange Server 2010 Management Tools v1

Exchange 2010 Management
What's New?

• New Exchange Management Console features

• Exchange Control Panel (ECP)
  − New and simplified web based management console
  − Targeted for end users, hosted tenants, and specialists

• Role Based Access Control (RBAC)
  − New authorization model
  − Easy to delegate and customize
  − All Exchange management clients (EMS, EMC, ECP) use RBAC

• Remote PowerShell
  − Manage Exchange remotely using PowerShell v2.0
  − Note: No more local PowerShell, it's all remote in Exchange 2010

Page 4: Exchange Server 2010 Management Tools v1

Exchange Management Console (EMC)
Improvements

• Built on Remote PowerShell and RBAC
• Multiple Forest Support
• Cross-premises Exchange Management
  − Including Mailbox Moves
• Recipient Bulk Edit
• PowerShell Command Logging
• New feature support
  − For Example: High Availability

Page 5: Exchange Server 2010 Management Tools v1

Exchange Management Console

demo

Page 6: Exchange Server 2010 Management Tools v1

Exchange Control Panel (ECP)
What is it?

• A browser based Management client for end users, administrators, and specialists

• Simplified user experience for common management tasks

• Accessible directly via URL, OWA & Outlook 14

• Deployed as a part of the Client Access Server role

• RBAC aware

Page 7: Exchange Server 2010 Management Tools v1

Exchange Control Panel
Who will use it?

• Specialists
  − Administrators can delegate to specialists, e.g. Help Desk Operators, Department Administrator, and eDiscovery Administrators

• End Users
  − Comprehensive self service tools for End Users

• Hosted Customers
  − Tenant Administrators

Page 8: Exchange Server 2010 Management Tools v1

Exchange Control Panel
What It Looks Like

[Screenshot of the ECP with callouts: Primary Navigation, UI Scope Control, Secondary Navigation, Slab]

Page 9: Exchange Server 2010 Management Tools v1

Exchange Control Panel

demo

Page 10: Exchange Server 2010 Management Tools v1

ECP Architecture Overview

• High Level View
  − AJAX-based
  − Shares some code with OWA, but two separate applications
  − Deployed on Client Access Server
  − ECP ASP.Net RBAC PowerShell
  − Authentication: Windows Integrated, Basic, Forms Based

• Browser support - Same as OWA premium
  − IE
  − Firefox
  − Safari

[Architecture diagram labels: Web Browser, ECP Client Library, AJAX, Client Access Server, HTTP.SYS (IIS), LiveId/FBA Auth, ECP Server Library, RBAC, PowerShell, Exchange Cmdlets]

Page 11: Exchange Server 2010 Management Tools v1

ECP Architecture Overview
Role Based Access Control

• Users shouldn't have access to message tracking
  − Message tracking tab doesn't show up in ECP

• Users can edit mailboxes, but not create new ones
  − "New Mailbox" button hidden

• Users can edit display name but not Department
  − Department field visible but read-only

Page 12: Exchange Server 2010 Management Tools v1

RBAC in Exchange 2010

• RBAC has replaced the permission model used in Exchange 2007

• Your “role” is defined by “what you do”

• Define precise or broad roles and assignments based on the tasks that need to be performed

• Includes Self Administration

• Used by EMC, EMS and ECP

Page 13: Exchange Server 2010 Management Tools v1

Who can do What… and Where?

[Diagram: a Role Assignment links three parts]
• Who? Admins (RoleGroup/USG) and End-Users (Role Assignment Policy)
• What? A Role, made up of Role Entries; each Role Entry is a Cmdlet with its parameters (Param1, Param2, Param3)
• Where? Recipient Read Scope, Recipient Write Scope, Configuration Read Scope, Configuration Write Scope

Page 14: Exchange Server 2010 Management Tools v1

Who can do What… and Where?

[Diagram: the Who? / What? / Where? diagram from Page 13, with the cmdlets that manage each part]

• Role Assignment: New-ManagementRoleAssignment, Get-ManagementRoleAssignment, Set-ManagementRoleAssignment, Remove-ManagementRoleAssignment
• RoleGroup/USG: Add-RoleGroupMember, Remove-RoleGroupMember
• Role Assignment Policy: New-RoleAssignmentPolicy, Remove-RoleAssignmentPolicy

Page 15: Exchange Server 2010 Management Tools v1

Who can do What… and Where?

[Diagram: the Who? / What? / Where? diagram from Page 13, with the built-in RoleGroups called out]

RoleGroup: Assigned Roles
• OrganizationManagement: <All Roles>
• ViewOnlyOrgManagement: <All Roles View-Only>
• RecipientManagement: PasswordManagement, MailRecipientManagement, DistributionGroupManagement, …
• UMManagement: UMServerManagement, UMRecipientManagement, …
• DiscoveryManagement: MailboxSearchManagement, LegalholdManagement

RoleGroup/USG cmdlets: New-RoleGroup, Set-RoleGroup, Get-RoleGroup, Remove-RoleGroup

Page 16: Exchange Server 2010 Management Tools v1

Who can do What… and Where?

[Diagram: the Who? / What? / Where? diagram from Page 13, with scope examples]

New-ManagementRoleAssignment -Name Sales-RecipMgt … -RecipientOrganizationalUnitScope "OU=Sales,CN=Users…"

New-ManagementScope -Name Sales-Recipients -RecipientRestrictionFilter "(Department -eq 'Sales')"

New-ManagementScope -Name Euro-Servers -ServerRestrictionFilter "(Name -like 'EuroMBX*')"

New-ManagementScope -Name VIP-Recipients -RecipientRestrictionFilter "((Title -eq 'CEO') -or (Title -eq 'CIO'))" -Exclusive

• Exclusive scopes take effect immediately

• Access is granted through Role Assignment to an Exclusive Scope

Page 17: Exchange Server 2010 Management Tools v1

Custom Management Roles

• Custom Roles can be added to suit specific delegation requirements
  − Roles are hierarchical, with built-in role at the top
  − Role Entries can only be removed from a role

1. Create the management role

2. Change the new role's management role entries (by removing role entries)

3. Create a management scope (if required)

4. Assign the new management role

Page 18: Exchange Server 2010 Management Tools v1

Custom Management Roles
What does it look like?

New-ManagementRole -Name "eDiscovery-Sales" -Parent DiscoveryManagement

New-ManagementScope -Name "Sales Mailboxes" -DomainRestrictionFilter "(RecipientType -eq 'UserMailbox')" -DomainRoot "OU=Sales,DC=contoso,DC=Com"

New-ManagementRoleAssignment -Name "RA-Sales eDiscovery Administrators" -User "USG-Sales eDiscovery Admins" -Role "eDiscovery-Sales" -DomainScopeRestriction "Sales Mailboxes"
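The four steps from the previous slide carried through end to end, including step 2 (removing role entries), which the commands above skip. This is an added example, not part of the original deck: it builds the help desk case from Page 11 (edit display name but not Department, no mailbox creation), the role and group names are hypothetical, and it uses the parameter names of the released product (-RecipientRestrictionFilter, -SecurityGroup, -CustomRecipientWriteScope) rather than the pre-release names shown on this slide.

```powershell
# Added example: hypothetical names throughout; assumes an Exchange 2010
# shell session opened by an account that is allowed to manage RBAC.
$parent = 'Mail Recipients'              # built-in role: edits recipients, cannot create them
$role   = 'Sales Help Desk Recipients'   # hypothetical custom role
$scope  = 'Sales-Recipients'             # scope name used on Page 16
$group  = 'USG-Sales Help Desk'          # hypothetical, pre-existing universal security group

# Cmdlets the help desk keeps. Names missing from the parent are simply ignored.
$keep = 'Get-Mailbox', 'Get-User', 'Get-Recipient', 'Set-User'

# 1. Create the management role as a child of the built-in role.
New-ManagementRole -Name $role -Parent $parent | Out-Null

# 2. Entries can only be removed: drop every inherited cmdlet that is not on
#    the keep list, then drop one parameter from an entry that stays.
Get-ManagementRoleEntry "$role\*" |
    Where-Object { $keep -notcontains $_.Name } |
    ForEach-Object { Remove-ManagementRoleEntry "$role\$($_.Name)" -Confirm:$false }
Set-ManagementRoleEntry "$role\Set-User" -Parameters Department -RemoveParameter

# 3. Create the management scope (same filter as on Page 16).
New-ManagementScope -Name $scope -RecipientRestrictionFilter "Department -eq 'Sales'" | Out-Null

# 4. Assign the role to the group, limited to that write scope.
New-ManagementRoleAssignment -Name "RA-$role" -SecurityGroup $group `
    -Role $role -CustomRecipientWriteScope $scope | Out-Null

# Check the result before anyone is added to the group.
$entries = @(Get-ManagementRoleEntry "$role\*")
$entries | Format-Table Name, Parameters -AutoSize

$unexpected = @($entries | Where-Object { $keep -notcontains $_.Name })
if ($unexpected.Count -gt 0) {
    Write-Warning "Entries outside the keep list: $($unexpected | ForEach-Object { $_.Name })"
}
$setUser = $entries | Where-Object { $_.Name -eq 'Set-User' }
if ($setUser.Parameters -contains 'Department') {
    Write-Warning 'Set-User still exposes -Department'
}
Get-ManagementRoleAssignment -Role $role |
    Format-List Name, RoleAssigneeName, CustomRecipientWriteScope
```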

Page 19: Exchange Server 2010 Management Tools v1

Role Based Access Control

demo

Page 20: Exchange Server 2010 Management Tools v1

RBAC Role Delegation

• Role membership is not a right to delegate

• RoleAssignment Delegation
  − Special kind of Role Assignment
  − Delegation does not grant role permissions

• RoleGroup Delegation
  − Controlled through RoleGroup ownership
  − ManagedBy parameter similar to DGs (Multi-Valued)
  − Ownership does not grant RoleGroup permissions

Page 21: Exchange Server 2010 Management Tools v1

RBAC Permissions Reporting

Get-ManagementRoleAssignment

• Effective Roles for a User
• Effective Users by Role/Scope/Group
• Effective permissions to a Writable Object
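The three reports listed above as Get-ManagementRoleAssignment queries, followed by two review queries for the delegation cases from Page 20. This is an added example, not part of the original deck; the user, role and recipient identities are hypothetical.

```powershell
# Added example: identities are hypothetical; assumes an Exchange 2010 shell
# session whose account is allowed to read the RBAC configuration.
$user      = 'erik'              # user whose access is being reviewed
$role      = 'Mail Recipients'   # role being reviewed
$recipient = 'bob'               # object whose writers are being reviewed

# Effective roles for a user: -RoleAssignee returns direct assignments and
# those that reach the user through a role group or an assignment policy.
Get-ManagementRoleAssignment -RoleAssignee $user |
    Sort-Object Role |
    Format-Table Role, RoleAssigneeName, RoleAssigneeType, CustomRecipientWriteScope -AutoSize

# Effective users by role: -GetEffectiveUsers expands groups to their members.
Get-ManagementRoleAssignment -Role $role -GetEffectiveUsers |
    Sort-Object EffectiveUserName |
    Format-Table EffectiveUserName, RoleAssigneeName, AssignmentMethod -AutoSize

# Effective permissions to a writable object: who is able to modify $recipient.
Get-ManagementRoleAssignment -WritableRecipient $recipient -GetEffectiveUsers |
    Sort-Object EffectiveUserName |
    Format-Table EffectiveUserName, Role, RoleAssigneeName -AutoSize

# Review: delegating assignments. They allow a role to be assigned to others
# without granting the role's own permissions, so the list should be short.
Get-ManagementRoleAssignment -Delegating $true |
    Format-Table Role, RoleAssigneeName, RoleAssignmentDelegationType -AutoSize

# Review: regular assignments made straight to a user instead of through a
# role group, which are easy to miss when only group membership is audited.
Get-ManagementRoleAssignment -RoleAssigneeType User -Delegating $false |
    Format-Table Role, RoleAssigneeName, CustomRecipientWriteScope -AutoSize
```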

Page 22: Exchange Server 2010 Management Tools v1

Remote PowerShell
New management architecture for PowerShell in Exchange 2010

• Allows Role-based Access Control (RBAC) model
  − Restricted Runspace allows RBAC to hide cmdlets and parameters

• Client / Server separation
  − Remote PowerShell is always used to connect "remotely" to localhost
  − Enables firewall and cross-forest scenarios

• "No Binaries" scenarios
  − Exchange-cmdlet management from a client machine which does not have Exchange Management Tools (Exchange binaries) installed

Page 23: Exchange Server 2010 Management Tools v1

Remote PowerShell
How does it work?

[Diagram: remote PowerShell connection for the user Erik, with these labels]
• PSv2 Client Runspace. Cmdlets Available in Runspace: New-PSSession
• > New-PSSession -URI https://server.fqdn.com/PowerShell/
• Exchange Server, IIS: Authentication (Active Directory)
• WSMan + RBAC stack: Authorization
• Erik: Role Assignment: New-Mailbox -Name, Get-Mailbox, Set-Mailbox -Name
• PSv2 RBAC Server Runspace. Cmdlets Available in Runspace: New-Mailbox -Name, Get-Mailbox, Set-Mailbox -Name
• Remote Cmdlets Available in Runspace: New-Mailbox -Name, Get-Mailbox, Set-Mailbox -Name
• > New-Mailbox -Name Bob
• [Bob Mailbox Object in Pipeline]

Page 24: Exchange Server 2010 Management Tools v1

Remote PowerShell
How Do I Use It?

$UserCredential = Get-Credential

$rs = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://<Exchange 2010 servername>/powershell -Credential $UserCredential

Import-PSSession $rs
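Because the restricted runspace hides whatever the role assignment does not grant, the same connection can be used to confirm what a delegated account actually receives. This is an added example, not part of the original deck: the expected list follows Erik's role assignment on Page 23, and the hidden-parameter check is a hypothetical choice.

```powershell
# Added example: run it with the delegated user's credentials, not an admin's.
$server   = '<Exchange 2010 servername>'                  # placeholder, as on the slide
$expected = 'New-Mailbox', 'Get-Mailbox', 'Set-Mailbox'   # Erik's role assignment (Page 23)
$hidden   = @{ 'Set-Mailbox' = 'ProhibitSendQuota' }      # hypothetical parameter Erik should not see

$cred    = Get-Credential
$session = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri "https://$server/powershell" -Credential $cred
try {
    # Import-PSSession returns the temporary module that holds the proxy
    # commands; only commands RBAC left in the server runspace are imported.
    $module  = Import-PSSession $session -DisableNameChecking
    $visible = @(Get-Command -Module $module.Name)

    # Commands exposed beyond what the role assignment was meant to grant.
    $extra = @($visible | Where-Object { $expected -notcontains $_.Name } | Sort-Object Name)
    '{0} commands imported, {1} not on the expected list' -f $visible.Count, $extra.Count
    $extra | ForEach-Object { Write-Warning "Unexpected command: $($_.Name)" }

    # Parameters that should have been removed from the role entry.
    foreach ($name in $hidden.Keys) {
        $cmd = $visible | Where-Object { $_.Name -eq $name }
        if ($cmd -and $cmd.Parameters.ContainsKey($hidden[$name])) {
            Write-Warning "$name still exposes -$($hidden[$name])"
        }
    }
}
finally {
    # Always close the session so no authenticated runspace is left open.
    Remove-PSSession $session
}
```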

Page 25: Exchange Server 2010 Management Tools v1

Remote PowerShell

demo

Page 26: Exchange Server 2010 Management Tools v1

Summary

• Role Based Access Control
  − RBAC used as the permissions model
  − Enables the definition of broad or precise roles and assignments, based on the actual roles administrators perform

• Exchange Control Panel
  − Provides a new way to administer a subset of Exchange features
  − Provides a great self provisioning portal

• Remote PowerShell
  − Uses familiar Exchange cmdlets
  − Allows administration without the Exchange management tools
  − Provides firewall friendly management access

Page 27: Exchange Server 2010 Management Tools v1

© 2008 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.

The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.