Useful Powershell Commands for Managing Roles

Here are some very helpful commands for handling RBAC issues I learned at Mike Pfeiffer’s blog.


Can this user modify this object?

This can be really helpful when you are troubleshooting permissions. If you need to verify that a member of your staff has write access to an object, use the following command syntax:

Get-ManagementRoleAssignment -WritableRecipient administrator -GetEffectiveUsers | ?{$_.EffectiveUserName -eq "Mike Pfeiffer"}

Full at this link

See also this Technet blog link which provides background and design detail.

Excerpt:

RBAC and the principle of least privilege

The principle of least privilege is an important design consideration in enhancing the protection of data and functionality from unintentional and/or malicious behavior.

Exchange Server 2010 aids such implementation of roles by using role-based access control (RBAC). However, in my professional experience, I have noticed that many deployments are not actually thought out to utilize the full potential of what RBAC has to offer. Most often, I see deployments where built-in RBAC roles are utilized and rarely customized to match the actual job roles of administrators. This mostly results in having too much access for the role.

[…]

full here

Managing Mobile Device Partnerships via PowerShell

Exchange 2010 offers a variety of methods for managing mobile devices. You can use the Exchange Management Shell, the Exchange Control Panel and, of course, PowerShell.


Recently I received a request to remotely wipe the mobile devices of two users (smart phones and tablets) and used the following quick and easy combination of PowerShell commands:

To see the status and IDs of a user’s mobile devices:

Get-ActiveSyncDevice -Mailbox "User Name" | Format-List Name

For a particular user one of the devices listed was named iPad§ApplDMPHFVZHDVGJ.

Using this ID I was able to start a remote wipe by issuing the following:

Clear-MobileDevice -Identity iPad§ApplDMPHFVZHDVGJ -NotificationEmailAddresses "username@domain.com"

As I'm sure you already know or have guessed, the -NotificationEmailAddresses option tells Exchange where to send the e-mail reporting the result of the wipe.

If, instead of remote wiping, I merely wanted to remove the device's partnership with Exchange, I could issue the following command:

Remove-ActiveSyncDevice -Identity iPad§ApplDMPHFVZHDVGJ
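Putting the steps above together, here is an added example script (not from the original post or from Microsoft) that lists a mailbox's ActiveSync partnerships with their last sync and wipe status, and then wipes or removes one device only after confirming that the device actually belongs to that mailbox, so a mistyped or stale ID cannot hit someone else's device. The function names, the mailbox and device names in the usage comments, and the PowerShell 2.0-compatible syntax are my assumptions; the cmdlets and their parameters are the ones the post uses.

```powershell
# Added example: requires the Exchange Management Shell (Exchange 2010 SP1 or
# later for Clear-MobileDevice). Function names are assumptions, not Exchange cmdlets.

function Get-UserDeviceReport {
    # List every ActiveSync partnership for a mailbox with its sync/wipe status.
    param([Parameter(Mandatory=$true)][string]$Mailbox)
    Get-ActiveSyncDevice -Mailbox $Mailbox | ForEach-Object {
        $stats = Get-ActiveSyncDeviceStatistics -Identity $_.Identity
        New-Object PSObject -Property @{
            Name         = $_.Name          # e.g. iPad§ApplDMPHFVZHDVGJ
            DeviceType   = $_.DeviceType
            DeviceId     = $_.DeviceId
            LastSync     = $stats.LastSuccessSync
            WipeSentTime = $stats.DeviceWipeSentTime
            WipeAckTime  = $stats.DeviceWipeAckTime
        }
    }
}

function Invoke-UserDeviceAction {
    # Wipe a device or drop its partnership, but only if it is paired with $Mailbox.
    param(
        [Parameter(Mandatory=$true)][string]$Mailbox,
        [Parameter(Mandatory=$true)][string]$DeviceName,
        [Parameter(Mandatory=$true)][ValidateSet('Wipe','RemovePartnership')][string]$Action,
        [string]$NotifyAddress,   # only used for Wipe
        [switch]$WhatIf           # pass -WhatIf to rehearse without changing anything
    )
    # Resolve the device through the mailbox rather than by a bare identity.
    $device = Get-ActiveSyncDevice -Mailbox $Mailbox | Where-Object { $_.Name -eq $DeviceName }
    if (-not $device) {
        throw "Device '$DeviceName' is not a partnership of mailbox '$Mailbox'; refusing to continue."
    }
    $params = @{ Identity = $device.Identity; WhatIf = $WhatIf }
    switch ($Action) {
        'Wipe' {
            if ($NotifyAddress) { $params.NotificationEmailAddresses = $NotifyAddress }
            Clear-MobileDevice @params
        }
        'RemovePartnership' {
            Remove-ActiveSyncDevice @params
        }
    }
}

# Usage (mailbox, device and address are placeholders):
#   Get-UserDeviceReport -Mailbox "User Name" | Format-Table Name, DeviceType, LastSync, WipeSentTime
#   Invoke-UserDeviceAction -Mailbox "User Name" -DeviceName "iPad§ApplDMPHFVZHDVGJ" -Action Wipe -NotifyAddress "username@domain.com" -WhatIf
#   Invoke-UserDeviceAction -Mailbox "User Name" -DeviceName "iPad§ApplDMPHFVZHDVGJ" -Action RemovePartnership
```

Run the report again after a wipe: WipeSentTime shows the command was queued, and WipeAckTime only fills in once the device has actually acknowledged it.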