Useful Powershell Commands for Managing Roles

Here are some very helpful commands for handling RBAC issues I learned at Mike Pfeiffer’s blog.


Can this user modify this object?

This can be really helpful when you are troubleshooting permissions. If you need to verify that a member of your staff has write access to an object, use the following command syntax:

Get-ManagementRoleAssignment -WritableRecipient administrator -GetEffectiveUsers | ?{$_.EffectiveUserName -eq "Mike Pfeiffer"}

Full post at this link.

See also this Technet blog link which provides background and design detail.


RBAC and the principle of least privilege

The principle of least privilege is an important design consideration in enhancing the protection of data and functionality from unintentional and/or malicious behavior.

Exchange Server 2010 aids such implementation of roles by using role-based access control (RBAC). However, in my professional experience, I have noticed that many deployments are not actually thought out to utilize the full potential of what RBAC has to offer. Most often, I see deployments where built-in RBAC roles are utilized and rarely customized to match the actual job roles of administrators. This mostly results in having too much access for the role.


Full post here.
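The two RBAC points above (tailor a role to the actual job instead of handing out a built-in one, then verify what a given user can write to) fit together in one Exchange Management Shell session. The script below is an added example, not code from this post or from Mike Pfeiffer's; the role, role group, member and recipient names are placeholders, and it assumes the "Mail Recipients" parent role carries the ActiveSync device cmdlets it keeps (if it does not, `Get-ManagementRoleEntry "*\Clear-MobileDevice"` shows which roles do).

```powershell
# Added example: derive a narrow helpdesk role from a built-in parent, keep only the
# cmdlets the job needs, assign it through its own role group, then check which
# assignments actually give the user write access to a recipient.
# All names below are placeholders; run in the Exchange Management Shell.

# 1. A child role can only lose entries relative to its parent, never gain them,
#    so start from the narrowest built-in role that still has what the job needs.
New-ManagementRole -Name "Helpdesk Mobile Devices" -Parent "Mail Recipients"

# 2. Trim the child to the cmdlets the job uses. Get-* entries are kept so the
#    helpdesk can still look up what it is about to act on. Assumption: these
#    cmdlets exist in the parent role; entries not in the parent cannot be kept.
$keep = @('Get-Mailbox', 'Get-ActiveSyncDevice', 'Get-ActiveSyncDeviceStatistics',
          'Clear-MobileDevice', 'Remove-ActiveSyncDevice')
Get-ManagementRoleEntry "Helpdesk Mobile Devices\*" |
    Where-Object { $keep -notcontains $_.Name } |
    Remove-ManagementRoleEntry -Confirm:$false

# 3. Give the role its own group instead of adding people to Recipient Management,
#    so group membership maps to one job rather than to a superset of it.
New-RoleGroup -Name "Helpdesk Mobile Devices" -Roles "Helpdesk Mobile Devices" -Members "helpdesk.user"

# 4. Verification: each row is a separate path by which the user can write to the
#    recipient. A correctly scoped user shows only the custom role here; any extra
#    row (for example, a leftover membership in a built-in group) is excess access.
function Get-EffectiveWriteAccess {
    param(
        [Parameter(Mandatory)][string]$Recipient,
        [Parameter(Mandatory)][string]$EffectiveUserName
    )
    Get-ManagementRoleAssignment -WritableRecipient $Recipient -GetEffectiveUsers |
        Where-Object { $_.EffectiveUserName -eq $EffectiveUserName } |
        Select-Object Role, RoleAssigneeName, RoleAssigneeType, AssignmentMethod, RecipientWriteScope
}

Get-EffectiveWriteAccess -Recipient "administrator" -EffectiveUserName "Helpdesk User"
```

The `RecipientWriteScope` column is worth reading alongside `Role`: two users can hold the same role yet differ in which recipients they may write to, and the cmdlet with `-WritableRecipient` already takes that scope into account when it decides whether to list an assignment.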

Managing Mobile Device Partnerships via PowerShell

Exchange 2010 offers a variety of methods for managing mobile devices. You can use the Exchange Management Shell, the Exchange Control Panel and, of course, PowerShell.


Recently I received a request to remotely wipe the mobile devices of two users (smart phones and tablets) and used the following quick and easy combination of PowerShell commands:

To see the status and IDs of a user’s mobile devices:

Get-ActiveSyncDevice -Mailbox "User Name" | Format-List Name

For a particular user one of the devices listed was named iPad§ApplDMPHFVZHDVGJ.

Using this ID I was able to start a remote wipe by issuing the following:

Clear-MobileDevice -Identity iPad§ApplDMPHFVZHDVGJ -NotificationEmailAddresses ""

As I'm sure you already know or have guessed, the -NotificationEmailAddresses parameter tells Exchange which email addresses should receive the command's results.

If, instead of remote wiping I merely wanted to remove the device’s partnership with Exchange I could issue the following command:

Remove-ActiveSyncDevice -Identity iPad§ApplDMPHFVZHDVGJ
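The three steps above (list a user's devices, wipe one, or only remove its partnership) are easy to mix up when the only thing on screen is a device name, so it helps to see sync and wipe status next to each name and to make the wipe-versus-unpartner choice explicit. The script below is an added example, not code from this post; the mailbox, device identity and notification address are placeholders, and the device name used is the one quoted in the post.

```powershell
# Added example: inventory a mailbox's ActiveSync partnerships with their sync and
# wipe status, then act on one device with an explicit, confirmed choice between a
# remote wipe and merely removing the partnership. Names are placeholders.

function Get-UserMobileDevices {
    param([Parameter(Mandatory)][string]$Mailbox)
    # Name has the form <DeviceType>§<DeviceId>; it is the identity that
    # Clear-MobileDevice and Remove-ActiveSyncDevice accept.
    Get-ActiveSyncDevice -Mailbox $Mailbox | ForEach-Object {
        $stats = Get-ActiveSyncDeviceStatistics -Identity $_.Identity
        [pscustomobject]@{
            Name            = $_.Name
            DeviceType      = $_.DeviceType
            DeviceModel     = $_.DeviceModel
            LastSyncAttempt = $stats.LastSyncAttemptTime
            LastSuccessSync = $stats.LastSuccessSync
            WipeRequested   = $stats.DeviceWipeRequestTime   # set when a wipe is queued
            WipeAcked       = $stats.DeviceWipeAckTime       # set when the device confirms it
        }
    }
}

function Invoke-DeviceAction {
    param(
        [Parameter(Mandatory)][string]$Identity,
        [Parameter(Mandatory)][ValidateSet('Wipe', 'Unpartner')][string]$Action,
        [string]$NotifyAddress = ""   # empty mirrors the post's call; placeholder otherwise
    )
    switch ($Action) {
        # A wipe is queued on the server and runs the next time the device syncs;
        # DeviceWipeAckTime in the statistics is the evidence that it completed.
        'Wipe'      { Clear-MobileDevice -Identity $Identity -NotificationEmailAddresses $NotifyAddress -Confirm }
        # Removing the partnership only stops future syncs; nothing on the device is erased.
        'Unpartner' { Remove-ActiveSyncDevice -Identity $Identity -Confirm }
    }
}

# Look before acting: a device whose LastSuccessSync is months old may never
# pick up a wipe, which is worth knowing before closing the request.
Get-UserMobileDevices -Mailbox "User Name" | Format-Table -AutoSize

Invoke-DeviceAction -Identity 'iPad§ApplDMPHFVZHDVGJ' -Action Wipe -NotifyAddress "admin@example.com"
```

Both actions are left with `-Confirm` on purpose: the two cmdlets differ only in their verb, and a confirmation prompt that names the cmdlet is the last chance to notice that a partnership removal was typed where a wipe was meant, or the reverse.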