Creating a custom Management Role Group

*N.B. this is an old article and may no longer be relevant*

Here's a post on creating a custom Management Role Group for a 1st Line support desk using the following blog entry as guidance:
http://msexchangeteam.com/archive/2009/11/16/453222.aspx

The customer requirement is:
1st Line should be able to create mailboxes / mail contacts / mail users and disable them but must not be able to remove them. They will not be doing mailbox moves or any Public Folder management. The pre-canned Recipient Management role therefore doesn’t fit the bill as they would have too many rights. The scope is the whole Organization, which is the default scope anyway.

Step 1 – Determine what to base your new custom role on. I chose Recipient Management.

Step 2 – Examine what Management Roles you want from that Role Group. I opted for Mail Recipient Creation, Mail Recipients & Recipient Policies as these are appropriate from the list (BTW, I got the list from ECP/Administrator Roles):

Recipient Management

Members of this management role group have rights to create, manage and remove Exchange recipient objects in the Exchange organization.

Assigned roles:
    Distribution Groups
    Mail Enabled Public Folders
    Mail Recipient Creation
    Mail Recipients
    Message Tracking
    Migration
    Move Mailboxes
    Recipient Policies


Step 3 – Examine the Management Roles and determine which Management Role Entries you want to keep (Management Role Entries are the cmdlets you are allowed to run if you have this Management Role assigned to you). These cmdlets list them for you:

Get-ManagementRoleEntry "Mail Recipient Creation\*" | select Name | out-file c:\support\Mail_Recipient_Creation.txt
Get-ManagementRoleEntry "Mail Recipients\*" | select Name | out-file c:\support\Mail_Recipients.txt
Get-ManagementRoleEntry "Recipient Policies\*" | select Name | out-file c:\support\Recipient_Policies.txt


Here is an example of the Management Role Entries (this is the one for Recipient Policies):

Write-AdminAuditLog
Set-ThrottlingPolicyAssociation
Set-ThrottlingPolicy
Set-OwaMailboxPolicy
Set-ActiveSyncMailboxPolicy
Remove-ThrottlingPolicy
Remove-OwaMailboxPolicy
Remove-ActiveSyncMailboxPolicy
New-ThrottlingPolicy
New-OwaMailboxPolicy
New-ActiveSyncMailboxPolicy
Get-ThrottlingPolicyAssociation
Get-OwaMailboxPolicy
Get-DomainController
Get-DetailsTemplate
Get-CASMailbox
Get-ActiveSyncMailboxPolicy


I examined them (with the client) and we came up with a list of things to keep: most things, apart from the ‘remove’ cmdlets and anything to do with ‘RemoteMailbox’.

Step 4 – Create new Management Roles that are children of existing roles:

New-ManagementRole -Name "1stLineMailRecipientCreation" -Parent "Mail Recipient Creation"
New-ManagementRole -Name "1stLineMailRecipients" -Parent "Mail Recipients"
New-ManagementRole -Name "1stLineRecipientPolicies" -Parent "Recipient Policies"


Step 5 – Strip the new Management Roles of all Management Role Entries apart from one (a role must keep at least one entry):

Get-ManagementRoleEntry "1stLineMailRecipientCreation\*" | ? {$_.name -ne "Write-AdminAuditLog"} | Remove-ManagementRoleEntry
Get-ManagementRoleEntry "1stLineMailRecipients\*" | ? {$_.name -ne "Write-AdminAuditLog"} | Remove-ManagementRoleEntry
Get-ManagementRoleEntry "1stLineRecipientPolicies\*" | ? {$_.name -ne "Write-AdminAuditLog"} | Remove-ManagementRoleEntry


Step 6 – Add in the Management Role Entries selected in Step 3 above. I put them into a ps1 file and the three attachments to this message include the cmdlets for doing this. Here are examples of three cmdlets from the scripts (I could have put all of them into one ps1 file, but this is complicated enough already):

Add-ManagementRoleEntry "1stLineMailRecipientCreation\New-Mailbox"
Add-ManagementRoleEntry "1stLineMailRecipients\Set-User"
Add-ManagementRoleEntry "1stLineRecipientPolicies\New-ActiveSyncMailboxPolicy"


Step 7 – Create a new Role Group (called “1st Line”) and add the new Management Roles to it:

New-RoleGroup "1st Line" -Roles 1stLineMailRecipientCreation,1stLineMailRecipients,1stLineRecipientPolicies -Description "Members of this group can create new mailboxes"
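The seven steps above as one script, added here as an example rather than the post's own ps1 files. It goes a little beyond the post: instead of hand-typing the Add-ManagementRoleEntry lines, it derives the keep list from the rule agreed in Step 3 (drop the Remove-* cmdlets and anything matching RemoteMailbox), writes that list out for the client to sign off, and finishes by checking that nothing outside the rule is reachable through the group. It assumes the Exchange Management Shell, an account in Organization Management, the role and group names used in the post, and that the "no Remove-*, no RemoteMailbox" rule is exactly what the client approved (the $roleMap, Get-KeepList and $anchorEntry names are mine).

```powershell
# Added example, not the original post's scripts. Run in the Exchange Management Shell.
# Parent role -> child role, as chosen in Steps 1, 2 and 4 of the post.
$roleMap = @{
    "Mail Recipient Creation" = "1stLineMailRecipientCreation"
    "Mail Recipients"         = "1stLineMailRecipients"
    "Recipient Policies"      = "1stLineRecipientPolicies"
}
# A role must keep at least one entry; this one is harmless and present in every role.
$anchorEntry = "Write-AdminAuditLog"

# Step 3 as a rule: keep everything except removal cmdlets and RemoteMailbox cmdlets.
# (Assumed to be the client's sign-off rule; Disable-* stays, so 1st Line can disable but not remove.)
function Get-KeepList {
    param([string]$ParentRole)
    Get-ManagementRoleEntry "$ParentRole\*" |
        Where-Object { $_.Name -notlike "Remove-*" -and $_.Name -notlike "*RemoteMailbox*" } |
        Select-Object -ExpandProperty Name
}

$null = New-Item -ItemType Directory -Path "c:\support" -Force

foreach ($parent in $roleMap.Keys) {
    $child = $roleMap[$parent]
    $keep  = Get-KeepList -ParentRole $parent

    # Keep a record of what was approved for each child role.
    $keep | Out-File "c:\support\$($child)_keep.txt"

    # Step 4: create the child role (skip if it already exists, so the script can be re-run).
    if (-not (Get-ManagementRole $child -ErrorAction SilentlyContinue)) {
        New-ManagementRole -Name $child -Parent $parent | Out-Null
    }

    # Step 5: strip the child role down to the anchor entry.
    Get-ManagementRoleEntry "$child\*" |
        Where-Object { $_.Name -ne $anchorEntry } |
        Remove-ManagementRoleEntry -Confirm:$false

    # Step 6: add back only the approved entries (all parameters are inherited from the parent entry).
    foreach ($cmdlet in $keep) {
        if ($cmdlet -ne $anchorEntry) {
            Add-ManagementRoleEntry "$child\$cmdlet" -Confirm:$false
        }
    }
}

# Step 7: the role group itself.
if (-not (Get-RoleGroup "1st Line" -ErrorAction SilentlyContinue)) {
    New-RoleGroup -Name "1st Line" -Roles @($roleMap.Values) `
        -Description "Members of this group can create new mailboxes" | Out-Null
}

# Verification: walk every role assigned to the group and flag any entry the rule should have excluded.
$leaks = Get-ManagementRoleAssignment -RoleAssignee "1st Line" |
    ForEach-Object { Get-ManagementRoleEntry "$($_.Role)\*" } |
    Where-Object { $_.Name -like "Remove-*" -or $_.Name -like "*RemoteMailbox*" }

if ($leaks) {
    Write-Warning "Entries reachable via '1st Line' that the rule should have excluded:"
    $leaks | Format-Table Role, Name -AutoSize
} else {
    Write-Host "'1st Line' exposes no Remove-* or RemoteMailbox cmdlets."
}
```

Re-running the script is safe: it recreates nothing that exists and always resets each child role to the anchor entry before re-adding the approved list, so the three *_keep.txt files in c:\support are the record of what the group can actually do. The final check is worth keeping as a scheduled job, because anyone with rights over the child roles can quietly add a Remove-* entry back later.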

I can now see the new Role Group in ECP (see below).

In AD you’ll also find it in the Microsoft Exchange Security Groups OU (see below).

It sounds simple now that I read this, but it took a couple of hours to get to this point, so this post is as much to remind me the next time as it is to save you the hassle of working out how to do it.