RBAC: Remote Scripts
Ever wanted to execute commands on an Exchange server other than the built-in Exchange cmdlets in a remote PowerShell session?
Starting with Exchange 2013, the RBAC model introduced the "Unscoped Role Management" management role, which allows creating a management role without specifying a parent role. Besides containing only cmdlets (management entries), an unscoped role allows assigning scripts as management entries.
This topic will address the following scenario:
- The administrator has access only to Exchange remote PowerShell over the Internet,
- The administrator needs to be able to execute the Get-Service cmdlet only on Exchange servers.
I have already prepared the Get-Service.ps1 script and it is available for download. Note: details of how to create a proxy script will be covered in one of the upcoming posts.
Copy the Get-Service.ps1 script to {Exchange Install Path}\RemoteScripts (usually "C:\Program Files\Microsoft\Exchange Server\V15\RemoteScripts").
Now it's time to create the unscoped management role and add the corresponding management entry.
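Since the post does not show the proxy script itself, here is an illustrative Get-Service.ps1 as an added example; it is not the author's downloadable script, and the upcoming post may do it differently. It accepts the three parameters the post exposes through the role entry (Name, ComputerName, ShowOnlyExchangeServices), refuses to query anything that is not an Exchange server of this organization, and can narrow the result to the MSExchange* services. It assumes that Get-ExchangeServer can be called from inside a remote script and that the session runs on Windows PowerShell, whose Get-Service still supports -ComputerName.

```powershell
# Get-Service.ps1 -- illustrative proxy script (added example, not the
# author's downloadable script). Wraps Get-Service so that remote users can
# only query Exchange servers, optionally limited to the MSExchange* services.
[CmdletBinding()]
param(
    # Service name(s) to return; wildcards allowed, default is all services.
    [string[]]$Name = '*',

    # Exchange server(s) to query; defaults to the server hosting the session.
    [string[]]$ComputerName = @($env:COMPUTERNAME),

    # When set, return only services whose name starts with "MSExchange".
    [switch]$ShowOnlyExchangeServices
)

# Allow-list of targets: the Exchange servers known to this organization.
# Assumption: Get-ExchangeServer is callable from the script in this session.
$allowedServers = Get-ExchangeServer | ForEach-Object { $_.Name.ToUpperInvariant() }

foreach ($computer in $ComputerName) {
    # Refuse anything that is not an Exchange server; never fall back to
    # querying an arbitrary host just because the name resolves.
    if ($allowedServers -notcontains $computer.ToUpperInvariant()) {
        Write-Error "'$computer' is not an Exchange server in this organization; refusing to query it."
        continue
    }

    try {
        $services = Get-Service -Name $Name -ComputerName $computer -ErrorAction Stop
    }
    catch {
        Write-Error "Failed to query services on '$computer': $($_.Exception.Message)"
        continue
    }

    if ($ShowOnlyExchangeServices) {
        $services = $services | Where-Object { $_.Name -like 'MSExchange*' }
    }

    # Same three columns Get-Service shows by default, so the output in the
    # remote session looks like the one in the post.
    $services | Select-Object Status, Name, DisplayName
}
```

Only parameters listed in the role entry's -Parameters can be passed from the remote session, so keeping the script's parameter block to exactly those three is what makes the allow-list effective.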
New-ManagementRole -Name "HelpDesk Scripts" -UnScopedTopLevel -Description "Role will contain HelpDesk scripts"
Add-ManagementRoleEntry "HelpDesk Scripts\Get-Service.ps1" -UnScopedTopLevel -Parameters Name, ComputerName, ShowOnlyExchangeServices
The management role must be linked to a role group, which leaves you two options:
- Create new role group,
- Link management role to existing role group.
In this example I'll link the management role to the existing "Organization Management" role group:
New-ManagementRoleAssignment -Name "HelpDesk Scripts - Organization Management" -SecurityGroup "Organization Management" -Role "HelpDesk Scripts"
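The whole procedure in one script, as an added example that is not from the original post. It goes beyond the post's own walkthrough in one respect: instead of linking the role to "Organization Management" it takes the post's first option, a dedicated role group, so that members receive this one role and nothing else, and it finishes by verifying what was granted. The role group name, its description and the member address are placeholders; run it from an Exchange Management Shell session whose account holds the "Unscoped Role Management" role.

```powershell
# Added example: publishing a RemoteScripts entry with least privilege.
# "HelpDesk Service Readers" and the member address are placeholders.

$roleName  = 'HelpDesk Scripts'
$groupName = 'HelpDesk Service Readers'      # hypothetical dedicated role group
$member    = 'helpdesk.user@contoso.example' # placeholder member

# 1. Unscoped top-level role: no parent role, so no cmdlets are inherited.
if (-not (Get-ManagementRole -Identity $roleName -ErrorAction SilentlyContinue)) {
    New-ManagementRole -Name $roleName -UnScopedTopLevel `
        -Description 'Role will contain HelpDesk scripts'
}

# 2. Expose the script with only the parameters users are meant to pass.
#    A parameter omitted here cannot be supplied from the remote session.
Add-ManagementRoleEntry "$roleName\Get-Service.ps1" -UnScopedTopLevel `
    -Parameters Name, ComputerName, ShowOnlyExchangeServices

# 3. Dedicated role group instead of Organization Management: its members
#    get this role and nothing else.
New-RoleGroup -Name $groupName -Roles $roleName -Members $member `
    -Description 'Can run Get-Service.ps1 against Exchange servers only'

# 4. Verify the grant: exactly one entry with exactly those parameters,
#    and exactly one assignment, to the new group.
Get-ManagementRoleEntry "$roleName\*" | Format-List Name, Parameters
Get-ManagementRoleAssignment -Role $roleName |
    Format-Table Name, RoleAssigneeName, RoleAssigneeType
```

The verification step is worth keeping in a change ticket: Get-ManagementRoleEntry shows which parameters a remote user can pass, and Get-ManagementRoleAssignment shows who can pass them.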
After all steps are done, create a new session to the remote Exchange shell and you should see the Get-Service.ps1 script included in the remote commands:
Get-Command Get-Service.ps1 | Select-Object Name, Source
Name Source
---- ------
Get-Service.ps1 tmp_smlv3kdj.nfc
Get-Service.ps1 -ShowOnlyExchangeServices
Status Name DisplayName
------ ---- -----------
Running MSExchangeADTop... Microsoft Exchange Active Directory...
Running MSExchangeAntis... Microsoft Exchange Anti-spam Update
Running MSExchangeDagMgmt Microsoft Exchange DAG Management
Running MSExchangeDelivery Microsoft Exchange Mailbox Transpor...
Running MSExchangeDiagn... Microsoft Exchange Diagnostics
Running MSExchangeEdgeSync Microsoft Exchange EdgeSync
Running MSExchangeFastS... Microsoft Exchange Search
Running MSExchangeFront... Microsoft Exchange Frontend Transport
Running MSExchangeHM Microsoft Exchange Health Manager
Stopped MSExchangeImap4 Microsoft Exchange IMAP4
Stopped MSExchangeIMAP4BE Microsoft Exchange IMAP4 Backend
Running MSExchangeIS Microsoft Exchange Information Store
Running MSExchangeMailb... Microsoft Exchange Mailbox Assistants
Running MSExchangeMailb... Microsoft Exchange Mailbox Replication
Stopped MSExchangePop3 Microsoft Exchange POP3
Stopped MSExchangePOP3BE Microsoft Exchange POP3 Backend
Running MSExchangeRepl Microsoft Exchange Replication
Running MSExchangeRPC Microsoft Exchange RPC Client Access
Running MSExchangeServi... Microsoft Exchange Service Host
Running MSExchangeSubmi... Microsoft Exchange Mailbox Transpor...
Running MSExchangeThrot... Microsoft Exchange Throttling
Running MSExchangeTrans... Microsoft Exchange Transport
Running MSExchangeTrans... Microsoft Exchange Transport Log Se...
Running MSExchangeUM Microsoft Exchange Unified Messaging
Running MSExchangeUMCR Microsoft Exchange Unified Messagin...
This feature is available only for on-premises Exchange 2013 and later.
Comments
- Anonymous
May 18, 2016
wow