Hi,
I have defined a role group and they have some permissions on some databases in some organizational units,
but my problem is that they have two permissions which I do not like and which should be removed from the role entries: they can set a forwarder on mailboxes (which is definitely bad) and can also send as the mailboxes in the corresponding OU (to which they have access).
So, which entries (parameters or full) should be removed in order to disable these options for them?
Thanks
The current entries are:
(As you can see, I do not see any entries or entry parameters such as DeliverToMailboxAndForward, ForwardingAddress, ForwardingSmtpAddress, GrantSendOnBehalfTo, which I think are related to this issue.)
--------------------------------------------------------
RoleEntries : {
(Microsoft.Exchange.Management.PowerShell.E2010) Set-Mailbox -AcceptMessagesOnlyFrom -AcceptMessagesOnlyFromDLMembers -AcceptMessagesOnlyFromSendersOrMembers -Alias -AntispamBypassEnabled -ApplyMandatoryProperties -Arbitration -ArbitrationMailbox -ArchiveDomain -ArchiveName -ArchiveQuota -ArchiveStatus -ArchiveWarningQuota -BypassModerationFromSendersOrMembers -CalendarRepairDisabled -CalendarVersionStoreDisabled -Confirm -CustomAttribute1 -CustomAttribute10 -CustomAttribute11 -CustomAttribute12 -CustomAttribute13 -CustomAttribute14 -CustomAttribute15 -CustomAttribute2 -CustomAttribute3 -CustomAttribute4 -CustomAttribute5 -CustomAttribute6 -CustomAttribute7 -CustomAttribute8 -CustomAttribute9 -Debug -DisplayName -DomainController -DowngradeHighPriorityMessagesEnabled -EmailAddresses -EmailAddressPolicyEnabled -EndDateForRetentionHold -ErrorAction -ErrorVariable -ExternalOofOptions -Force -HiddenFromAddressListsEnabled -Identity -IgnoreDefaultScope -ImmutableId -IssueWarningQuota -Languages -LinkedCredential -LinkedDomainController -LinkedMasterAccount -LitigationHoldDate -LitigationHoldEnabled -LitigationHoldOwner -MailTip -MailTipTranslations -ManagedFolderMailboxPolicy -ManagedFolderMailboxPolicyAllowed -MaxBlockedSenders -MaxSafeSenders -MessageTrackingReadStatusEnabled -ModeratedBy -ModerationEnabled -Name -Office -OfflineAddressBook -OutBuffer -OutVariable -PrimarySmtpAddress -RecoverableItemsQuota -RecoverableItemsWarningQuota -RejectMessagesFrom -RejectMessagesFromDLMembers -RejectMessagesFromSendersOrMembers -RemoteRecipientType -RemoveManagedFolderAndPolicy -RemovePicture -RemoveSpokenName -RequireSenderAuthenticationEnabled -ResourceCapacity -ResourceCustom -RetainDeletedItemsFor -RetainDeletedItemsUntilBackup -RetentionComment -RetentionHoldEnabled -RetentionPolicy -RetentionUrl -RoleAssignmentPolicy -RulesQuota -SamAccountName -SCLDeleteEnabled -SCLDeleteThreshold -SCLJunkEnabled -SCLJunkThreshold -SCLQuarantineEnabled -SCLQuarantineThreshold -SCLRejectEnabled -SCLRejectThreshold -SecondaryAddress -SendModerationNotifications -SharingPolicy -SimpleDisplayName -SingleItemRecoveryEnabled -StartDateForRetentionHold -ThrottlingPolicy -Type -UseDatabaseQuotaDefaults -UseDatabaseRetentionDefaults -UserCertificate -UserPrincipalName -UserSMimeCertificate -Verbose -WarningAction -WarningVariable -WhatIf,
(Microsoft.Exchange.Management.PowerShell.E2010) Clear-ActiveSyncDevice -Cancel -Confirm -Debug -DomainController -ErrorAction -ErrorVariable -Identity -NotificationEmailAddresses -OutBuffer -OutVariable -Verbose -WarningAction -WarningVariable -WhatIf,
(Microsoft.Exchange.Management.PowerShell.E2010) Connect-Mailbox -ActiveSyncMailboxPolicy -Alias -Archive -Confirm -Database -Debug -DomainController -Equipment -ErrorAction -ErrorVariable -Identity -LinkedCredential -LinkedDomainController -LinkedMasterAccount -ManagedFolderMailboxPolicy -ManagedFolderMailboxPolicyAllowed -OutBuffer -OutVariable -RetentionPolicy -Room -Shared -User -ValidateOnly -Verbose -WarningAction -WarningVariable -WhatIf,
(Microsoft.Exchange.Management.PowerShell.E2010) Disable-MailUser -Confirm -Debug -DomainController -ErrorAction -ErrorVariable -Identity -IgnoreDefaultScope -OutBuffer -OutVariable -Verbose -WarningAction -WarningVariable -WhatIf,
(Microsoft.Exchange.Management.PowerShell.E2010) Disable-Mailbox -Arbitration -Archive -Confirm -Debug -DisableLastArbitrationMailboxAllowed -DomainController -ErrorAction -ErrorVariable -Identity -IgnoreDefaultScope -OutBuffer -OutVariable -RemoteArchive -Verbose -WarningAction -WarningVariable -WhatIf,
(Microsoft.Exchange.Management.PowerShell.E2010) Disable-RemoteMailbox -Archive -Confirm -Debug -DomainController -ErrorAction -ErrorVariable -Identity -IgnoreDefaultScope -OutBuffer -OutVariable -Verbose -WarningAction -WarningVariable -WhatIf,
(Microsoft.Exchange.Management.PowerShell.E2010) Disable-ServiceEmailChannel -Confirm -Debug -DomainController -ErrorAction -ErrorVariable -Identity -OutBuffer -OutVariable -Verbose -WarningAction -WarningVariable -WhatIf,
(Microsoft.Exchange.Management.PowerShell.E2010) Enable-MailUser -Alias -Confirm -Debug -DisplayName -DomainController -ErrorAction -ErrorVariable -ExternalEmailAddress -Identity -MacAttachmentFormat -MessageBodyFormat -MessageFormat -OutBuffer -OutVariable -PrimarySmtpAddress -UsePreferMessageFormat -Verbose -WarningAction -WarningVariable -WhatIf,
(Microsoft.Exchange.Management.PowerShell.E2010) Enable-Mailbox -ActiveSyncMailboxPolicy -Alias -Arbitration -Archive -ArchiveDatabase -ArchiveDomain -ArchiveGuid -ArchiveName -Confirm -Database -Debug -Discovery -DisplayName -DomainController -Equipment -ErrorAction -ErrorVariable -Force -Identity -LinkedCredential -LinkedDomainController -LinkedMasterAccount -ManagedFolderMailboxPolicy -ManagedFolderMailboxPolicyAllowed -OutBuffer -OutVariable -PrimarySmtpAddress -RemoteArchive -RetentionPolicy -RoleAssignmentPolicy -Room -Shared -Verbose -WarningAction -WarningVariable -WhatIf,
(Microsoft.Exchange.Management.PowerShell.E2010) Enable-RemoteMailbox -Alias -Archive -ArchiveName -Confirm -Debug -DisplayName -DomainController -Equipment -ErrorAction -ErrorVariable -Identity -OutBuffer -OutVariable -PrimarySmtpAddress -RemoteRoutingAddress -Room -Verbose -WarningAction -WarningVariable -WhatIf,
(Microsoft.Exchange.Management.PowerShell.E2010) Enable-ServiceEmailChannel -Confirm -Debug -DomainController -ErrorAction -ErrorVariable -Identity -OutBuffer -OutVariable -Verbose -WarningAction -WarningVariable -WhatIf,
(Microsoft.Exchange.Management.PowerShell.E2010) Get-ADServerSettings -Debug -ErrorAction -ErrorVariable -OutBuffer -OutVariable -Verbose -WarningAction -WarningVariable,
(Microsoft.Exchange.Management.PowerShell.E2010) Get-AcceptedDomain -DomainController -ErrorAction -ErrorVariable -Identity -OutBuffer -OutVariable -Verbose -WarningAction -WarningVariable,
(Microsoft.Exchange.Management.PowerShell.E2010) Get-ActiveSyncDevice -Debug -DomainController -ErrorAction -ErrorVariable -Filter -Identity -Mailbox -OrganizationalUnit -OutBuffer -OutVariable -ResultSize -SortBy -Verbose -WarningAction -WarningVariable,
(Microsoft.Exchange.Management.PowerShell.E2010) Get-ActiveSyncDeviceStatistics -Debug -DomainController -ErrorAction -ErrorVariable -GetMailboxLog -Identity -Mailbox -NotificationEmailAddresses -OutBuffer -OutVariable -ShowRecoveryPassword -Verbose -WarningAction -WarningVariable,
(Microsoft.Exchange.Management.PowerShell.E2010) Get-ActiveSyncMailboxPolicy -Debug -DomainController -ErrorAction -ErrorVariable -Identity -OutBuffer -OutVariable -Verbose -WarningAction -WarningVariable...}
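
Added example, not part of the original post: the dump above is one role's entry list and is cut off at "...", so this Exchange Management Shell sketch checks every role assigned to the role group for the parameters named in the question. The role group name and the custom role name are hypothetical placeholders.

```powershell
# Added example, not from the original post. Run in the Exchange Management Shell.
$roleGroup = 'OU-Mailbox-Admins'          # hypothetical role group name

# Set-Mailbox parameters named in the post. Add-ADPermission is included because
# on-premises Exchange grants Send As as an Active Directory extended right;
# an empty list here means "report the cmdlet itself".
$watch = @{
    'Set-Mailbox'      = @('DeliverToMailboxAndForward', 'ForwardingAddress',
                           'ForwardingSmtpAddress', 'GrantSendOnBehalfTo')
    'Add-ADPermission' = @()
}

# Walk every role assignment that reaches the group and look up the watched cmdlets.
$findings = foreach ($assignment in Get-ManagementRoleAssignment -RoleAssignee $roleGroup) {
    foreach ($cmdlet in $watch.Keys) {
        $entry = Get-ManagementRoleEntry "$($assignment.Role)\$cmdlet" -ErrorAction SilentlyContinue
        if (-not $entry) { continue }      # this role does not expose the cmdlet

        $hits = @($entry.Parameters | Where-Object { $watch[$cmdlet] -contains $_ })
        if ($hits.Count -gt 0 -or $watch[$cmdlet].Count -eq 0) {
            New-Object PSObject -Property @{
                Assignment = $assignment.Name
                Role       = $assignment.Role
                Cmdlet     = $cmdlet
                Parameters = $hits -join ', '
            }
        }
    }
}

$findings | Sort-Object Role, Cmdlet |
    Format-Table Role, Cmdlet, Parameters, Assignment -AutoSize

# Built-in roles are read-only, so parameters are removed from a custom child role.
# 'Custom Mail Recipients' is a hypothetical role name; -WhatIf previews the change.
Set-ManagementRoleEntry 'Custom Mail Recipients\Set-Mailbox' `
    -Parameters ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward `
    -RemoveParameter -WhatIf
```

An empty result for a role means that role does not grant the watched parameters, so the permission comes from another assignment listed by `Get-ManagementRoleAssignment`.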