Applies to: Exchange Server 2010 SP3, Exchange Server 2010 SP2
Topic Last Modified: 2012-07-23
The Help Desk management role group is one of several built-in role groups that make up the Role Based Access Control (RBAC) permissions model in Microsoft Exchange Server 2010. Role groups are assigned one or more management roles that contain the permissions required to perform a given set of tasks. The members of a role group are granted access to the management roles assigned to the role group. For more information about role groups, see Understanding Management Role Groups.
Users who are members of the Help Desk role group can perform limited recipient management of Microsoft Exchange Server 2010 recipients.
The Help Desk role group, by default, enables members to view and modify the Outlook Web App options of any user in the organization. These options might include modifying the user's display name, address, phone number, and so on. They don't include options that aren't available in Outlook Web App options, such as modifying the size of a mailbox or configuring the mailbox database on which a mailbox is located.
The members of this role group can only modify the Outlook Web App options that the user can modify. This means that if a user can modify his or her display name, a member of the Help Desk role group can also modify that user's display name. However, if another user isn't allowed to modify his or her display name, a member of the Help Desk role group can't modify that user's display name.
Caution: |
---|
The limitations on which Outlook Web App options a member of the Help Desk role group can modify are enforced by the Exchange Web interface. If a member of the Help Desk role group has access to the Exchange Management Shell, he or she can modify any Outlook Web App option for any user. You should carefully consider who you make a member of the Help Desk role group and whether they should also be given access to the Shell. |
The Help Desk role group doesn't enable any other tasks because there are so many different types of organizations. Instead, you can add management roles to this role group to create a Help Desk role group that matches the needs of your organization. For example, if you want members of the Help Desk role group to be able to manage mailboxes, mail contacts, and mail-enabled users, assign the Mail Recipients management role to this role group. For more information about how to add management roles to this role group, see the "Role Group Customization" section later in this topic.
For more information about RBAC, see Understanding Role Based Access Control.
Role Group Membership
If you want to add or remove members to or from this role group, see the following topics:
By default, only members of the Organization Management role group can add or remove members from this role group. For more information about how to add additional role group delegates, see Add or Remove a Role Group Delegate.
You can use the following command to view a list of users or universal security groups (USGs) that are members of this role group.
Copy Code | |
---|---|
Get-RoleGroupMember "Help Desk" |
For more information about the members of a role group, see View the Members of a Role Group.
Role Group Customization
This role group is assigned management roles by default. The roles that are included are listed in the "Management Roles Assigned to this Role Group" section. You can add or remove role assignments to or from this role group to match the needs of your organization.
The role groups provided with Exchange 2010 are designed to match more granular tasks. By assigning roles to a role group, you enable the members of that role group to perform the tasks associated with the role. For example, the Journaling role enables the management of the Journaling agent and journaling rules. For more information about how roles are assigned to role groups, see Understanding Management Role Assignments.
The roles assigned to this role group are given default management scopes. Management scopes determine what Exchange objects can be viewed or modified by the members of a role group. You can change the scopes associated with assignments between roles and role groups. For example, you might want to do this if you only want members of a role group to be able to change recipients that are under a specific organizational unit or in a specific location. For more information about management scopes, see Understanding Management Role Scopes.
For more information about how to customize this role group, see the following topics:
- Add a Role
to a Role Group
- Remove a
Role from a Role Group
- Add Members
to a Role Group
- Remove
Members from a Role Group
- Change the
Scope of Role Assignments to a Role Group
If you want to create a role group and assign some of the roles that are assigned to this role group to the new role group, see Create a Role Group.
Management Roles Assigned to This Role Group
The following table lists all the management roles that are assigned to this role group and the following attributes of each role assignment:
- Regular assignment Enables members of
the role group to access the management role entries made available
by the associated management role.
- Delegating assignment Gives members of
the role group the ability to assign the specified role to other
role groups, role assignment policies, users, or USGs.
- Recipient read scope Determines what
recipient objects members of the role group are allowed to read
from Active Directory.
- Recipient write scope Determines what
recipient objects members of the role group are allowed to modify
in Active Directory.
- Configuration read scope Determines
what configuration and server objects members of the role group are
allowed to read from Active Directory.
- Configuration write scope Determines
what organizational and server objects members of the role group
are allowed to modify in Active Directory.
For more information about role assignments and management scopes, see the following topics:
Management roles assigned to this role group
Management role | Regular assignment | Delegating assignment | Recipient read scope | Recipient write scope | Configuration read scope | Configuration write scope |
---|---|---|---|---|---|---|
X |
|
|
|
|
|
|
X |
|
|
|
|
|