Role Based Access Control (RBAC) enables us to control the level of administrative control granted to IT staff and users in an Exchange organization. Exchange Server 2010 and later versions ship with a number of built-in role groups that we can make use of without having to create our own custom RBAC roles.
For example, Organization Management is a powerful group that grants almost complete administrative control over an Exchange organization, whereas Help Desk is a more limited role that only allows some recipient management tasks to be performed.
Hopefully you’re already making good use of the built-in RBAC roles, or creating your own custom roles, instead of simply granting all of your IT staff Organization Management privileges. Even so, from time to time it is a good idea to review your RBAC role group membership to verify that IT staff have the minimum required access.
I’ve written a simple PowerShell script that will enumerate the membership of the role groups in an Exchange organization and produce a report listing the user accounts that are members of each group, as well as other interesting information such as whether the users are enabled or disabled, and how long ago they changed their password. It can be alarming to discover that an Organization Management role group member hasn’t changed their password in several years.
Run the script from a server or workstation that has the Exchange management tools installed. The script also relies on some cmdlets from the Active Directory PowerShell module, so that also needs to be installed on the system.
There are no parameters or switches required, simply run the script from PowerShell.
PS C:\Scripts\RBAC> .\Get-RBACGroupMemberReport.ps1
Some progress information is output to the console as it runs.
A CSV file is produced for each group that contains one or more members, as well as a Summary.csv file.
The Summary.csv file will show you the count of members per group, including enabled/disabled user counts.
The CSV file for each role group will also show you which users are enabled/disabled, and the age of their passwords.
Use this script to regularly review your RBAC role group membership and keep your Exchange organization secure.
Feedback and questions are welcome in the comments below.