Role Based Access Control (RBAC) enables us to control the level of administrative control granted to IT staff and users in an Exchange organization. Exchange Server 2010 and later versions ship with a number of built-in role groups that we can make use of without having to create our own custom RBAC roles.

For example, Organization Management is a powerful group that grants almost complete administrative control over an Exchange organization, whereas Help Desk is a more limited role that only allows some recipient management tasks to be performed.

Hopefully you’re already making good use of the built-in RBAC roles, or creating your own custom roles, instead of simply granting all of your IT staff Organization Management privileges. Even so, from time to time it is a good idea to review your RBAC role group membership to verify that IT staff have the minimum required access.

I’ve written a simple PowerShell script that will enumerate the membership of the role groups in an Exchange organization and produce a report listing the user accounts that are members of each group, as well as other interesting information such as whether the users are enabled or disabled, and how long ago they changed their password. It can be alarming to discover that an Organization Management role group member hasn’t changed their password in several years.

You can download Get-RBACGroupMemberReport.ps1 from TechNet or Github.

Run the script from a server or workstation that has the Exchange management tools installed. The script also relies on some cmdlets from the Active Directory PowerShell module, so that also needs to be installed on the system.

There are no parameters or switches required, simply run the script from PowerShell.

PS C:\Scripts\RBAC> .\Get-RBACGroupMemberReport.ps1

Some progress information is output to the console as it runs.

get-rbacgroupmembership-01

A CSV file is produced for each group that contains one or more members, as well as a Summary.csv file.

get-rbacgroupmembership-02

The Summary.csv file will show you the count of members per group, including enabled/disabled user counts.

get-rbacgroupmembership-03

The CSV file for each role group will also show you which users are enabled/disabled, and the age of their passwords.

get-rbacgroupmembership-04

Use this script to regularly review your RBAC role group membership and keep your Exchange organization secure.

Feedback and questions are welcome in the comments below.

About the Author

Paul Cunningham

Paul is a former Microsoft MVP for Office Apps and Services. He works as a consultant, writer, and trainer specializing in Office 365 and Exchange Server. Paul no longer writes for Practical365.com.

Comments

  1. Roy

    Hello,

    can the script be executed under an exchange 2016 environnment or does it need some minor changes to work?

    Thanks

  2. Moe Davila

    Hello,

    Do you have a similar script for Exchange online?

    TY in advance!

    MD

  3. Tom

    I’m getting an error running the script. Windows 10 with Exchange 2010 Management Tools. Script is able to connect to my exchange server and the script displays the AD Forest and the AD DC. Then, the following error appears:
    The type initializer for ‘Microsoft.Exchange.Diagnostics.ExTraceConfiguration’ threw an exception.
    +CategoryInfo: Operation Stopped: (:String [], PSRemotingTransportException
    +FullyQualifiedErrorId: JobFailure
    +PSComputerName:

    Then, script displays Finished. The script barely stays on screen long enough to get this error screenshot so I can investigate, and all google searches didn’t provide me with an adequate solution.

  4. Anson

    Is there a way to receive the results as email? I am planning to create a task in task scheduler for this but would be nice to receive the results as email to the admin.

    1. Paul Cunningham

      Short answer, yes.

      Longer answer, you’ll need to look at how to send email using PowerShell. It doesn’t take long to learn, and some of my other scripts have that code in them that you could re-use.

      1. sudhakar

        How to detect an azure role was created and the name does not start with ” RABC -” (the dash have a space before and after ) i need power shell script

  5. Alan

    Stupid question, but where are the csv files produced by this script?

    1. Alan

      Answered my own question – in the directory where the script was run. I think we should be prompted by the script for the destination location instead of defaulting to the current directory. I am not a script-er at all, so if these comments are out in left field, then let’s just leave them there.

  6. Nathaniel

    Its start then I get a Powershell has stopped working:

    Problem Event Name: PowerShell
    NameOfExe: powershell.exe
    FileVersionOfSystemManagementAutomation: 6.2.9200.16398
    InnermostExceptionType: System.NullReferenceException
    OutermostExceptionType: System.TypeInitializationException
    DeepestPowerShellFrame: unknown
    DeepestFrame: oft.Exchange.Diagnostics.SystemTraceControl.Update
    ThreadName: unknown
    OS Version: 6.1.7601.2.1.0.16.7
    Locale ID: 1033
    Read our privacy statement online:
    http://go.microsoft.com/fwlink/?linkid=104288&clcid=0x0409
    If the online privacy statement is not available, please read our privacy statement offline:
    C:Windowssystem32en-USerofflps.txt

    I had also made sure to add ‘Import-Module ActiveDirectory’ for the AD PS commands to work.

  7. Denise Cole

    The script works great, except I am getting a referral error because it is searching against a root domain contoso.com and a child domain sales.contoso.com for get-aduser. Since I’m not a scripting guru, I was wondering if there was a way to edit this for the domain/subdomain scenario?

    1. Paul Cunningham

      It’s already written to handle multi-domain forests. What error do you see?

    2. Craig Batten

      Hi Denise

      In the line:
      $RoleGroupMembers = @(Get-ADGroupMember $RoleGroup.Name -Server $rootDC -Recursive | Get-ADUser -Properties CanoniCalName,DisplayName,SamAccountName,UserPrincipalName,Enabled,PasswordLastSet)

      Add: -Server $rootDC”:3268″ in get ADUser

      e.g.

      $RoleGroupMembers = @(Get-ADGroupMember $RoleGroup.Name -Server $rootDC -Recursive | Get-ADUser -Server $rootDC”:3268″ -Properties CanoniCalName,DisplayName,SamAccountName,UserPrincipalName,Enabled,PasswordLastSet)

      Global Catalog (Catalogue) knows all!

      🙂

  8. Billy Hietbrink

    Hi Paul, Nice script. Just something I had to change, I needed to add ‘Import-Module ActiveDirectory’ for the AD PS commands to work. Also, I’ve tested this on an Exchange 2010 server running on Windows 2008 R2. After adding the additional module, everything seems to work fine. Thanks for the script :).

Leave a Reply