Configuring Permissions for the Regional Exchange Admins with PowerShell
The split permissions model strictly limits the right to modify Exchange attributes to only those user objects for which the respective administrator is responsible. In our configuration, the RegionAdmins security group is responsible only for managing objects in a specific Region Active Directory container; it must not be able to change Exchange attributes on user objects in other OU containers. The rights also have to be granted on the specific OUs inside the Region OU, such as the Region Users and Groups containers, because these containers can hold accounts (which may have mailboxes) or distribution groups. Administrators of Exchange attributes must also be able to view all the required settings in the Exchange organization; for this purpose they have to be members of the Exchange View-Only Administrators role.
To grant the required permissions according to the split permissions model, we use the Exchange Management Shell. A script located in the
%ProgramFiles%\Microsoft\Exchange Server\Scripts directory
can help you configure the split permissions model. The script automatically grants the ability to manage the required Exchange attributes inside the given OU container (for recipient, contact and group objects).
From the Scripts directory in the Exchange Management Shell, you run the script as follows:
.\ConfigureSplitPerms.ps1 -User "User or Group name" -Identity "OU container"
The procedure to implement the split permissions model for the RegionAdmins security group is described below:
Grant the required permissions on the Service container inside the Region OU:
.\ConfigureSplitPerms.ps1 -User "yourcompanydomain\RegionAdmins" -Identity "OU=…,DC=…"
Similarly, we have to grant the required permissions with this procedure to all other regional admin security groups on their respective OU containers, where they will manage the Exchange recipients.
Add the "Access Recipient Update Service" permission for RegionAdmins on CN=Exchange Administrative Group (FYDIBOHF23SPDLT) and let this permission be inherited by all child Exchange Server objects.
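The three steps above (delegating the OUs, granting view-only rights, and adding the recipient-update right) can be applied to all regional admin groups in one pass and then checked. The following is an added example written for this page, not the script from the Exchange Scripts directory; every group name, OU and configuration DN is a placeholder, and the extended-right name used for "Access Recipient Update Service" is an assumption you should verify against your schema before relying on it.

```powershell
# Added example (not part of the original page): apply the split-permissions steps
# to several regional admin groups and verify that no group holds explicit rights
# on another region's OUs. Run inside the Exchange Management Shell.
# All DNs and group names below are placeholders for your own forest.

$Domain       = "yourcompanydomain"                                  # placeholder
$ScriptPath   = Join-Path $env:ProgramFiles "Microsoft\Exchange Server\Scripts\ConfigureSplitPerms.ps1"
$AdminGroupDN = "CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups," +
                "CN=YourOrg,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=yourcompanydomain,DC=local"
$RusRight     = "ms-Exch-Recipient-Update-Access"   # assumed schema name of "Access Recipient Update Service"

# One entry per region: security group -> the OU containers it is allowed to manage.
$Regions = @{
    "RegionAdmins"      = @("OU=Users,OU=Region,DC=yourcompanydomain,DC=local",
                            "OU=Groups,OU=Region,DC=yourcompanydomain,DC=local")
    "RegionNorthAdmins" = @("OU=Users,OU=RegionNorth,DC=yourcompanydomain,DC=local")
}

foreach ($group in $Regions.Keys) {
    $principal = "$Domain\$group"

    # Step 1: delegate recipient, contact and group attribute management inside each OU.
    foreach ($ou in $Regions[$group]) {
        & $ScriptPath -User $principal -Identity $ou
    }

    # Step 2: read-only view of the whole organization (Exchange View-Only Administrators).
    Add-ExchangeAdministrator -Identity $principal -Role ViewOnlyAdmin

    # Step 3: recipient-update right on the administrative group, inherited by its
    # child Exchange Server objects (-InheritanceType All).
    Add-ADPermission -Identity $AdminGroupDN -User $principal `
        -ExtendedRights $RusRight -InheritanceType All
}

# Verification: a region's group must not carry explicit ACEs on another region's OUs.
foreach ($group in $Regions.Keys) {
    $principal = "$Domain\$group"
    $foreignOUs = $Regions.Keys | Where-Object { $_ -ne $group } | ForEach-Object { $Regions[$_] }
    foreach ($ou in $foreignOUs) {
        $stray = Get-ADPermission -Identity $ou -User $principal -ErrorAction SilentlyContinue |
                 Where-Object { -not $_.IsInherited }
        if ($stray) { Write-Warning "$principal has explicit rights on foreign OU $ou" }
    }
}
```

The verification loop only flags explicit ACEs; rights inherited from a parent container are expected and are filtered out, so review any warning it prints before removing anything.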