Role Based Access Control in Exchange Server

In this article, we are going to look in to Role Based Access Control (RBAC), which is used to control the access in Exchange system.


RBAC Component RelationshipsRole Based Access Control is on the successful permission model that was introduced in Exchange 2010. It is referred as RBAC in short. Unlike the traditional permissions models, RBAC is different, efficient and user friendly. The Legacy versions prior to 2010 had the Access Control List (ACL) for managing the Exchange environment, which was quite tough. Any addition or changes done to this ACL will cause unpredictable and unintended consequences. However RBAC was strong enough to overcome all those challenges and provided a safe platform for even providing granular level permissions.

Management Segments:

RBAC has the capability to provide both broad and granular level permissions. This option is the primary key that allows administrators to provide hassle free permission levels. There are multiple permission segments, they are Super Administrator, Administrator, Specialist and End User. These segments are classified based on the Administration task they perform.

  1. Super Administrators have complete control over the Exchange Environment. They are entitled to perform any modification.
  2. Administrators are the users who perform Level 2 and Level 3 tasks. They might not have all of the permissions.
  3. Specialists are the representatives who perform Level 1 tasks such as recipient management, etc. They have very limited permissions and can only edit the basic properties of AD objects such as user mailbox, Distribution lists, contacts etc.,
  4. End User is a new permission level that has been introduced. You might wonder why end user should have admin privileges and this option enables the end user to perform some basic administrative task on their mailbox itself. Some users would have been assigned as the manager of a DL, using this option they will be entitled to add or remove users from that DLs.

All the above mentioned options are achieved through Management Role Groups.

Management Roles & Role Groups:

Management Role Groups are the Universal security groups to allow permissions to the users. These are just security groups. There is a special component called Management Roles, these Management Roles has the permission definitions. These roles will be added to the Role Groups. In simple terms, Role Groups holds all the necessary roles. So when a user is added to the Role Group he will inherit all the admin permission through the Roles in that Group. Roles can also be added directly to users, but that will be difficult to manage, hence Microsoft brought in the concept of Role Groups.Management Roles And Role Groups

By Default Exchange has 67 Admin Roles and 12 Admin Role Groups. The highest privilege goes to the “Organizational Management” Role Group, this group consists of 65 Roles. There are two roles that will not be assigned to any group initially. They are “Legal Hold” and “Mailbox Search”, these 2 roles are used for the purpose of compliance and to perform compliance level administration. These two roles should be added to a particular role group or a new role group should be created and added. Only a member of “Organization management” group can add these two roles.


Custom Role Groups and Roles can also be created as per our requirement. There is a feature called “MyBaseOption” which describes all the permissions inside a Role. We can use this to create custom Roles and we can assign it to a user directly. Even for recovering Exchange database requires some permission, however if we need to recover the data from OST we can do so by using OST recovery option without any special permission.

Author Introduction:

Sophia Mao is a data recovery expert in DataNumen, Inc., which is the world leader in data recovery technologies, including repair pst data error and word recovery software products. For more information visit

Leave a Reply

Your email address will not be published. Required fields are marked *