Ilse Van Criekinge TSP Core UC Microsoft BeLux Session Code: UNC316 Content Introduction Exchange Management Console (EMC) Exchange Control Panel (ECP) Role Based Access Control (RBAC) Remote PowerShell Monitoring.


Ilse Van Criekinge
TSP Core UC
Microsoft BeLux
Session Code: UNC316
Content
Introduction
Exchange Management Console (EMC)
Exchange Control Panel (ECP)
Role Based Access Control (RBAC)
Remote PowerShell
Monitoring
Exchange 2010 Investments
Simplify Administration
The annual cost of helpdesk support staff for e-mail systems with 7,500 mailboxes is approximately $20/mailbox. This cost goes up the smaller the organization.
(“Email Support Staff Requirements and Costs: A Survey of 136 Organizations”, Ferris Research, June 2008).
Empower Specialist Users to Perform Specific Tasks with Role-based Administration
Compliance Officer - Conduct Mailbox Searches for Legal Discovery
HR Officer - Update Employee Info in Company Directory
Lower Support Costs Through New User Self-Service Options
Track Status of sent messages
Create and Manage Distribution Lists
Exchange 2010 Management
What's New?
New Exchange Management Console (EMC) features
Exchange Control Panel (ECP)
New and simplified web based management console
Targeted for end users, hosted tenants, and specialists
Role Based Access Control (RBAC)
New authorization model
Easy to delegate and customize
All Exchange management clients (EMS, EMC, ECP) use RBAC
Remote PowerShell
Manage Exchange remotely using PowerShell v2.0
Note: No more local PowerShell, it's all remote in Exchange 2010
Monitoring
Exchange 2010 Management
Supported OS platforms
All of Exchange 2010 is 64-bit only
Admin-tools also require 64 bit OS
Supported OS platforms for Admin/Management Tools
Vista x64 SP1 (*may be SP2)
W2k8 x64 SP2
Windows7 x64 Client and W2k8 R2 x64
Remote PowerShell management
Does not require Exchange binaries at the client
Supported client OS platforms
Vista (x86 or x64)
W2k8 (x86 or x64)
W2k8 R2 (x86 or x64) or Win7 (x86 or x64)
W2k3 (x86 or x64)
XP (x86 or x64)
Exchange Management Console (EMC)
Improvements
Built on Remote PowerShell and RBAC
Multiple Forest Support
Cross-premises Exchange 2010 Management
Including Mailbox Moves
Recipient Bulk Edit
PowerShell Command Logging
New feature support
For example: High Availability
Exchange Management Console
Exchange Control Panel (ECP)
What is it?
A browser based Management client for end users, administrators, and specialists
Accessible directly via URL, OWA & Outlook 2010
Deployed as a part of the Client Access Server role
Simplified user experience for common management tasks
RBAC aware
ECP Architecture Overview
High Level View
AJAX-based
Shares some code with OWA, but two separate applications
Deployed on Client Access Server
ECP → ASP.NET → RBAC → PowerShell
Authentication
Windows Integrated, Basic, Forms Based
Browser support - Same as OWA
IE
Firefox
Safari
Client Access Server
Exchange Control Panel
Who will use it?
Specialists and administrators
Administrators can delegate to specialists e.g. Help Desk Operators, Department Administrator, and eDiscovery Administrators
End Users
Comprehensive self service tools for End Users
Hosted Customers
Tenant Administrators and Tenant End Users
Exchange Control Panel: User View
[Screenshot callouts: Primary Navigation, Secondary Navigation]
Exchange Control Panel: Admin View
[Screenshot callouts: UI Scope Control, Primary Navigation, Secondary Navigation]
Exchange Control Panel: User Self-Service features
Lower Support Costs Through New User Self-Service Options
Distribution Group Management
• Join existing groups
• Create and manage groups
Message Tracking
• Track message delivery
• Can be accessed from messages in OWA
Edit own details
• Modify Address List Contact details
Exchange Control Panel: Administration features
Empower Specialist Users
Specialist Administration
• Compliance Officers: Multi-mailbox search
• HR: Manage Users and Groups
Manage other users
• Help Desk can manage user’s OWA options
• Can make same changes as targeted user
Manage Permissions
• Manage roles
• Manage User self-service policies
Exchange Control Panel
RBAC in Exchange 2010
RBAC has replaced the permission model used in Exchange 2007
Your “role” is defined by “what you do”
Define precise or broad roles and assignments based on the tasks that need to be performed
Includes self administration
Used by EMC, EMS and ECP
RBAC Management Role Assignment
Who can do What… and Where?
Role Assignment
Binds a Role and Scope to a Role Holder (Assignee)
[Diagram: Role Assignments form the binding layer between Role Holder, Role and Scope]
Who? Role Holder: Role Group (higher level job function) of Administrators / Specialists
What? Role: task-based permissions; each Role is made up of Role Entries (Command: Parameters), the individual permissions
Where? Recipient Scope and Configuration Scope
Role Assignment
Role membership managed through ECP and Exchange Management Shell
Built-In Role Groups
• Organization Management
• Public Folder Management
• Recipient Management
• View-Only Organization Management
• UM Management
• Help Desk
• Records Management
• Discovery Management
• Server Management
• Delegated Setup
• Hygiene Management
RBAC Role Assignment Policies
New mailboxes are assigned the default assignment policy
A mailbox can have only one role assignment policy
[Diagram: a Role Assignment Policy forms the binding layer between Role Holder and Roles, through Role Assignments]
Who? Role Holder (higher level job function)
What? Roles (task-based permissions)
Where? Scope = “Self”
Customizing Permissions
Role assignment policies
Some customization supported through ECP
Changes affect entire user segment
Assignments can be additive or subtractive
Add/Remove-ManagementRoleAssignment
Only applies to end user roles
Customizing Permissions
Role groups
• Simplest method: Update role groups
• Change affects all members
• Assignments can be additive or subtractive
Add/Remove-ManagementRoleAssignment
RBAC Role Delegation
Role membership is not a right to delegate
RoleAssignment Delegation
Special kind of role assignment
Delegation does not grant role permissions
RoleGroup Delegation
Controlled through RoleGroup ownership
ManagedBy parameter similar to DGs (Multi-Valued)
Ownership does not grant RoleGroup permissions
RBAC Permissions Reporting
Get-ManagementRoleAssignment
• Effective users by role/scope/group
• Effective permissions to a writable object
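The reporting and delegation points above, as an added example that is not part of the original slides: an Exchange Management Shell audit of who effectively holds a few sensitive built-in roles, which assignments are delegating, and who owns each role group. The selection of roles and the recipient identity `user@example.com` are assumptions made for illustration.

```powershell
# Added example: run in the Exchange Management Shell or an imported remote session.
# The roles listed are built-in Exchange 2010 roles picked here as "sensitive" (assumption).
$sensitiveRoles = 'Role Management', 'Mailbox Search', 'Mailbox Import Export'

# Who? -GetEffectiveUsers expands role groups and nested groups to individual users.
$effective = foreach ($role in $sensitiveRoles) {
    Get-ManagementRoleAssignment -Role $role -GetEffectiveUsers |
        Select-Object Role, EffectiveUserName, RoleAssigneeName,
                      AssignmentMethod, RoleAssignmentDelegationType
}
$effective | Sort-Object Role, EffectiveUserName | Format-Table -AutoSize

# Delegating assignments allow the holder to assign the role to others;
# they do not grant the role's own cmdlets.
Get-ManagementRoleAssignment -Delegating $true |
    Select-Object Role, RoleAssigneeName, RoleAssignmentDelegationType |
    Format-Table -AutoSize

# Role group ownership (ManagedBy) decides who may change membership.
Get-RoleGroup |
    Select-Object Name, ManagedBy, @{ Name = 'MemberCount'; Expression = { $_.Members.Count } } |
    Format-Table -AutoSize

# Where? Everyone whose assignments allow writing to one recipient.
# 'user@example.com' is a placeholder identity.
Get-ManagementRoleAssignment -WritableRecipient 'user@example.com' -GetEffectiveUsers |
    Select-Object EffectiveUserName, Role, RoleAssigneeName |
    Sort-Object EffectiveUserName -Unique |
    Format-Table -AutoSize
```

Reviewing the first table regularly shows when a user has gained a sensitive role indirectly through group nesting, which the `AssignmentMethod` column distinguishes from a direct assignment.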
Role Based Access Control
Remote PowerShell
Allows Role-Based Access Control model
Restricted PSSession allows RBAC to hide cmdlets and parameters
Client / Server separation
Local Shell and Remote Shell
Remote PowerShell is always used, even to connect “remotely” to localhost
Enables firewall and cross-forest scenarios
“No Binaries” scenarios
Exchange-cmdlet management from a client machine which does not have Exchange Management Tools (Exchange binaries) installed
Remote PowerShell
How does it work?
> New-PSSession -ConnectionUri http://server.fqdn.com/PowerShell/
> New-Mailbox -Name Robin
[Robin Mailbox Object in Pipeline]
[Diagram components: PSv2 Client Runspace, WSMan, IIS (Authentication), RBAC stack (Authorization), Active Directory, PSv2 RBAC Server Runspace, Exchange Server]
Ilse: Role Assignment: New-Mailbox -Name, Get-Mailbox, Set-Mailbox -Name
Cmdlets Available in Runspace: New-PSSession
Remote Cmdlets Available in Runspace: New-Mailbox -Name, Get-Mailbox, Set-Mailbox -Name
Cmdlets Available in Runspace: New-Mailbox -Name, Get-Mailbox, Set-Mailbox -Name
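The connection flow described above, as an added example that is not part of the original slides: open the restricted session from a client without Exchange binaries, list what RBAC exposes to the connecting account, and flag cmdlets that account should not see. The URI is the placeholder from the slide; the watch list and variable names are assumptions made for illustration.

```powershell
# Added example: runs from any PowerShell v2.0 client, no Exchange tools needed.
$uri = 'http://server.fqdn.com/PowerShell/'   # placeholder URI from the slide

# Microsoft.Exchange is the session configuration Exchange 2010 publishes.
# With Kerberos the WSMan payload is encrypted even on an http:// URI;
# if you must use Basic authentication, use an https:// URI instead.
$session = New-PSSession -ConfigurationName Microsoft.Exchange `
                         -ConnectionUri $uri `
                         -Authentication Kerberos `
                         -Credential (Get-Credential)

try {
    # The server runspace contains only the cmdlets this account's role
    # assignments allow, so Get-Command shows its RBAC-filtered view.
    $exposed = Invoke-Command -Session $session -ScriptBlock { Get-Command } |
        Select-Object -ExpandProperty Name

    # Illustrative watch list (assumption): cmdlets a help-desk or
    # self-service account would not normally need.
    $watch = 'New-ManagementRoleAssignment', 'Add-RoleGroupMember', 'New-MailboxSearch'
    $unexpected = @($exposed | Where-Object { $watch -contains $_ })

    '{0} commands exposed in this session' -f @($exposed).Count
    if ($unexpected.Count -gt 0) {
        Write-Warning ('Session exposes privileged cmdlets: ' + ($unexpected -join ', '))
    }
}
finally {
    # Always release the server-side runspace.
    Remove-PSSession -Session $session
}
```

Running it once per delegated account (help desk, compliance officer, end user) gives a quick least-privilege check of the role assignments behind each session.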
Remote PowerShell and Files
Importing and exporting files changed
Limitations on importing files
500MB for each cmdlet that’s run
75MB for each object that’s passed to a cmdlet
Can be altered
Remote PowerShell
Monitoring and Reporting
Greatly reduced alert “noise”
Uses Operations Manager health model to hide “symptom alerts” and leave “root cause alerts”
Only raises alerts for lowest level failure within 90-second window
Faster problem resolution
Reporting
Service Level Agreement (SLA) target support
Mail flow statistics based on message tracking logs
Distribution group usage
Sample Reports
Summary
Exchange Management Console
New Features, Bulk Management, and PowerShell convergence
Role Based Access Control
RBAC has replaced the permission model used in Exchange 2007
Enables the definition of broad or precise roles and assignments, based on the actual roles administrators perform
Exchange Control Panel
Provides a new way to administer a subset of Exchange features
Provides a great self provisioning portal
Remote PowerShell
Uses familiar Exchange cmdlets
Allows administration without the Exchange management tools
Provides firewall-friendly management access
Related Content
UNC306 Information Protection and Control in Microsoft Exchange Server 2010
Ilse Van Criekinge
11/11/2009
10:45 - 12:00
UNC201 Introducing Microsoft Exchange Server 2010
Adam Glick, Astrid McClean
11/10/2009
09:00 - 10:15
UNC202 Discover the New OWA: Outlook Web App
Adam Glick
11/10/2009
13:30 - 14:45
UNC14-HOL
Microsoft Exchange Server 2010 Setup and Deployment
© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should
not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS,
IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.