JEA and Exchange


This topic contains 7 replies, has 5 voices, and was last updated by John Mello 6 months ago.

  • #66507

    Manuel Berfelde
    Participant

    Hi guys and gals,

    I am trying to build a JEA-endpoint for a junior-admin on an Exchange Server 2013 to give him limited access to Exchange-cmdlets (e.g. get-recipient). Unfortunately I don't find information on how to import a SnapIn into the JEA session.
    Can someone please help?

    Edit: To be more precise: I need to import the SnapIn and restrict access to certain cmdlets.

    Thanks!

  • #66510

    Albert van Boerum
    Participant

    With import-module you can specify what cmdlets are imported.

    I do not know if this is possible with a SnapIn.

  • #66558

    Manuel Berfelde
    Participant

    Is this really not possible, or am I asking the wrong question?

  • #66576

    Manuel Berfelde
    Participant

    Guess I will use RBAC...

  • #66639

    Monte Hazboun
    Participant

    Hi Manuel,

    Here are some things I would try:

    1) Write a small PS1 file that imports the snap-in and then point to that script on the "ScriptsToProcess" line in your role capabilities file.
    2) Write a module with a function that wraps the Get-Recipient cmdlet with the Add-PSSnapin cmdlet. Expose the module in your role capabilities file under ModulesToImport.
    3) Expose the Add-PSSnapin cmdlet with a parameter filter to only allow the appropriate snap-in name to be added. Have the user add the snap-in themselves. (See example below.)

    # Role capability (.psrc) entry: expose Add-PSSnapin, limited to one snap-in name
    VisibleCmdlets = @{
        Name = 'Add-PSSnapin'
        Parameters = @{ Name = 'Name'; ValidateSet = 'SnapinName' }
    }

    I believe one of those should do the trick, though I've never had to import a snapin on a JEA endpoint.

  • #66678

    Peter Jurgens
    Participant

    JEA requires WMF5 and since WMF5 is not supported with Exchange 2013 I wouldn't suggest this route at all. https://msdn.microsoft.com/en-us/powershell/wmf/5.0/productincompat?f=255&MSPPError=-2147217396

    RBAC is quite granular, and you'll need to set the users up with correct RBAC roles/role groups to be able to administer Exchange anyway... Is there some specific reason you don't seem keen on using RBAC?

    • #66708

      Manuel Berfelde
      Participant

      Not really, no.
      It was more curiosity than necessity.

  • #66786

    John Mello
    Participant

    You should not be loading the PSSnapin directly since that is not supported by MS (Directly Loading Exchange 2010 or 2013 SnapIn Is Not Supported). While it works, you will run into odd errors and results on some cmdlets. You also bypass RBAC completely when doing so, which defeats the purpose of trying to limit cmdlet access. In this case RBAC is going to be what you want to use in order to reduce the cmdlet set for the session.
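
An added example, not part of any post in this thread: one way to do what the last replies recommend, using Exchange RBAC to cut a junior admin's session down to Get-Recipient. The role name, role group name, the account 'jdoe' and the choice of 'View-Only Recipients' as the parent role are assumptions made for illustration.

```powershell
# Run in the Exchange Management Shell with rights to manage RBAC
# (for example as a member of Organization Management).
# All names below are hypothetical placeholders.
$roleName  = 'Junior Recipient Lookup'
$groupName = 'Junior Admins - Recipient Lookup'
$member    = 'jdoe'
$allowed   = @('Get-Recipient')   # cmdlets the junior admin may keep

# 1. Create a child of a built-in role. A child role starts with all of the
#    parent's entries and can never contain more than the parent does.
New-ManagementRole -Name $roleName -Parent 'View-Only Recipients'

# 2. Strip every role entry that is not on the allow list.
Get-ManagementRoleEntry "$roleName\*" |
    Where-Object { $allowed -notcontains $_.Name } |
    ForEach-Object {
        Remove-ManagementRoleEntry -Identity "$roleName\$($_.Name)" -Confirm:$false
    }

# 3. Create a role group that carries only this role and add the junior admin.
New-RoleGroup -Name $groupName -Roles $roleName -Members $member

# 4. Check the result: list what the role still grants and who holds it.
Get-ManagementRoleEntry "$roleName\*" | Select-Object Name, Parameters
Get-ManagementRoleAssignment -Role $roleName |
    Select-Object Name, RoleAssigneeName, RoleAssigneeType
```

RBAC is enforced only when the user connects through Exchange remote PowerShell or the Exchange Management Shell; a session that loads the snap-in directly is not restricted by these entries.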
