Create the management account

This chapter describes how to create the management account that is used to connect to the Exchange server remotely with PowerShell and that has access only to the given cmdlets.

Prerequisites

To be able to connect to the Exchange server remotely by using PowerShell, the account must have:

  • Exchange 2013 / 2016 / O365 (online)

  • PowerShell 2.0 / 3.0 with Exchange Management Shell plugin

  • Some administrative rights in Exchange

To connect to Exchange Online, you should also install Windows Management Framework 3.0 or Windows Management Framework 4.0.

Create and organize the management roles

The custom management roles are created with Role Based Access Control (RBAC) and the roles are organized in role groups. When a user is added to a role group made in this guide, the user can connect to the Exchange server using PowerShell.

  1. To create a user:

    1. Create a service account in Active Directory.

      Note

      In this guide, the user is named “SnowUser”. Replace “SnowUser” with your preferred name.

    2. To enable remote PowerShell logon for the user, start PowerShell and type: 

      Set-User SnowUser -RemotePowerShellEnabled $True

    3. To set execution policy on the application server that runs Cloud Extender and to enable scripts to be run on the application server, type:

      Set-ExecutionPolicy RemoteSigned

  2. To create a management role called "SnowMGMT", start the Exchange Management Shell and type:

    New-ManagementRole SnowMGMT -Parent "User Options"

    Note

    The management role is based on the parent role “User Options”, which gives the role access to some of the “User Options” cmdlets.

  3. To create a second management role, type:

    New-ManagementRole SnowMGMT1 -Parent "Organization Client Access"

  4. To group the management roles, type:

    New-RoleGroup -Name RemoteSnow -Roles "SnowMGMT", "SnowMGMT1" -Members "SnowUser"

  5. To verify the functionality of the account and the connection:

    Note

    Authentication and encryption methods may vary depending on configuration.

    1. Open PowerShell from any computer that can connect to the Exchange server, and then type:

      $so = New-PSSessionOption -SkipCNCheck -SkipCACheck -SkipRevocationCheck

    2. To create the session, type:

      $session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://FQDN/powershell/ -Credential $UserCredential -Authentication Basic -AllowRedirection -SessionOption $so

      Note

      Replace FQDN with the name of the Exchange server or virtual directory.

    3. To import the created session, type:

      Import-PSSession $session

    4. To verify the connection, type for example:

      Get-CASMailbox -ResultSize 10

      You should now receive 10 users from the Exchange server.

    5. To end the session, type:

      Remove-PSSession $session
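
The verification in step 5, as an added example that is not part of the original guide: it connects without the -SkipCNCheck, -SkipCACheck and -SkipRevocationCheck options, so the server certificate is validated before the Basic credentials are sent, and it then lists the cmdlets that the role group actually exposes to SnowUser. The FQDN value and the New-Mailbox check are assumptions.

```powershell
# Added example: verify the SnowUser connection with certificate validation on,
# then list what the RBAC role group exposes. Placeholder values are assumptions.
$Fqdn = 'exchange.example.com'        # placeholder: FQDN of your Exchange server
$UserCredential = Get-Credential      # enter the SnowUser credentials when prompted

# No -SessionOption is passed, so the CA, CN and revocation checks stay enabled
# and the connection fails if the server certificate does not validate.
$session = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri "https://$Fqdn/powershell/" `
    -Credential $UserCredential -Authentication Basic -AllowRedirection `
    -ErrorAction Stop

try {
    # Import-PSSession returns the temporary module that holds the proxy commands.
    $module  = Import-PSSession $session -DisableNameChecking -AllowClobber
    $exposed = @(Get-Command -Module $module.Name | Sort-Object Name)
    $names   = @($exposed | ForEach-Object { $_.Name })

    "Cmdlets exposed to $($UserCredential.UserName): $($names.Count)"

    # List the state-changing cmdlets the account can run, for review.
    $names | Where-Object { $_ -match '^(Set|New|Remove|Add|Enable|Disable)-' }

    # The verification call from the guide should succeed.
    Get-CASMailbox -ResultSize 10 | Select-Object Name

    # Assumption: New-Mailbox is not part of either parent role, so it should
    # not have been imported into this session.
    $unexpected = 'New-Mailbox'
    if ($names -contains $unexpected) {
        Write-Warning "$unexpected is available to this account; review the role assignments."
    }
}
finally {
    # Always close the remote session, even if a check above failed.
    Remove-PSSession $session
}
```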