Wednesday, August 27, 2014

Managing RBAC Roles with RBAC_Manager in Five Easy Steps

We will look into using RBAC Manager R2 from CodePlex to manage our environment. There are also several cmdlets available.

Download RBAC Manager from this link, unzip the files and execute RBAC_Manager.exe.

Note: RBAC_Manager.exe runs in memory, which means you do not have to install it. If your environment is “secured”, this could be pretty neat news. I still recommend making sure you are clear on your workplace's existing policies, etc.

Now provide the required parameters and click OK to connect.

You will see the Management Roles listed in the left pane.

*PS equivalent of what you are seeing:

# Get all management role entries

Get-ManagementRoleEntry "*\*"

After making up your mind which Management Role you would like to use as the parent for a new one, simply “right click” it and select “New Role From Here”.

*PS equivalent

If you would like to see which cmdlets are assigned to a specific role:

Get-ManagementRoleEntry "Active Directory permissions\*"

Create a new Role from the Parent

New-ManagementRole "ZTEK Active Directory Permissions" -Parent "Active Directory Permissions"

Note: As far as the naming convention for Management Roles goes, make a plan and follow it. A simple naming convention for Management Roles and Role Groups will make management simpler for your organization.

Select the Role and get rid of any cmdlet you do not want to associate with this Role, then click Save on the top menu to save the changes.

PS version (removes the cmdlets whose name matches the -Like filter)

Get-ManagementRoleEntry "ZTEK Active Directory permissions\*" | Where {$_.Name -Like "Get-User"} | Remove-ManagementRoleEntry -Confirm:$False

Now click on “Show Role Groups”.

Get-RoleGroup

Create a Role Group

New-RoleGroup -Name "ZtekZone HelpDesk 1.0"

Here you can select any of the existing roles and custom scope options. It is pretty simple and useful. Once you are ready, click OK.

In this example I will pick the role we created earlier.

Adding a member to the Role Group

Get-RoleGroup | Select-Object name

Get-RoleGroup -Identity "ZtekZone Security Tier 2"

Get-RoleGroup -Identity "ZtekZone Security Tier 2" | Add-RoleGroupMember -Member c-Aki.Armstrong

To see the list of members:

Get-RoleGroup -Identity "ZtekZone Security Tier 2" | Select-Object name,members | ft -AutoSize

You can un-check the box to take Ron out of the RBAC Role Group. As you already know, RBAC groups are kept in the AD root forest, in the “Microsoft Exchange Security Groups” organization container.
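The steps above, combined into one Exchange Management Shell script as an added example (not from the original post or the RBAC Manager project): it trims the child role with an allow-list instead of a single -Like filter, and creates the role group and adds the member only after checking that nothing outside the allow-list is left in the role. The allow-list contents and the $preview switch are assumptions made for illustration; the role, group and member names are the ones used in this post.

```powershell
# Added example: run in the Exchange Management Shell.
$parent    = 'Active Directory Permissions'
$role      = 'ZTEK Active Directory Permissions'
$group     = 'ZtekZone HelpDesk 1.0'
$member    = 'c-Aki.Armstrong'
$allowList = @('Get-User')   # assumption: the only cmdlets the new role may keep
$preview   = $true           # assumption: $true only previews the removal step

# 1. Create the child role from its parent if it does not exist yet.
if (-not (Get-ManagementRole -Identity $role -ErrorAction SilentlyContinue)) {
    New-ManagementRole -Name $role -Parent $parent
}

# 2. Remove every role entry whose cmdlet name is not on the allow-list.
Get-ManagementRoleEntry "$role\*" |
    Where-Object { $allowList -notcontains $_.Name } |
    Remove-ManagementRoleEntry -Confirm:$false -WhatIf:$preview

# 3. Re-read the role and collect anything that is still outside the allow-list.
$extra = @(Get-ManagementRoleEntry "$role\*" |
    Where-Object { $allowList -notcontains $_.Name })

if ($extra.Count -gt 0) {
    # Still too broad (for example after a preview run): do not assign it to anyone.
    Write-Warning "$role still has $($extra.Count) entries outside the allow-list."
    $extra | Select-Object Name, Role | Format-Table -AutoSize
}
else {
    # 4. Create the role group with the trimmed role, then add the member.
    if (-not (Get-RoleGroup -Identity $group -ErrorAction SilentlyContinue)) {
        New-RoleGroup -Name $group -Roles $role
    }
    Add-RoleGroupMember -Identity $group -Member $member

    # 5. Show what the group grants and who is in it.
    Get-ManagementRoleAssignment -RoleAssignee $group |
        Select-Object Name, Role | Format-Table -AutoSize
    Get-RoleGroupMember -Identity $group | Select-Object Name
}
```

Run it once with $preview = $true to review the -WhatIf output of step 2, then set it to $false to apply the removal and let steps 4 and 5 run.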

As you can see, it is fairly simple to manage RBAC roles and their related tasks with RBAC Manager.

Respectfully,
Oz Casey, Dedeal ( MVP north America)
MCITP (EMA), MCITP (SA)
MCSE 2003, M+, S+, MCDST
Security+, Project +, Server +
http://smtp25.blogspot.com/ (Blog)
http://telnet25.wordpress.com/ (Blog)
