Hi Matt, your recommendation to put users directly into the security group goes against everything Windows has taught us for many years. The Windows security model uses the ACL model, where each object stores security information about access to itself. Unix/Linux has a model where each object gets given a group and users are members of groups to gain access to objects.
Does this indicate that ACLs will be phased out in the future? Generally, well-designed AD structures contain role-based groups anyway, but these groups are based on the user's job rather than access rights. In huge companies this may map to the Exchange roles directly, but generally we create a "user admin" group and all user admin employees should go in this group. Would it be feasible to create the "user admin" group as an Exchange RBAC role group and then use this for delegation in the rest of the domain? If this is the case then this looks perfect, but you did mention flipping bits to change the group type. Does this reflect in AD as a separate group type?
Sorry, I have not had a chance to test any of this yet; your article will help greatly with that, so thanks very much.
Cheers
Dave
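One way to check what a given group actually looks like in AD, as an added example that is not part of Dave's comment or Matt's article: decode the `groupType` bitmask (the ADS_GROUP_TYPE_* flags Microsoft documents) and read the Exchange recipient-type attribute. It assumes the ActiveDirectory (RSAT) module and read access to the domain; the group name `user admin` is a placeholder taken from the comment above.

```powershell
# Added example (not from the post). Decodes an AD groupType value and checks
# whether a group carries the Exchange role-group recipient type.
function ConvertFrom-GroupType {
    param([Parameter(Mandatory)][int]$GroupType)
    # Flags: 0x1 BUILTIN local, 0x2 global, 0x4 domain local, 0x8 universal,
    # 0x80000000 security-enabled. The high bit makes the stored value negative.
    $scope = if ($GroupType -band 0x8) { 'Universal' }
             elseif ($GroupType -band 0x4) { 'DomainLocal' }
             elseif ($GroupType -band 0x2) { 'Global' }
             elseif ($GroupType -band 0x1) { 'BuiltinLocal' }
             else { 'Unknown' }
    $category = if ($GroupType -band 0x80000000) { 'Security' } else { 'Distribution' }
    [pscustomobject]@{ Scope = $scope; Category = $category; Raw = ('0x{0:X8}' -f $GroupType) }
}

function Test-ExchangeRoleGroup {
    # Requires the ActiveDirectory module; $Identity is a placeholder group name.
    param([Parameter(Mandatory)][string]$Identity)
    $g = Get-ADGroup -Identity $Identity -Properties groupType, msExchRecipientTypeDetails
    $info = ConvertFrom-GroupType -GroupType $g.groupType
    # Exchange stores RecipientTypeDetails RoleGroup as 0x40000000 (1073741824).
    $isRoleGroup = ($g.msExchRecipientTypeDetails -band 0x40000000) -ne 0
    [pscustomobject]@{
        Name        = $g.Name
        Scope       = $info.Scope
        Category    = $info.Category
        IsRoleGroup = $isRoleGroup
        Container   = ($g.DistinguishedName -replace '^CN=[^,]+,', '')
    }
}

# Pure decode works offline: a universal security group stores -2147483640.
ConvertFrom-GroupType -GroupType -2147483640   # Scope Universal, Category Security

# Live check against the directory (placeholder name from the comment):
# Test-ExchangeRoleGroup -Identity 'user admin'
```

If `IsRoleGroup` is true while `Scope`/`Category` report an ordinary universal security group, the role group is the same AD group type that can be used in ACLs elsewhere; the Exchange-specific part is the recipient-type attribute, not a separate group type.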