by Phoummala Schmitt

As mobile devices become the norm in the business world Exchange administrators still need to protect corporate data and email. Using Exchange’s built-in Active sync polices, administrators can control and limit access to corporate email. Even though Active Sync has been allowed, Exchange administrators may still feel the need to quarantine certain devices from using Active Sync to sync email on their mobile devices. This is a nice feature to have, which I have used in my previous roles as an Exchange administrator, however as I have found first hand this can be a management nightmare if the role of releasing the devices has been delegated to a non-exchange administrator.

In enterprises small or large, often times someone other than the exchange administrator is setting up devices, such as a Phone technician or help desk technician. The default help desk role group allows you to see what devices have been quarantined and activate the devices, but it doesn’t actually give you any rights to release. The only management role with these permissions is the Organization Client Access which is contained in the Exchange Organizational Management Role group. This is where the nightmare comes into play because now every time someone wants a device released from the quarantine only the exchange administrator can perform the duty. In a small organization this may not be a big deal but med-large organizations this task can become a pain to deal with.

Giving the keys to the kingdom to satisfy the requirement to release devices would be silly because that is way more access to Exchange than is needed. To delegate the task of releasing quarantined active sync devices you must create a custom management role. This custom management role can then be added to the any of the existing role group. The custom management role will allow that phone technician to only perform the functions that you have allowed them.


Follow the steps below to create a custom management role:

Note that you can only create custom management roles using the Exchange Management Shell

1.  Open the Exchange Management Shell. You will need to create a new management role that is based off the “Organization Client Access”. This is used as the parent role for the creation of this management role that you will be creating, essentially it’s like a template for the role. Type the following:

New-ManagementRole -Name “Your New Role” -Parent “Organization Client Access”

2.  The Organization Client Access role grants a lot of access which is not needed for this particular ActiveSync function so you want to make sure that it’. To limit the role to only a particular set of commands we need to remove the role entries except for Set-CASMailbox from the role “IBC ActiveSync”.

Get-ManagementRoleEntry “Your New Role *” | ? {$_.Name –ne “Set-CASMailbox”} | Remove-ManagementRoleEntry


Now that the new management role has been completed this role can be added to any of your existing Management role groups. You can use the ECP (Exchange Control Panel) to add the management role into a role group.

  1. Login into the ECP
  2. Go to roles & auditing, locate the Management group you want to add this to and select details. You are then displayed the details.
  3. Add your custom management role that you just created under the “Role” section
  4. Once completed Click Save.


This newly created custom management role will allow that phone technician to only perform the functions that you have allowed them without giving them organization management rights into Exchange.