Preventing Creation of Archive Mailboxes

On a LinkedIn forum I responded to the following query:

Question: Does anyone know how to prevent Exch admins from creating archive mailboxes in Exchange 2010 SP1?

Answer: Out of the box, the only Management Role that grants the New-Mailbox cmdlet together with its -Archive parameter is "Mail Recipient Creation". By default, the Role Groups to which that Role is assigned are Organization Management and Recipient Management. Keep in mind that New-Mailbox is not the only way to end up with an archive mailbox: Enable-Mailbox -Archive adds an archive to an existing mailbox, so the same check should be run for that cmdlet as well.

I gathered this information using the following command lines (Get-ManagementRole with -Cmdlet and -CmdletParameters lists every role whose entry for that cmdlet still includes the given parameter):
Get-ManagementRole -Cmdlet New-Mailbox -CmdletParameters Archive
Get-ManagementRoleAssignment -Role "Mail Recipient Creation"

So, in order to accomplish this objective one would need to create a custom Management Role derived from the "Mail Recipient Creation" Role and then remove the Archive parameter from that custom role's New-Mailbox role entry. A child role can only lose cmdlets and parameters relative to its parent, never gain them, which is what makes this approach safe.

Sample Command lines to accomplish this are shown below:
New-ManagementRole -Parent "Mail Recipient Creation" -Name "Mail Recipient Creation Without Archive"
Set-ManagementRoleEntry "Mail Recipient Creation Without Archive\New-Mailbox" -Parameters Archive -RemoveParameter

Finally, you would most likely need to create a new Management Role Group for your administrators and assign the "Mail Recipient Creation Without Archive" Role to it, along with any other roles those administrators need in your environment. That is good practice in any case, because the built-in Organization Management Role Group can delegate any cmdlet back to itself (something Active Directory Split Permissions can limit, if your organization runs in that mode). Its ability to do so comes from holding a Role Assignment for every role with a Role Assignment Delegation Type of DelegatingOrgWide, as opposed to the "Regular" assignments that are usually made to the other Role Groups. In other words, trimming a role entry only restricts administrators who are not members of Organization Management; anyone who is a member could simply assign the untrimmed parent role back.
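The whole procedure as one Exchange Management Shell script, added here as an example and not part of the original answer. It assumes Exchange 2010 SP1, that it is run by a member of Organization Management, and that the role name, role group name and the member account (CONTOSO\jdoe) are placeholders to be replaced. It goes slightly beyond the text by also stripping -Archive from the Enable-Mailbox entry if the derived role happens to carry it, and by verifying the result afterwards.

```powershell
# Added example (not from the original post): derive a "no archive" copy of the
# Mail Recipient Creation role and hand it to a custom role group.
# Assumptions: Exchange 2010 SP1 Management Shell, run as a member of
# Organization Management. $roleName, $groupName and $members are placeholders.

$parentRole = 'Mail Recipient Creation'
$roleName   = 'Mail Recipient Creation Without Archive'
$groupName  = 'Recipient Admins (No Archive)'
$members    = @('CONTOSO\jdoe')   # hypothetical member account; replace it

# Cmdlets that can produce an archive mailbox via the -Archive parameter.
# Enable-Mailbox -Archive adds an archive to an existing mailbox, so it is
# checked alongside New-Mailbox.
$archiveCmdlets = 'New-Mailbox', 'Enable-Mailbox'

# 1. Show which built-in roles currently expose -Archive on each cmdlet.
foreach ($c in $archiveCmdlets) {
    Write-Host "Roles granting $c -Archive:"
    Get-ManagementRole -Cmdlet $c -CmdletParameters Archive | Format-Table Name -AutoSize
}

# 2. Create the child role. A child role can only lose entries or parameters
#    relative to its parent, never gain them.
if (-not (Get-ManagementRole $roleName -ErrorAction SilentlyContinue)) {
    New-ManagementRole -Parent $parentRole -Name $roleName | Out-Null
}

# 3. Remove the Archive parameter from every entry in the new role that has it.
#    Entries the parent role does not contain are simply skipped.
foreach ($c in $archiveCmdlets) {
    $entry = Get-ManagementRoleEntry "$roleName\$c" -ErrorAction SilentlyContinue
    if ($entry -and ($entry.Parameters -contains 'Archive')) {
        Set-ManagementRoleEntry "$roleName\$c" -Parameters Archive -RemoveParameter
    }
}

# 4. Create a role group that carries the trimmed role (append any other roles
#    your admins need to -Roles) and confirm its assignments are Regular ones,
#    not delegating ones.
if (-not (Get-RoleGroup $groupName -ErrorAction SilentlyContinue)) {
    New-RoleGroup -Name $groupName -Roles $roleName -Members $members | Out-Null
}
Get-ManagementRoleAssignment -RoleAssignee $groupName |
    Format-Table Role, RoleAssignmentDelegationType -AutoSize

# 5. Verify: the custom role must no longer be listed for -Archive on either cmdlet.
foreach ($c in $archiveCmdlets) {
    $still = Get-ManagementRole -Cmdlet $c -CmdletParameters Archive |
             Where-Object { $_.Name -eq $roleName }
    if ($still) { Write-Warning "$roleName still grants $c -Archive" }
    else        { Write-Host    "$roleName does not grant $c -Archive" }
}
```

The final verification step is the same Get-ManagementRole query used above to gather the facts, re-run after the change; if the custom role still appears there, the parameter was not removed. Administrators placed in the new role group must not also remain in Organization Management or Recipient Management, otherwise the untrimmed parent role still applies to them.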