Locking Down Exchange 2010 Control Panel (ECP) Options

Home > Blogs > Exchange Server > Locking Down Exchange 2010 Control Panel (ECP) Options

Locking Down Exchange 2010 Control Panel (ECP) Options

Like This Blog 2 Mike Pfeiffer
Added by April 12, 2012

The Exchange Control Panel (ECP) allows end-users to perform many self-service tasks, such as tracking messages, managing groups, and creating inbox rules. Of course, just like other GUI based tools in the Exchange world today, the ECP is driven in the background by Exchange Management Shell EMS cmdlets. Just as it is for administrations, access to these cmdlets are controlled by RBAC roles.

Sometimes the out-of-box RBAC roles granted to end-users for ECP self-service are too broad. For example, when a user logs into ECP, they have the ability to modify some of their account information. This includes their address, city, state, and each of their contact numbers which includes work, home, and mobile phones.

Here's a screen shot of what I am talking about. I got here by clicking on "Edit" on the Account Options screen:

Notice that fields like Last Name, DisplayName, and E-mail Address are all greyed out, and Work Phone, Fax, and Home Phone are not. This is the default configuration, but it might not meet every organization's needs.

Imagine that your organization does not want end-users changing their work number. This would make sense due to the fact that the IT or Telecom team probably makes this decision for the user. We'll use this as basis for our example on how to lock down ECP options.

The RBAC role that allows an end-user to modify their contact information is one of the user roles assigned through a role assignment policy. By default, every user receives this role assignment from the Default Role Assignment Policy which is configurable via ECP:

Now, we don't want to uncheck this, as that would restrict the user from modifying any contact information at all. We stil want them to be able to modify their personal phone numbers, just not their work numbers. In this case, we'll need to create a custom version of the MyContactInformation role that will accomplish this.

The actual cmdlet assigned via the MyContactInformation role that allows a user to change their work phone number is the Set-User cmdlet. More specifically, the Set-User cmdlet with the -Phone parameter is what makes this happen.

Let's start by firing up the EMS (I'm logged in with an account in the Organization Management group) and executing the following command. This will create a "sub" role of the existing MyContactInformation role:

New-ManagementRole -Name MyContactInfo -Parent MyContactInformation

Next we'll capture the existing collection of Set-User parameters assigned by this role into a variable called $params:

$params = (Get-ManagementRoleEntry 'MyContactInfo\Set-User').parameters

Next we'll filter out the "Phone" parameter and save the remaining parameters back to the existing $params variable:

$params = $params | Where-Object {$_ -ne 'Phone'}

Now we can simply set back the $params collection as the acceptable parameters to the Set-User cmdlet:

Set-ManagementRoleEntry 'MyContactInfo\Set-User' -Parameters $params

The last step is to make sure we actually assign our custom MyContactInfo role to the user. Since the existing MyContactInformation role is too broad, we'll remove that from the Default Role Assignment policy:

Remove-ManagementRoleAssignment -Identity 'MyContactInformation-Default Role Assignment Policy' -Confirm:$false

Finally, we'll re-assign the new custom MyContactInfo role to the Default Role Assignment Policy, which is assigned to all mailboxes by default:

New-ManagementRoleAssignment -Role MyContactInfo -Policy 'Default Role Assignment Policy'

After logging back into ECP as an end-user, you can see that when clicking on "Edit", under the Account Options screen, that the Work Phone field is indeed disabled:

Although tricky, sometimes this level of customization is required. Even though we looked at a basic example here, you can use this approach when you need to remove a cmdlet or a specific parameter from one of the end-user roles.


Mike Pfeiffer – Microsoft MVP
Director of Unified Communications
Interface Technical Training

Videos You May Like

Cable Testers and How to Use them in Network Environments

0 668 1

This content is from our CompTIA Network + Video Certification Training Course. Start training today! In this video, CompTIA Network + instructor Rick Trader demonstrates how to use cable testers in network environments. Let’s look at some tools that we can use to test our different cables in our environment. Cable Testers Properly Wired Connectivity … Continue reading Cable Testers and How to Use them in Network Environments

Configuring Windows Mobility Center and How to Turn it On and Off

1 1411 1

Video transcription Steve Fullmer: In our Windows training courses, we often share information about the Windows 8.1 Mobility Center. Mobility Center was introduced for mobile and laptop devices in Windows 7. It’s present and somewhat enhanced in Windows 8. Since we don’t have mobile devices in our classrooms, I decided to take a little bit … Continue reading Configuring Windows Mobility Center and How to Turn it On and Off

How to create a Cisco IOS Banner – Login and MOTD Message of the Day

0 4240 4

In this video, Cisco CCNA instructor Mark Jacob shows how to create a Login and Message of the Day (MOTD) banners in Cisco IOS. The Banner is an interesting feature of the Cisco IOS. You could probably get by without it, but in a commercial environment you want to have it.

Write a Comment

See what people are saying...

    Share your thoughts...

    Please fill out the comment form below to post a reply.