Locking Down Exchange 2010 Control Panel (ECP) Options
The Exchange Control Panel (ECP) allows end-users to perform many self-service tasks, such as tracking messages, managing groups, and creating inbox rules. Of course, just like other GUI-based tools in the Exchange world today, the ECP is driven in the background by Exchange Management Shell (EMS) cmdlets. Just as it is for administrators, access to these cmdlets is controlled by RBAC roles.
Sometimes the out-of-box RBAC roles granted to end-users for ECP self-service are too broad. For example, when a user logs into ECP, they have the ability to modify some of their account information. This includes their address, city, state, and each of their contact numbers which includes work, home, and mobile phones.
Here's a screen shot of what I am talking about. I got here by clicking on "Edit" on the Account Options screen:
Notice that fields like Last Name, DisplayName, and E-mail Address are all greyed out, and Work Phone, Fax, and Home Phone are not. This is the default configuration, but it might not meet every organization's needs.
Imagine that your organization does not want end-users changing their work number. This would make sense because the IT or Telecom team probably makes this decision for the user. We'll use this as the basis for our example on how to lock down ECP options.
The RBAC role that allows an end-user to modify their contact information is one of the user roles assigned through a role assignment policy. By default, every user receives this role assignment from the Default Role Assignment Policy which is configurable via ECP:
Now, we don't want to uncheck this, as that would restrict the user from modifying any contact information at all. We still want them to be able to modify their personal phone numbers, just not their work numbers. In this case, we'll need to create a custom version of the MyContactInformation role that will accomplish this.
The actual cmdlet assigned via the MyContactInformation role that allows a user to change their work phone number is the Set-User cmdlet. More specifically, the Set-User cmdlet with the -Phone parameter is what makes this happen.
Let's start by firing up the EMS (I'm logged in with an account in the Organization Management group) and executing the following command. This will create a "sub" role of the existing MyContactInformation role:
Next we'll capture the existing collection of Set-User parameters assigned by this role into a variable called $params:
Next we'll filter out the "Phone" parameter and save the remaining parameters back to the existing $params variable:
Now we can simply set back the $params collection as the acceptable parameters to the Set-User cmdlet:
The last step is to make sure we actually assign our custom MyContactInfo role to the user. Since the existing MyContactInformation role is too broad, we'll remove that from the Default Role Assignment policy:
Finally, we'll re-assign the new custom MyContactInfo role to the Default Role Assignment Policy, which is assigned to all mailboxes by default:
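The steps above, collected into one Exchange Management Shell script. This is an added example, not the author's original commands: the role name MyContactInfo and the $params variable come from the text, while locating the existing assignment by role and policy (instead of by assignment name) and the closing check are assumptions added here.

```powershell
# Added example: run in the Exchange Management Shell as a member of
# Organization Management.
$policy = "Default Role Assignment Policy"

# 1. Create a child ("sub") role of the built-in MyContactInformation role.
#    A child role can only contain a subset of its parent's entries.
New-ManagementRole -Name "MyContactInfo" -Parent "MyContactInformation"

# 2. Capture the Set-User parameters the new role currently allows.
$params = (Get-ManagementRoleEntry "MyContactInfo\Set-User").Parameters

# 3. Drop the Phone (work phone) parameter and keep everything else.
$params = $params | Where-Object { $_ -ne "Phone" }

# 4. Write the reduced list back as the allowed Set-User parameters.
Set-ManagementRoleEntry "MyContactInfo\Set-User" -Parameters $params

# 5. Remove the broad built-in role from the policy (prompts for confirmation).
Get-ManagementRoleAssignment -Role "MyContactInformation" -RoleAssignee $policy |
    Remove-ManagementRoleAssignment

# 6. Assign the custom role to the policy in its place.
New-ManagementRoleAssignment -Role "MyContactInfo" -Policy $policy

# Check (assumption, not a step from the article): confirm Phone is no longer
# an allowed Set-User parameter, then list the roles the policy now grants.
(Get-ManagementRoleEntry "MyContactInfo\Set-User").Parameters -contains "Phone"
Get-ManagementRoleAssignment -RoleAssignee $policy | Select-Object Name, Role
```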
After logging back into ECP as an end-user, you can see that when clicking on "Edit", under the Account Options screen, that the Work Phone field is indeed disabled:
Although tricky, sometimes this level of customization is required. Even though we looked at a basic example here, you can use this approach when you need to remove a cmdlet or a specific parameter from one of the end-user roles.
Enjoy!
Mike Pfeiffer – Microsoft MVP
Director of Unified Communications
Interface Technical Training