Locking Down Exchange 2010 Control Panel (ECP) Options

Like This Blog 2

Added by Mike Pfeiffer April 12, 2012

The Exchange Control Panel (ECP) allows end-users to perform many self-service tasks, such as tracking messages, managing groups, and creating inbox rules. Of course, just like other GUI based tools in the Exchange world today, the ECP is driven in the background by Exchange Management Shell EMS cmdlets. Just as it is for administrations, access to these cmdlets are controlled by RBAC roles.

Sometimes the out-of-box RBAC roles granted to end-users for ECP self-service are too broad. For example, when a user logs into ECP, they have the ability to modify some of their account information. This includes their address, city, state, and each of their contact numbers which includes work, home, and mobile phones.

Here's a screen shot of what I am talking about. I got here by clicking on "Edit" on the Account Options screen:

Notice that fields like Last Name, DisplayName, and E-mail Address are all greyed out, and Work Phone, Fax, and Home Phone are not. This is the default configuration, but it might not meet every organization's needs.

Imagine that your organization does not want end-users changing their work number. This would make sense due to the fact that the IT or Telecom team probably makes this decision for the user. We'll use this as basis for our example on how to lock down ECP options.

The RBAC role that allows an end-user to modify their contact information is one of the user roles assigned through a role assignment policy. By default, every user receives this role assignment from the Default Role Assignment Policy which is configurable via ECP:

Now, we don't want to uncheck this, as that would restrict the user from modifying any contact information at all. We stil want them to be able to modify their personal phone numbers, just not their work numbers. In this case, we'll need to create a custom version of the MyContactInformation role that will accomplish this.

The actual cmdlet assigned via the MyContactInformation role that allows a user to change their work phone number is the Set-User cmdlet. More specifically, the Set-User cmdlet with the -Phone parameter is what makes this happen.

Let's start by firing up the EMS (I'm logged in with an account in the Organization Management group) and executing the following command. This will create a "sub" role of the existing MyContactInformation role:

Next we'll capture the existing collection of Set-User parameters assigned by this role into a variable called $params:

Next we'll filter out the "Phone" parameter and save the remaining parameters back to the existing $params variable:

Now we can simply set back the $params collection as the acceptable parameters to the Set-User cmdlet:

The last step is to make sure we actually assign our custom MyContactInfo role to the user. Since the existing MyContactInformation role is too broad, we'll remove that from the Default Role Assignment policy:

Finally, we'll re-assign the new custom MyContactInfo role to the Default Role Assignment Policy, which is assigned to all mailboxes by default:

After logging back into ECP as an end-user, you can see that when clicking on "Edit", under the Account Options screen, that the Work Phone field is indeed disabled:

Although tricky, sometimes this level of customization is required. Even though we looked at a basic example here, you can use this approach when you need to remove a cmdlet or a specific parameter from one of the end-user roles.

Enjoy!

Mike Pfeiffer – Microsoft MVP
Director of Unified Communications
Interface Technical Training