Locking Down Exchange 2010 Control Panel (ECP) Options


Mike Pfeiffer, April 12, 2012

The Exchange Control Panel (ECP) allows end-users to perform many self-service tasks, such as tracking messages, managing groups, and creating inbox rules. Of course, just like the other GUI-based tools in the Exchange world today, the ECP is driven in the background by Exchange Management Shell (EMS) cmdlets. Just as it is for administrators, access to these cmdlets is controlled by RBAC roles.

Sometimes the out-of-box RBAC roles granted to end-users for ECP self-service are too broad. For example, when a user logs into ECP, they have the ability to modify some of their account information. This includes their address, city, state, and each of their contact numbers (work, home, and mobile phones).

Here's a screen shot of what I am talking about. I got here by clicking on "Edit" on the Account Options screen:

Notice that fields like Last Name, DisplayName, and E-mail Address are all greyed out, and Work Phone, Fax, and Home Phone are not. This is the default configuration, but it might not meet every organization's needs.

Imagine that your organization does not want end-users changing their work number. That makes sense, since the IT or Telecom team probably makes this decision for the user. We'll use this as the basis for our example of how to lock down ECP options.

The RBAC role that allows an end-user to modify their contact information is one of the user roles assigned through a role assignment policy. By default, every user receives this role assignment from the Default Role Assignment Policy which is configurable via ECP:

Now, we don't want to uncheck this, as that would restrict the user from modifying any contact information at all. We still want them to be able to modify their personal phone numbers, just not their work numbers. In this case, we'll need to create a custom version of the MyContactInformation role that accomplishes this.

The actual cmdlet assigned via the MyContactInformation role that allows a user to change their work phone number is the Set-User cmdlet. More specifically, the Set-User cmdlet with the -Phone parameter is what makes this happen.

Let's start by firing up the EMS (I'm logged in with an account in the Organization Management group) and executing the following command. This will create a "sub" role of the existing MyContactInformation role:

New-ManagementRole -Name MyContactInfo -Parent MyContactInformation

Next we'll capture the existing collection of Set-User parameters assigned by this role into a variable called $params:

$params = (Get-ManagementRoleEntry 'MyContactInfo\Set-User').parameters

Next we'll filter out the "Phone" parameter and save the remaining parameters back to the existing $params variable:

$params = $params | Where-Object {$_ -ne 'Phone'}

Now we can simply set back the $params collection as the acceptable parameters to the Set-User cmdlet:

Set-ManagementRoleEntry 'MyContactInfo\Set-User' -Parameters $params

The last step is to make sure we actually assign our custom MyContactInfo role to the user. Since the existing MyContactInformation role is too broad, we'll remove it from the Default Role Assignment Policy:

Remove-ManagementRoleAssignment -Identity 'MyContactInformation-Default Role Assignment Policy' -Confirm:$false

Finally, we'll re-assign the new custom MyContactInfo role to the Default Role Assignment Policy, which is assigned to all mailboxes by default:

New-ManagementRoleAssignment -Role MyContactInfo -Policy 'Default Role Assignment Policy'
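The steps above, generalized into one re-runnable function (an added example, not code from the original post). It uses the same Exchange cmdlets as the post plus Get-ManagementRole and Get-ManagementRoleAssignment, and adds a verification step so you can prove the trimmed role entry no longer exposes the removed parameters; the function name New-RestrictedUserRole is made up for this example, and it assumes an EMS session with Organization Management rights.

```powershell
# Added example (not from the original post): the post's manual steps as a function.
# Role, cmdlet, parameter and policy names are inputs; the call at the bottom
# reproduces the post's scenario (MyContactInfo without Set-User -Phone).
function New-RestrictedUserRole {
    param(
        [Parameter(Mandatory)][string]$Name,              # custom child role, e.g. MyContactInfo
        [Parameter(Mandatory)][string]$Parent,            # built-in parent role being trimmed
        [Parameter(Mandatory)][string]$Cmdlet,            # role entry to trim, e.g. Set-User
        [Parameter(Mandatory)][string[]]$RemoveParameter, # parameters end-users must lose
        [string]$Policy = 'Default Role Assignment Policy'
    )

    # 1. Create the child role only if it is not already there, so the script can be re-run.
    if (-not (Get-ManagementRole -Identity $Name -ErrorAction SilentlyContinue)) {
        New-ManagementRole -Name $Name -Parent $Parent | Out-Null
    }

    # 2. Trim the parameter list on the child role's copy of the cmdlet (same idea as the
    #    post's Where-Object filter, but for any number of parameters).
    $entry  = "$Name\$Cmdlet"
    $before = @((Get-ManagementRoleEntry $entry).Parameters)
    $keep   = @($before | Where-Object { $RemoveParameter -notcontains $_ })
    Set-ManagementRoleEntry $entry -Parameters $keep

    # 3. Swap the assignment on the policy: parent role out, trimmed child role in.
    Get-ManagementRoleAssignment -Role $Parent -RoleAssignee $Policy |
        Remove-ManagementRoleAssignment -Confirm:$false
    if (-not (Get-ManagementRoleAssignment -Role $Name -RoleAssignee $Policy)) {
        New-ManagementRoleAssignment -Role $Name -Policy $Policy | Out-Null
    }

    # 4. Verify: read the entry back and fail loudly if any removed parameter is still exposed.
    $after = @((Get-ManagementRoleEntry $entry).Parameters)
    $leak  = @($after | Where-Object { $RemoveParameter -contains $_ })
    if ($leak.Count -gt 0) {
        throw "Parameters still exposed on ${entry}: $($leak -join ', ')"
    }

    # Summary object for logging or change tickets.
    [pscustomobject]@{
        Role       = $Name
        RoleEntry  = $entry
        Removed    = @($before | Where-Object { $RemoveParameter -contains $_ })
        Remaining  = $after.Count
        Policy     = $Policy
    }
}

# The post's scenario: block end-users from changing their work phone number.
New-RestrictedUserRole -Name MyContactInfo -Parent MyContactInformation -Cmdlet Set-User -RemoveParameter Phone
```

Mailboxes attached to a different role assignment policy are not affected; repeat the assignment swap for each policy that should carry the restriction.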

After logging back into ECP as an end-user and clicking "Edit" on the Account Options screen, you can see that the Work Phone field is indeed disabled:

Although tricky, sometimes this level of customization is required. Even though we looked at a basic example here, you can use this approach whenever you need to remove a cmdlet or a specific parameter from one of the end-user roles.


Mike Pfeiffer – Microsoft MVP
Director of Unified Communications
Interface Technical Training
