
RBAC: How to allow users to change their Title and Department

RBAC is a powerful tool, and one of the best things Microsoft implemented in Exchange 2010. It is only version 1, and as with most things from Microsoft, version 1 takes a little getting used to 🙂 I think that over time, as Microsoft gets feedback from customers, it will develop RBAC into something even more wonderful, but more importantly easier to use and customize.

One of the requests I have seen more and more frequently is the ability to add extra fields in ECP so that a user or users can amend them. That sounds straightforward, but it is not always, as we are limited to what is available in the end-user roles; however, if you're clever there are some potential workarounds. Below are some simple steps that will give a user or users the ability to change their Title or Department.


Option 1:

This will allow an end user to amend their own Title and Department through PowerShell.

In order to allow a user to modify these attributes, you need to create a custom RBAC role based on the Mail Recipients role.

We can determine what role we need to copy by running:

Get-ManagementRoleEntry *\Set-User -Parameters Department,Title

The following creates a new management role called Mail Recipients Custom. For now, this role is exactly the same as the original Mail Recipients role.

New-ManagementRole -Name "Mail Recipients Custom" -Parent "Mail Recipients"

To list the role entries (cmdlets) of the new role:

Get-ManagementRole "Mail Recipients Custom" | fl *RoleEntries*

What we do now is remove all but one entry from the role. PowerShell won't let you remove all of the entries, and for what we are doing, leaving the Get-User cmdlet in is a reasonable choice. It is very important to note that if you want the Set version of a cmdlet, you should also have the Get version of the same cmdlet on the role. It is hard to modify what you can't see!

Get-ManagementRoleEntry "Mail Recipients Custom\*" | where { $_.Name -ne "Get-User" } | Remove-ManagementRoleEntry

Now we add back the one Set cmdlet that we want, with only the parameters that we need.

Add-ManagementRoleEntry "Mail Recipients Custom\Set-User" -Parameters Title,Department

If this is just one user, you can assign the role directly to the user (usera in this example). Alternatively, use the *-RoleGroup cmdlets and assign it to a role group. Make sure you set the write scope to Self so the user isn't able to make changes for others.

New-ManagementRoleAssignment -Role "Mail Recipients Custom" -User usera -RecipientRelativeWriteScope Self

Enable remote PowerShell for the user:

Set-User usera -RemotePowerShellEnabled $true

Connect a remote Exchange Management Shell session to an Exchange server:

http://technet.microsoft.com/en-us/library/dd297932.aspx

$cred = Get-Credential

$session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://<Server FQDN>/PowerShell/ -Credential $cred

Import-PSSession $session

Get-Mailbox

Set-User <User> -Title <Title> -Department <Department>
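Once Option 1 is in place, it is worth confirming that the custom role and its assignment really are as narrow as intended. The script below is an added example and not part of the original post; it assumes the role and user names used above and flags any extra cmdlet, any extra Set-User parameter, and any assignment whose write scope is not Self.

```powershell
# Added example, not from the original post: audit the Option 1 result so the custom
# role grants only Get-User plus Set-User -Title/-Department, and the assignment
# can write to Self only. Role and user names are the post's; change them to suit.
function Test-CustomRoleLeastPrivilege {
    param(
        [string]$Role = "Mail Recipients Custom",
        [string]$User = "usera"
    )
    $allowedCmdlets = @("Get-User", "Set-User")
    # Parameters we intended to expose on Set-User. Identity is harmless under a Self
    # write scope; the rest are common parameters Exchange may list on an entry and
    # grant no data access (see the Remove-ManagementRoleEntry prompt in the comments).
    $allowedSetUserParams = @("Title", "Department", "Identity",
        "Confirm", "Debug", "DomainController", "ErrorAction", "ErrorVariable",
        "OutBuffer", "OutVariable", "Verbose", "WarningAction", "WarningVariable", "WhatIf")
    $problems = @()
    $entries = @(Get-ManagementRoleEntry "$Role\*")
    foreach ($e in $entries) {
        if ($allowedCmdlets -notcontains $e.Name) {
            $problems += "Role exposes an unintended cmdlet: $($e.Name)"
        }
    }
    $setUser = $entries | Where-Object { $_.Name -eq "Set-User" }
    if (-not $setUser) {
        $problems += "Set-User entry is missing, so Title/Department cannot be changed"
    } else {
        foreach ($p in $setUser.Parameters) {
            if ($allowedSetUserParams -notcontains $p) {
                $problems += "Set-User exposes an unintended parameter: -$p"
            }
        }
    }
    # The assignment, not the role, decides whose attributes can be written.
    $assignments = @(Get-ManagementRoleAssignment -Role $Role -RoleAssignee $User)
    if ($assignments.Count -eq 0) {
        $problems += "No assignment of '$Role' to '$User' was found"
    }
    foreach ($a in $assignments) {
        if ("$($a.RecipientWriteScope)" -ne "Self") {
            $problems += "Assignment '$($a.Name)' writes with scope '$($a.RecipientWriteScope)', expected Self"
        }
    }
    return ,$problems
}

$issues = Test-CustomRoleLeastPrivilege
if ($issues.Count -eq 0) { "OK: role entries and write scope match the intended design" }
else { $issues | ForEach-Object { "PROBLEM: $_" } }
```

Run it from an Exchange Management Shell with rights to read roles and assignments; an empty problem list means a user holding this role can touch nothing but their own Title and Department.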

Option 2:

This will allow an end user to amend other users' Title and Department through ECP. The thinking here is that you might want to assign this to someone in HR or a team leader, and not to general users, as the assignee will be able to change other users' Title etc.

In order to allow a user to modify these attributes, you need to create a custom RBAC role based on the Mail Recipients role.

We can determine what role we need to copy by running:

Get-ManagementRoleEntry *\Set-User -Parameters Department,Title

The following creates a new management role called Mail Recipients Custom. For now, this role is exactly the same as the original Mail Recipients role.

New-ManagementRole -Name "Mail Recipients Custom" -Parent "Mail Recipients"

Get-ManagementRoleEntry "Mail Recipients Custom\*" | where { $_.Name -ne "Set-User" } | Remove-ManagementRoleEntry


Set-ManagementRoleEntry "Mail Recipients Custom\Set-User" -Parameters Identity,Title,Department

Get-ManagementRoleEntry "Mail Recipients\Get-*" | Add-ManagementRoleEntry -Role "Mail Recipients Custom"

New-ManagementRoleAssignment -Name "test" -Role "Mail Recipients Custom" -User e14testuser2

New-ManagementRoleAssignment -Role "View-Only Recipients" -User e14testuser2
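With Option 2 the assignee's Set-User carries -Identity, so the default write scope (the whole organisation) lets them edit any recipient's Title and Department. The following is an added example, not part of the original post: it uses the role-group route mentioned above and goes one step beyond the post by restricting the assignments to a single OU, which is the per-team delegation the comments below ask about. The role group name and OU path are assumed values; the role and user are from the post.

```powershell
# Added example, not from the original post: assign the Option 2 role through a role
# group scoped to one OU, so HR or team-lead delegates can edit Title/Department only
# for recipients in that OU rather than organisation-wide (the default write scope).
$RoleName  = "Mail Recipients Custom"
$GroupName = "Lab A Recipient Editors"     # assumed role group name
$Members   = @("e14testuser2")              # delegate user from the post
$OuScope   = "contoso.com/Labs/LabA"        # assumed OU path; replace with your own

# One role group carrying both roles the post assigns separately. The OU scope is
# applied to every role assignment the group creates.
New-RoleGroup -Name $GroupName `
    -Roles $RoleName, "View-Only Recipients" `
    -Members $Members `
    -RecipientOrganizationalUnitScope $OuScope `
    -Description "Delegated Title/Department edits, limited to $OuScope"

# Verify: no assignment held by the group may write organisation-wide.
$wide = @(Get-ManagementRoleAssignment -RoleAssignee $GroupName |
    Where-Object { "$($_.RecipientWriteScope)" -eq "Organization" })
if ($wide.Count -eq 0) {
    "OK: no assignment for '$GroupName' has an organisation-wide write scope"
} else {
    $wide | ForEach-Object { "PROBLEM: $($_.Name) writes with scope $($_.RecipientWriteScope)" }
}

# Show what the group ended up with, for the change record.
Get-ManagementRoleAssignment -RoleAssignee $GroupName |
    Select-Object Name, Role, RecipientReadScope, RecipientWriteScope
```

Members of the role group pick up the role through group membership, so you can add or remove delegates later with Add-RoleGroupMember and Remove-RoleGroupMember instead of creating per-user assignments.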

In order to remove what you have just created, you can run the commands below.

Remove-ManagementRoleAssignment -Identity test

Remove-ManagementRoleAssignment -Identity "View-Only Recipients-e14testuser2"

Remove-ManagementRole -Identity "Mail Recipients Custom"

  1. March 31, 2010 at 1:53 pm

    Robbie,

    I have gone through your steps, and I have gone through other people’s walkthroughs for RBAC. I am having one major problem. I can make a Role Group with Roles that have a decent amount of permissions (in my case I made a group with the User Options and the View-Only Recipients roles), and I then add my user account to that role group. Now, after reading your instructions, I did exactly what you wrote, and when I run the EMC as my user, all the recipient options have a lock symbol next to them when I try to edit them. If I add my user to the Organization Management group, he immediately is able to edit all the user information for any recipient. What am I missing?

    • blackduke77
      March 31, 2010 at 1:59 pm

      Hi Paul,

      Can you post your commands so I can try in my lab?

      Also my post is really dealing with ECP not EMC which may play a role in this, but send me your steps and I will see if I can help.

      In fact, can you try via ECP?

  2. March 31, 2010 at 2:07 pm

    Yes, I will go back through the process to get a cleaned-up version of my commands.

    I checked ECP, and you’re right, I am able to make some changes with ECP. Do you know how I can translate this operation over into EMC? We have different labs where I work, and each lab has its own IT people who will need to manage their people in Exchange. Once I get over this hurdle I can start applying Scopes to limit their organizational reach.

    Thanks!

  3. March 31, 2010 at 2:30 pm

    Ok, I compiled a list from my PowerShell session of all the commands I used. It looks like it mirrors your blog post. Hopefully this will be legible in the comments section.

    [PS] C:\Windows\system32>New-ManagementRole -Name “Mail Recipients Custom” -Parent “Mail Recipients”

    Name RoleType
    —- ——–
    Mail Recipients Custom MailRecipients

    [PS] C:\Windows\system32>Get-ManagementRoleEntry “Mail Recipients Custom\*” | where { $_.Name -ne “Set-User”} | Remove-ManagementRoleEntry

    Confirm
    Are you sure you want to perform this action?
    Removing the “(Microsoft.Exchange.Management.PowerShell.E2010) Clear-ActiveSyncDevice -Cancel -Confirm -Debug -DomainController -ErrorAction -ErrorVariable -Identity
    -NotificationEmailAddresses -OutBuffer -OutVariable -Verbose -WarningAction -WarningVariable -WhatIf” management role entry on the “Mail Recipients Custom” management role.
    [Y] Yes [A] Yes to All [N] No [L] No to All [?] Help (default is “Y”): a

    [PS] C:\Windows\system32>Set-ManagementRoleEntry “Mail Recipients Custom\Set-User” -Parameters Identity,Title,Department
    [PS] C:\Windows\system32>Get-ManagementRoleEntry “Mail Recipients Custom\*”

    Name Role Parameters
    —- —- ———-
    Set-User Mail Recipients Custom {Department, Identity, Title}

    [PS] C:\Windows\system32>Get-ManagementRoleEntry “Mail Recipients\Get-*” | Add-ManagementRoleEntry -Role “Mail Recipients Custom”

    [PS] C:\Windows\system32>New-ManagementRoleAssignment -Name “test” -Role “Mail Recipients Custom” -User pb146-2010 -DomainController dc01

    Name Role RoleAssigneeName RoleAssigneeType AssignmentMethod EffectiveUserName
    —- —- —————- —————- —————- —————–
    test Mail Recipients Custom Brown, Paul –pb146-2010 User Direct

  4. March 31, 2010 at 8:15 pm

    I have done some further testing today, and it seems like the settings take effect for the user in PowerShell as well as the ECP. What I really need is for the settings to take effect in the EMC, and this is just not happening.

  5. Scott
    June 13, 2012 at 6:30 pm

    Did anyone ever figure this out?

  6. John
    April 18, 2013 at 10:43 pm

    If you do what he says above, but stop before ManagementRoleAssignment, you can go to ECP and add a New Role Group and add the role that you have created using the above.
