{"id":762,"date":"2015-10-29T17:56:26","date_gmt":"2015-10-29T15:56:26","guid":{"rendered":"http:\/\/dety.net.ua\/?p=762"},"modified":"2015-10-29T17:56:26","modified_gmt":"2015-10-29T15:56:26","slug":"exchange-2010-allow-users-to-manage-contacts","status":"publish","type":"post","link":"https:\/\/dety.net.ua\/?p=762","title":{"rendered":"Exchange 2010 + allow users to manage contacts"},"content":{"rendered":"<h1 align=\"justify\">Copy-pasted from: <a href=\"http:\/\/blogs.technet.com\/b\/rmilne\/archive\/2013\/08\/07\/creating-rbac-role-to-delegate-contact-management.aspx\" target=\"_blank\">http:\/\/blogs.technet.com\/b\/rmilne\/archive\/2013\/08\/07\/creating-rbac-role-to-delegate-contact-management.aspx<\/a><\/h1>\n<h1 align=\"justify\">Building Blocks<\/h1>\n<p align=\"justify\">We will need to permit:<\/p>\n<ul>\n<li>\n<div align=\"justify\">Management of Distribution Groups in Active Directory<\/div>\n<\/li>\n<li>\n<div align=\"justify\">Creation and management of Mail Enabled Contacts in Active Directory<\/div>\n<\/li>\n<li>\n<div align=\"justify\">A management toolset to manage the above<\/div>\n<\/li>\n<\/ul>\n<h1 align=\"justify\">Management of Distribution Groups<\/h1>\n<p align=\"justify\">Exchange 2010 does not allow a user to manage groups that they own by default.\u00a0 All of the necessary plumbing is present; you just have to enable the feature.\u00a0 This is explained in detail <a href=\"http:\/\/blogs.technet.com\/b\/exchange\/archive\/2009\/11\/18\/how-to-manage-groups-that-i-already-own-in-exchange-2010.aspx\" target=\"_blank\">here<\/a>.\u00a0 A couple of things to note:<\/p>\n<ul>\n<li>\n<div align=\"justify\">Groups cannot manage groups in Exchange 2010; this feature returned in <a href=\"http:\/\/blogs.technet.com\/b\/rmilne\/archive\/2013\/04\/02\/exchange-2013-cu1-released.aspx\" target=\"_blank\">Exchange 2013 CU1<\/a>. 
There is a <a href=\"http:\/\/blogs.technet.com\/b\/exchange\/archive\/2011\/05\/04\/how-to-manage-groups-with-groups-in-exchange-2010.aspx\" target=\"_blank\">workaround<\/a> for Exchange 2010.<\/div>\n<\/li>\n<li>\n<div align=\"justify\">Make sure the mailboxes and the DGs are in the same GAL.<\/div>\n<\/li>\n<\/ul>\n<p align=\"justify\">As noted above, to let users manage groups that they own, assign <strong>MyDistributionGroups<\/strong> to the appropriate Role Assignment Policy.\u00a0 In the example below the Default Role Assignment Policy was changed to enable this.\u00a0 Note that this will also allow users to create new Distribution Groups, so I\u2019ll cover that <a href=\"http:\/\/blogs.technet.com\/b\/rmilne\/archive\/2013\/08\/09\/allow-users-to-manage-distribution-groups-without-creating-new-ones.aspx\" target=\"_blank\">in a separate blog<\/a>.\u00a0 Also, you may not want to change the Default Role Assignment Policy in your environment.\u00a0 You can have multiple Role Assignment Policies, and different groups of mailboxes can have a Role Assignment Policy that maps to their business needs.<\/p>\n<p><a href=\"http:\/\/blogs.technet.com\/cfs-file.ashx\/__key\/communityserver-blogs-components-weblogfiles\/00-00-00-91-09-metablogapi\/8713.clip_5F00_image001_5F00_6BED32AA.jpg\"><img loading=\"lazy\" decoding=\"async\" title=\"Exchange 2010 Default Role Assignment Policy Edited To Enable MyDistributionGroups\" src=\"http:\/\/blogs.technet.com\/cfs-file.ashx\/__key\/communityserver-blogs-components-weblogfiles\/00-00-00-91-09-metablogapi\/4377.clip_5F00_image001_5F00_thumb_5F00_5B34EC22.jpg\" alt=\"Exchange 2010 Default Role Assignment Policy Edited To Enable MyDistributionGroups\" width=\"644\" height=\"445\" border=\"0\" \/><\/a><\/p>\n<p>Well, that\u2019s the easy part done!<\/p>\n<p>So let\u2019s create an RBAC Role, and for the purposes of this test do a direct role assignment to one user account, though this can easily be a group and would be the recommended 
methodology.<\/p>\n<h1>Creation &amp; Management of Mail Enabled Contacts in Active Directory<\/h1>\n<p align=\"justify\">End users cannot create contacts in AD by default, but we can change the default RBAC configuration to allow this.\u00a0 The trick is to assign just the minimum permissions possible.\u00a0 RBAC is aware of the permissions that have been assigned to a person, and will change the display to reflect the assigned permissions.\u00a0 If you do not have access to do something, then you will not see that option.<\/p>\n<p align=\"justify\">Where to start?\u00a0 We need to know which role contains the cmdlet that we want to leverage.\u00a0 In this case we want the New-MailContact cmdlet, and to see in which roles it is present we can use Get-ManagementRole with the \u2013Cmdlet parameter:<\/p>\n<blockquote>\n<p align=\"justify\"><em>Get-ManagementRole -Cmdlet New-MailContact<\/em><\/p>\n<\/blockquote>\n<p><a href=\"http:\/\/blogs.technet.com\/cfs-file.ashx\/__key\/communityserver-blogs-components-weblogfiles\/00-00-00-91-09-metablogapi\/5314.image_5F00_190A1D48.png\"><img loading=\"lazy\" decoding=\"async\" title=\"Exchange 2010 RBAC - Checking Which Role(s) Contain Necessary cmdlet\" src=\"http:\/\/blogs.technet.com\/cfs-file.ashx\/__key\/communityserver-blogs-components-weblogfiles\/00-00-00-91-09-metablogapi\/5353.image_5F00_thumb_5F00_53851D1C.png\" alt=\"Exchange 2010 RBAC - Checking Which Role(s) Contain Necessary cmdlet\" width=\"644\" height=\"104\" border=\"0\" \/><\/a><\/p>\n<p align=\"justify\">We can see that the Mail Recipient Creation role contains the cmdlet that we need.\u00a0 It also contains a bunch of other cmdlets that would grant too many capabilities.\u00a0 A full listing is shown below for reference:<\/p>\n<blockquote>\n<p align=\"justify\"><em>Get-ManagementRoleEntry \u2013Identity \u201cMail Recipient Creation\\*\u201d<\/em><\/p>\n<\/blockquote>\n<p align=\"justify\"><a 
href=\"http:\/\/blogs.technet.com\/cfs-file.ashx\/__key\/communityserver-blogs-components-weblogfiles\/00-00-00-91-09-metablogapi\/8863.image_5F00_0AEB2E4B.png\"><img loading=\"lazy\" decoding=\"async\" title=\"Exchange 2010 RBAC - Management Role Entries Contained in Mail Recipient Creation Management Role\" src=\"http:\/\/blogs.technet.com\/cfs-file.ashx\/__key\/communityserver-blogs-components-weblogfiles\/00-00-00-91-09-metablogapi\/0636.image_5F00_thumb_5F00_0861FC8D.png\" alt=\"Exchange 2010 RBAC - Management Role Entries Contained in Mail Recipient Creation Management Role\" width=\"644\" height=\"336\" border=\"0\" \/><\/a><\/p>\n<p align=\"justify\">The built-in roles are read-only and cannot be changed, so we cannot remove any cmdlets from them.\u00a0 What we can, and will, do is create a writable copy and make the necessary changes to that copied Management Role.<\/p>\n<p align=\"justify\">To create a new role called <strong>AD-Contact-Editors<\/strong> based on the built-in \u201cMail Recipient Creation\u201d role:<\/p>\n<blockquote>\n<p align=\"justify\"><em>New-ManagementRole \u2013Name AD-Contact-Editors \u2013Parent \u201cMail Recipient Creation\u201d<\/em><\/p>\n<\/blockquote>\n<p><a href=\"http:\/\/blogs.technet.com\/cfs-file.ashx\/__key\/communityserver-blogs-components-weblogfiles\/00-00-00-91-09-metablogapi\/5226.image_5F00_4C923E0C.png\"><img loading=\"lazy\" decoding=\"async\" title=\"Exchange 2010 RBAC -  Creating New Management Role\" src=\"http:\/\/blogs.technet.com\/cfs-file.ashx\/__key\/communityserver-blogs-components-weblogfiles\/00-00-00-91-09-metablogapi\/2728.image_5F00_thumb_5F00_264FE4B4.png\" alt=\"Exchange 2010 RBAC -  Creating New Management Role\" width=\"644\" height=\"92\" border=\"0\" \/><\/a><\/p>\n<p align=\"justify\">Right now, our newly created AD-Contact-Editors role is a mirror copy of the original parent role.\u00a0 Thus it has all the cmdlets and parameters that the parent has.\u00a0 Now we need to 
strip all of the unwanted cmdlets from our new role. Ultimately we want to leave only the bare minimum.<\/p>\n<p align=\"justify\">You could strip each cmdlet out one at a time.\u00a0 For this exercise it will be easier to remove all but one and then add a couple back in.\u00a0 We cannot remove all of the role entries, which is why we leave one behind.\u00a0 Let\u2019s leave just Get-MailContact in the role.\u00a0 To remove the role entries, we shall pass the unwanted cmdlets through to Remove-ManagementRoleEntry.\u00a0 So all cmdlets that are not Get-MailContact will be removed.<\/p>\n<p><a href=\"http:\/\/blogs.technet.com\/cfs-file.ashx\/__key\/communityserver-blogs-components-weblogfiles\/00-00-00-91-09-metablogapi\/5417.image_5F00_09364E78.png\"><img loading=\"lazy\" decoding=\"async\" title=\"Exchange 2010 RBAC -  Removing Unwanted Management Role Entries\" src=\"http:\/\/blogs.technet.com\/cfs-file.ashx\/__key\/communityserver-blogs-components-weblogfiles\/00-00-00-91-09-metablogapi\/7357.image_5F00_thumb_5F00_35DF0851.png\" alt=\"Exchange 2010 RBAC -  Removing Unwanted Management Role Entries\" width=\"644\" height=\"107\" border=\"0\" \/><\/a><\/p>\n<p>Top Tip:<\/p>\n<p>Always check the objects that are returned prior to piping them to the remove cmdlet.<\/p>\n<p>So in this case we would first run:<\/p>\n<blockquote><p><em>Get-ManagementRoleEntry -Identity AD-Contact-Editors\\* | Where-Object {$_.Name -ne &#8216;Get-MailContact&#8217;}<\/em><\/p><\/blockquote>\n<p>Only when we are happy with what is returned should we run:<\/p>\n<blockquote><p><em>Get-ManagementRoleEntry -Identity AD-Contact-Editors\\* | Where-Object {$_.Name -ne &#8216;Get-MailContact&#8217;} | Remove-ManagementRoleEntry<\/em><\/p><\/blockquote>\n<p>If we check what\u2019s now in the AD-Contact-Editors Management Role, it only contains the Get-MailContact cmdlet.<\/p>\n<blockquote><p><em>Get-ManagementRoleEntry \u2013Identity AD-Contact-Editors\\*<\/em><\/p><\/blockquote>\n<p><a 
href=\"http:\/\/blogs.technet.com\/cfs-file.ashx\/__key\/communityserver-blogs-components-weblogfiles\/00-00-00-91-09-metablogapi\/0523.image_5F00_2D0F0005.png\"><img loading=\"lazy\" decoding=\"async\" title=\"Exchange 2010 RBAC -  Checking Current Management Role Entries\" src=\"http:\/\/blogs.technet.com\/cfs-file.ashx\/__key\/communityserver-blogs-components-weblogfiles\/00-00-00-91-09-metablogapi\/6607.image_5F00_thumb_5F00_56369843.png\" alt=\"Exchange 2010 RBAC -  Checking Current Management Role Entries\" width=\"644\" height=\"95\" border=\"0\" \/><\/a><\/p>\n<p>Let\u2019s add back New-MailContact using Add-ManagementRoleEntry:<\/p>\n<blockquote><p><em>Add-ManagementRoleEntry \u2013Identity \u201cAD-Contact-Editors\\New-MailContact\u201d<\/em><\/p><\/blockquote>\n<p><a href=\"http:\/\/blogs.technet.com\/cfs-file.ashx\/__key\/communityserver-blogs-components-weblogfiles\/00-00-00-91-09-metablogapi\/0638.image_5F00_3AB19640.png\"><img loading=\"lazy\" decoding=\"async\" title=\"Exchange 2010 RBAC -  Adding Required Management Role Entries Back In\" src=\"http:\/\/blogs.technet.com\/cfs-file.ashx\/__key\/communityserver-blogs-components-weblogfiles\/00-00-00-91-09-metablogapi\/0334.image_5F00_thumb_5F00_2BBA4159.png\" alt=\"Exchange 2010 RBAC -  Adding Required Management Role Entries Back In\" width=\"644\" height=\"61\" border=\"0\" \/><\/a><\/p>\n<p>If we test this in ECP at this point, we only have the capability to manage ourselves, so we need to add a few more cmdlets back in.\u00a0 We need to add:<\/p>\n<ul>\n<li>Remove-MailContact<\/li>\n<li>Get-Recipient<\/li>\n<li>Set-Recipient<\/li>\n<\/ul>\n<blockquote><p><em>Add-ManagementRoleEntry \u2013Identity \u201cAD-Contact-Editors\\Remove-MailContact\u201d<\/em><\/p>\n<p><em>Add-ManagementRoleEntry \u2013Identity \u201cAD-Contact-Editors\\Get-Recipient\u201d<\/em><\/p>\n<p><em>Add-ManagementRoleEntry \u2013Identity \u201cAD-Contact-Editors\\Set-Recipient\u201d<\/em><\/p><\/blockquote>\n<p>This should give you a management role that looks like 
this:<\/p>\n<blockquote><p><em>Get-ManagementRoleEntry \u201cAD-Contact-Editors\\*\u201d<\/em><\/p><\/blockquote>\n<p><a href=\"http:\/\/blogs.technet.com\/cfs-file.ashx\/__key\/communityserver-blogs-components-weblogfiles\/00-00-00-91-09-metablogapi\/2133.image_5F00_131B07FA.png\"><img loading=\"lazy\" decoding=\"async\" title=\"Exchange 2010 RBAC -  Checking Required Management Role Entries\" src=\"http:\/\/blogs.technet.com\/cfs-file.ashx\/__key\/communityserver-blogs-components-weblogfiles\/00-00-00-91-09-metablogapi\/4113.image_5F00_thumb_5F00_325DAECD.png\" alt=\"Exchange 2010 RBAC -  Checking Required Management Role Entries\" width=\"644\" height=\"119\" border=\"0\" \/><\/a><\/p>\n<p align=\"justify\">In case you are wondering why we have not added Set-MailContact to our custom role, there is a very good reason.\u00a0 Custom Management Roles can only contain cmdlets and parameters that exist in their parent role.\u00a0 If you check the original contents of the custom role, there is no Set-MailContact cmdlet in it, so we can never add it to this role.<\/p>\n<p>Assign the new role to a user.\u00a0 User-10 will be our fluffy and cute guinea pig.<\/p>\n<p><em>New-ManagementRoleAssignment -Role AD-Contact-Editors -User User-10<\/em><\/p>\n<p><a href=\"http:\/\/blogs.technet.com\/cfs-file.ashx\/__key\/communityserver-blogs-components-weblogfiles\/00-00-00-91-09-metablogapi\/0841.image24_5F00_21526EF1.png\"><img loading=\"lazy\" decoding=\"async\" title=\"Exchange 2010 RBAC -  Assigning Custom Management Role Directly To Mailbox\" src=\"http:\/\/blogs.technet.com\/cfs-file.ashx\/__key\/communityserver-blogs-components-weblogfiles\/00-00-00-91-09-metablogapi\/4478.image24_5F00_thumb_5F00_207A0907.png\" alt=\"Exchange 2010 RBAC -  Assigning Custom Management Role Directly To Mailbox\" width=\"644\" height=\"103\" border=\"0\" \/><\/a><\/p>\n<p>To check that the Management Role was correctly assigned, we could run:<\/p>\n<p>Get-ManagementRoleAssignment -Role 
AD-Contact-Editors<\/p>\n<p>Time to test!<\/p>\n<h1>Testing &amp; Validation<\/h1>\n<p align=\"justify\">Testing and validation is probably the most important part, and it is often overlooked.<\/p>\n<p align=\"justify\">Test, test and test like you mean it <img decoding=\"async\" class=\"wlEmoticon wlEmoticon-smile\" src=\"http:\/\/blogs.technet.com\/cfs-file.ashx\/__key\/communityserver-blogs-components-weblogfiles\/00-00-00-91-09-metablogapi\/6406.wlEmoticon_2D00_smile_5F00_4DF6C45F.png\" alt=\"Smile\" \/>.<\/p>\n<p align=\"justify\">You can allow your end users to use PowerShell to create and edit the contacts, though I suspect admin assistants who want to use PowerShell will be few and far between\u2026<\/p>\n<p align=\"justify\">Chances are they will prefer the nice graphical ECP interface, so let\u2019s focus on that.<\/p>\n<p align=\"justify\">Below is what our test user (User-10) sees in ECP.\u00a0 Note this is the Manage My Organization view.\u00a0 All they can see is the External Contacts tab.<\/p>\n<p><a href=\"http:\/\/blogs.technet.com\/cfs-file.ashx\/__key\/communityserver-blogs-components-weblogfiles\/00-00-00-91-09-metablogapi\/7711.image_5F00_5FD7BC97.png\"><img loading=\"lazy\" decoding=\"async\" title=\"Exchange 2010 ECP Showing User Editing Contacts\" src=\"http:\/\/blogs.technet.com\/cfs-file.ashx\/__key\/communityserver-blogs-components-weblogfiles\/00-00-00-91-09-metablogapi\/3463.image_5F00_thumb_5F00_181633B0.png\" alt=\"Exchange 2010 ECP Showing User Editing Contacts\" width=\"644\" height=\"448\" border=\"0\" \/><\/a><\/p>\n<p>In their Groups ECP view they see:<\/p>\n<p><a href=\"http:\/\/blogs.technet.com\/cfs-file.ashx\/__key\/communityserver-blogs-components-weblogfiles\/00-00-00-91-09-metablogapi\/6136.image_5F00_36ECA78E.png\"><img loading=\"lazy\" decoding=\"async\" title=\"Exchange 2010 ECP Showing User Editing Groups\" 
src=\"http:\/\/blogs.technet.com\/cfs-file.ashx\/__key\/communityserver-blogs-components-weblogfiles\/00-00-00-91-09-metablogapi\/6560.image_5F00_thumb_5F00_63292E72.png\" alt=\"Exchange 2010 ECP Showing User Editing Groups\" width=\"644\" height=\"441\" border=\"0\" \/><\/a><\/p>\n<p>And they can add the contacts to the DG:<\/p>\n<p><a href=\"http:\/\/blogs.technet.com\/cfs-file.ashx\/__key\/communityserver-blogs-components-weblogfiles\/00-00-00-91-09-metablogapi\/1108.image_5F00_6903D20B.png\"><img loading=\"lazy\" decoding=\"async\" title=\"Exchange 2010 ECP User Editing Editing Distribution Group\" src=\"http:\/\/blogs.technet.com\/cfs-file.ashx\/__key\/communityserver-blogs-components-weblogfiles\/00-00-00-91-09-metablogapi\/7827.image_5F00_thumb_5F00_415D55E1.png\" alt=\"Exchange 2010 ECP User Editing Editing Distribution Group\" width=\"424\" height=\"484\" border=\"0\" \/><\/a><\/p>\n<p>Outlook will also show the correct directory information.\u00a0 This is how Outlook 2010 sees the DG:<\/p>\n<p><a href=\"http:\/\/blogs.technet.com\/cfs-file.ashx\/__key\/communityserver-blogs-components-weblogfiles\/00-00-00-91-09-metablogapi\/0574.image_5F00_6033C9BF.png\"><img loading=\"lazy\" decoding=\"async\" title=\"Outlook 2010 Showing Same Directory Information\" src=\"http:\/\/blogs.technet.com\/cfs-file.ashx\/__key\/communityserver-blogs-components-weblogfiles\/00-00-00-91-09-metablogapi\/5710.image_5F00_thumb_5F00_388D4D95.png\" alt=\"Outlook 2010 Showing Same Directory Information\" width=\"644\" height=\"344\" border=\"0\" \/><\/a><\/p>\n<h1>Conclusion<\/h1>\n<p align=\"justify\">RBAC in Exchange 2010 allows a lot of customisation of the default built-in roles.\u00a0 For many customers the default roles will work fine, and if not they can be easily customised.<\/p>\n<p align=\"justify\">Note that the users you grant these permissions to will be able to manage, edit and delete all the contacts in the organisation, not just the ones they created.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Copy-pasted from: http:\/\/blogs.technet.com\/b\/rmilne\/archive\/2013\/08\/07\/creating-rbac-role-to-delegate-contact-management.aspx Building Blocks We will need to permit: Management of Distribution Groups in Active Directory Creation and management of Mail Enabled Contacts in Active Directory Management toolset to manage the above Management of Distribution Groups Exchange 2010 does not allow a user to manage groups that they own by default.\u00a0 All of the [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2,13],"tags":[],"class_list":["post-762","post","type-post","status-publish","format-standard","hentry","category-exchange","category-novosti"],"_links":{"self":[{"href":"https:\/\/dety.net.ua\/index.php?rest_route=\/wp\/v2\/posts\/762","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/dety.net.ua\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/dety.net.ua\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/dety.net.ua\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/dety.net.ua\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=762"}],"version-history":[{"count":1,"href":"https:\/\/dety.net.ua\/index.php?rest_route=\/wp\/v2\/posts\/762\/revisions"}],"predecessor-version":[{"id":763,"href":"https:\/\/dety.net.ua\/index.php?rest_route=\/wp\/v2\/posts\/762\/revisions\/763"}],"wp:attachment":[{"href":"https:\/\/dety.net.ua\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=762"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/dety.net.ua\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=762"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/dety.net.ua\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post
=762"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}