Pro-Exchange,Lync & Office 365
Belgian Microsoft Unified Communications Professionals
Microsoft Exchange Server, Microsoft Lync Server & Office 365
Restricting Access to Exchange Control Panel for Users


I’ve recently been to a customer where they didn’t like the fact that end-users could update their personal information through the Exchange Control Panel. The reason is simply because there are no validation checks available to control the formatting of the information entered. For example there are numerous ways to enter a proper telephone number.

Editing personal information before it’s restricted


Now the way information is shown and controlled in ECP is like in many other places within Exchange 2010 through RBAC. By default an RBAC Role assignment policy is created for end-users, called “Default Role Assignment Policy”. This assignment policy is the default and therefore assigned to any Mailbox moved or created on Exchange 2010.

This Role Assignment Policy grants end users access to various settings on their own mailbox such as:

  • Editing Personal Information
  • Perform Message Tracking
  • Control their own Activesync partnerships
  • Updating Rules and Junk Mail Options
  • and much more.

Now to restrict access we will create a new Role Assignment Policy, remove some of the management role assignments and make this new policy default, in addition we will rename both policy to make them more distinctive.


Use the ECP to create a new RBAC User Assignment Policy

  1. First logon to OWA using and administrative account (member of the Organization Management Security Group)
  2. Now in the top left corner you can select to manage your organization
  3. Click on “Roles & Auditing”
  4. Click on “User Roles”
  5. Select the “Default Role Assignment Policy” and click on “Details”
  6. Now change the name of the policy to “Unrestricted Role Assignment Policy” (or whatever you find more appropriate). Click on Save to Continue.
  7. Now click on “New…” to create a new policy
  8. Specify the name of the policy, “Restricted Role Assignment Policy” and make sure only the MyBaseOptions role is selected.
    Now click on “Save” to store the new Role Assignment Policy.
  9. Now to make the new Role Assignment Policy the default one you’ll need to run the following Exchange cmdlet:
    Set-RoleAssignmentPolicy -identity "Restricted Role Assignment Policy" 
  10. Now log back on with an regular users and make sure you have the intended result


Use the EMS to create a new RBAC User Assignment Policy

  1. Logon to Exchange 2010 using an administrative account (member of the Organization Management Security Group)
  2. Open Exchange 2010 Management Shell
  3. First rename the default role assignment policy to something more distinctive
    Set-RoleAssignmentPolicy "Default Role Assignment Policy" 
    -Name "Unrestricted Role Assignment Policy"
  4. Then create a new role assignment policy with only the MyBaseOptions user role and make it the default policy
    New-RoleAssignmentPolicy -Name "Restricted Role Assignment Policy" 
    -Description "This policy does not allow end users to set their OWA Options and
    perform other self-administration tasks."
    -Roles MyBaseOptions -IsDefault:$True


Apply the new policy to existing mailboxes on Exchange 2010

If you already have mailboxes created on Exchange 2010 then the default (and thus unrestricted one) role assignment policy has already been applied to these mailboxes.

To apply the new, more restricted, policy to these mailboxes run the following command:

set-mailbox toninob -RoleAssignmentPolicy "Restricted Role Assignment Policy"


Now let’s see the results once we login with a regular user:


The ability to manage distribution groups has been removed from the list of options…


The save button is gone and that all text boxes are greyed out, the multi-line text box for the street address is not editable.

For more information on RBAC please refer to the following article:

Understanding Role Based Access Control


I hope this article has been helpful to you and please do provide comments if you like and share your suggestions and thoughts either personally to me or through our suggestions forum.

See you next time at a Pro-Exchange event…

Posted 01-11-2011 6:00 by Tonino
Filed under: ,