Pro-Exchange,Lync & Office 365
How to prevent users from editing their own contact details through ECP

Introduction

By default, users are allowed to update/change their personal information through the Exchange Control Panel.
However, there may be good reasons why you do not want your users to be able to make those changes.

Role Based Access Control (RBAC)

The ability to change your contact information is, by default, controlled through the "Default Role Assignment Policy".
If you haven’t changed a user’s policy (by creating and assigning a new one), he/she gets this policy assigned by default.

A Role Assignment Policy consists of some Management Roles that are “tied” to this policy using Management Role Assignments.

First, let’s take a look at the different Management Roles that exist. Running the Get-ManagementRole cmdlet will output a list of all available Management Roles:

[screenshot: Get-ManagementRole output] (note: I've omitted the entire list of results from the screenshot to limit its size)

In the list you will normally see some Management Roles that start with “My”. Let’s take a close look at these using the following cmdlet:

Get-ManagementRole "My*" | Format-Table Name,Description


The result is a list of all so-called user-focused management roles. You will see the “MyContactInformation” management role. If you take a look at the full description for this management role, you will see that this is actually the role we want to focus on:
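Before removing anything it helps to see exactly what the role grants. The following is an added example, not a command from the original post; it assumes an Exchange Management Shell session with permission to read RBAC objects. Get-ManagementRoleEntry lists the cmdlets and the parameter subset the role exposes, which is what the "Contact information" fields in ECP map to, and the assignment query shows every Role Assignment Policy the role is currently tied to, regardless of how the assignment was named.

```powershell
# Added example (not part of the original post). Assumes an Exchange
# Management Shell session with read access to RBAC configuration.

# The full role description (the screenshot in the post truncates it)
Get-ManagementRole -Identity MyContactInformation |
    Format-List Name, Description, Parent

# Role entries: each entry is a cmdlet the role lets a user run, together
# with the parameters the role exposes on it. This is what ECP actually
# calls when a user edits their own contact details.
Get-ManagementRoleEntry "MyContactInformation\*" |
    Format-Table Name, Role, Parameters -AutoSize

# Every role assignment policy that currently includes the role.
# Querying by role and assignee type, not by assignment name, also finds
# assignments that were given a non-descriptive name.
Get-ManagementRoleAssignment -Role MyContactInformation -RoleAssigneeType RoleAssignmentPolicy |
    Format-Table Name, RoleAssigneeName, Enabled -AutoSize
```

If the last query returns more than one policy, users assigned to the other policies keep the ability to edit their details until those assignments are handled as well.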


To remove the user’s ability to change his/her contact information, we only need to remove the Management Role from the Default Role Assignment Policy by removing the corresponding Management Role Assignment. To do so, we first need to know which Management Role Assignment is used to tie the Management Role to the Policy:

Get-ManagementRoleAssignment "My*" | ?{$_.RoleAssigneeName -eq "Default Role Assignment Policy"} | Format-Table Name,RoleAssigneeName


Here, we can see that the Management Role is tied to the Policy using the following Role Assignment: “MyContactInformation-Default Role Assignment Policy”. To verify that this is indeed the correct one, let’s dig just a little deeper:

Get-ManagementRoleAssignment "MyContactInformation-Default Role Assignment Policy" | Format-List Name,Role,RoleAssignee


As you will see, this is indeed the correct Role Assignment. Here the name of the Role Assignment is self-explanatory, but that will not always be the case. Although it is a best practice to name role assignments clearly (e.g. "ManagementRole-RoleGroup" or "ManagementRole-RoleAssignmentPolicy"), someone may well have created a role assignment with a less descriptive name, so verify the Role and RoleAssignee properties rather than relying on the name alone.

All that is left now is removing the role assignment. Doing so removes a user's ability to modify his/her contact details:

Remove-ManagementRoleAssignment "MyContactInformation-Default Role Assignment Policy"
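The steps above as one script, added here as an example and not taken from the original post. It locates the assignment through its Role and RoleAssignee instead of trusting the assignment name, does a -WhatIf dry run, removes the assignment, and then verifies the policy and lists the mailboxes affected. It assumes an Exchange Management Shell session run by an account holding the Role Management role (members of Organization Management have it); the variable names are my own.

```powershell
# Added example (not part of the original post). Assumes an Exchange
# Management Shell session with the Role Management role.

$policyName = "Default Role Assignment Policy"
$roleName   = "MyContactInformation"

# Find every assignment tying this role to this policy, whatever it is named
$assignments = Get-ManagementRoleAssignment -Role $roleName -RoleAssignee $policyName -ErrorAction SilentlyContinue

if (-not $assignments) {
    Write-Host "No assignment of $roleName to '$policyName' found; nothing to remove."
    return
}

# Show what is about to be removed
$assignments | Format-Table Name, Role, RoleAssigneeName, RoleAssigneeType, Enabled -AutoSize

# Dry run: -WhatIf reports the change without making it
$assignments | Remove-ManagementRoleAssignment -WhatIf

# Real removal (drop -Confirm:$false to be prompted for each assignment)
$assignments | Remove-ManagementRoleAssignment -Confirm:$false

# Verify: the policy's AssignedRoles should no longer contain the role.
# AssignedRoles holds AD object references, so compare on their string form.
$policy = Get-RoleAssignmentPolicy -Identity $policyName
$stillAssigned = ($policy.AssignedRoles | ForEach-Object { "$_" }) -contains $roleName
if ($stillAssigned) {
    Write-Warning "$roleName is still assigned to '$policyName'"
} else {
    Write-Host "$roleName removed from '$policyName'"
}

# Scope of the change: every mailbox that uses this policy
Get-Mailbox -ResultSize Unlimited |
    Where-Object { "$($_.RoleAssignmentPolicy)" -eq $policyName } |
    Select-Object Name, RoleAssignmentPolicy
```

Users already signed in to ECP may keep the edit fields until their session is refreshed; the change takes effect for new requests once RBAC configuration replicates across the organization. To restore the behaviour later, New-ManagementRoleAssignment -Role MyContactInformation -Policy "Default Role Assignment Policy" recreates the assignment.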


Exchange Control Panel (ECP)

This was actually the “hard” way. There’s another (easier) way in which we can achieve the same goal. Using ECP, we can also control the “Default Role Assignment Policy”:


When you open the details of the Default Role Assignment Policy, it suffices to uncheck the desired options and save the changes:


Conclusion

Both the Exchange Management Shell and Exchange Control Panel can be used to make the necessary changes. Although the ECP is easier for making changes, the Exchange Management Shell will give you more control and offer more insight on how RBAC works.


Posted 10-30-2011 6:42 by Michael Van Horenbeeck