Last week I had the opportunity of visiting Brussels, Gent, and Mons to talk about the wonderful new features included within Exchange 2010. During this Exchange 2010 RoadShow, I’ve done several demo’s, and I always said that I would blog every Shell cmdlet I used, so this is part 1 🙂
In this blog post I want to show you how you can create a new Role-Assignment-Policy, which enables you to decide which attributes your mailbox-enabled users will be able to change using their Outlook Web App.
Every mailbox-enabled user in Exchange 2010 will by default have the Default Role Assignment Policy assigned, which enables him/her to change quite a few attributes on his/her own account using Outlook Web App.
Let’s create a new mailbox-enables user, called Employee1, using the Exchange Management Shell. As can be seen after creation, this user has the Default Role Assignment Policy assigned.
Using Outlook Web App, this Default Role Assignment Policy, enables Employee1 to change for example his street address and his phone number, as can be seen in the pictures below:
Having a look at the Default Role Assignment Policy
So what does this Default Role Assignment entail? Here we need to turn to the Exchange Management Shell to find out.
Running the cmdlet Get-ManagementRoleAssignment, we can find out which roles have been assigned to the Default Role Assignement Policy.
Looking at the role MyContactInformation, it’s clear that’s the role which enables the user to set its own user account and change attributes like Phone Number and Street Address.
Another search reveals that users who have been delegated administrator roles like UM Mailboxes, or Mail Recipients will be able to change settings for the user accounts as well (limited to any scope, like Organizational Unit and so on)
Creating a new role
Since I do not want to change any of the default built-in roles (don’t change the built-in roles, so you can always fall back if needed!), I’m creating a new one, and by adding the parameter –Parent, I create a new role MyEmployeesBasic, which is in fact a copy of the built-in role MyContactInformation.
Create a new RoleAssignment Policy
Using the Shell I create a new RoleAssignment Policy:
Followed by adding all needed roles to this new role-assignment policy, which will include the same ones as the default role assignment policy, except for the new MyEmployeesBasic, which will replace the MyContactInformation.
Change the Role Assignment Policy for a user
In order to change the role assignment policy for a user you can use both the Exchange Control Panel or use the Shell:
Since I don’t want some users to be able to change their Street Address, and Phone number, I need to remove those parameters from the newly created role MyEmployeesBasic:
Checking the change using OWA
Logging into OWA, Employee1 is no longer able to change its Street Address, and Phone number as wanted:-)
Until next post