How to Edit AD User Fields with ECP / OWA.

Summary:  How to create a custom management role for ECP / OWA.  Members of a designated security group get permission to change AD users' Identity, Title, Department, Company, and Manager fields.

Issue:  A manager has requested the ability to edit additional user fields from the OWA / ECP site.  The request includes the Identity, Title, Department, Company, and Manager fields.

Background:  The manager is currently assigned to the Help Desk role group that allows basic address changes to staff contact information within AD; changes to additional fields are not permitted.

Limitation:  Exchange 2010 ECP exposes only the built-in management roles.  Editing the attributes a role entry exposes is only possible with PowerShell.


Solution:

     Create AD Security Group:

  1. Create a new security group in AD (e.g. ECP_OWA-User_Fields).  Group members will have permission to edit all users' organization fields.

     Create New Management Role:

  1. Create a new management role based on Mail Recipients:

          New-ManagementRole -Name "Mail Recipients Extended" -Parent "Mail Recipients"

  2. Remove the unnecessary role entries, keeping only Set-User:

          Get-ManagementRoleEntry "Mail Recipients Extended\*" | where { $_.Name -ne "Set-User" } | Remove-ManagementRoleEntry

  3. Limit the Set-User entry to the extended organization attributes (additional users' organization fields)*:

          Set-ManagementRoleEntry "Mail Recipients Extended\Set-User" -Parameters Identity,Title,Department,Company,Manager

  4. Add the Get-* entries from the Mail Recipients role to the new role, so assigned users can still view recipients:

          Get-ManagementRoleEntry "Mail Recipients\Get-*" | Add-ManagementRoleEntry -Role "Mail Recipients Extended"

     Create New Management Role Assignment:

  1. Assign the role to the group:

          New-ManagementRoleAssignment -Name "Edit-User-Title-Dept" -Role "Mail Recipients Extended" -SecurityGroup "ECP_OWA-User_Fields"

  2. Assign View-Only Recipients to the group:

          New-ManagementRoleAssignment -Role "View-Only Recipients" -SecurityGroup "ECP_OWA-User_Fields"

  3. Add the managers' user accounts to the new security group in AD.


Implementation allows managers (or help desk) to view and edit the organization fields for all AD users.
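The whole procedure as one re-runnable script with a verification pass at the end, so the role can be audited before any manager is added to the group. This is an added example, not part of the original post; it uses the role, assignment and group names from the steps above and assumes the security group already exists in AD and that the script is run from the Exchange Management Shell by an Organization Management member:

```powershell
# Added example script (not from the original post): builds the "Mail Recipients Extended"
# role described above and then checks that it exposes nothing beyond the intended fields.
# Assumes the AD group ECP_OWA-User_Fields already exists (step 1 of the post).

$roleName       = "Mail Recipients Extended"
$assignmentName = "Edit-User-Title-Dept"
$groupName      = "ECP_OWA-User_Fields"
$allowedParams  = @("Identity", "Title", "Department", "Company", "Manager")

# 1. Derive the role from Mail Recipients (skipped if it already exists, so re-runs are safe).
if (-not (Get-ManagementRole $roleName -ErrorAction SilentlyContinue)) {
    New-ManagementRole -Name $roleName -Parent "Mail Recipients" | Out-Null
}

# 2. Strip every role entry except Set-User.
Get-ManagementRoleEntry "$roleName\*" |
    Where-Object { $_.Name -ne "Set-User" } |
    Remove-ManagementRoleEntry -Confirm:$false

# 3. -Parameters replaces the entry's parameter list, so Set-User is limited to exactly these.
Set-ManagementRoleEntry "$roleName\Set-User" -Parameters $allowedParams

# 4. Copy the read-only Get-* entries from the parent role so ECP can display recipients.
Get-ManagementRoleEntry "Mail Recipients\Get-*" |
    Add-ManagementRoleEntry -Role $roleName

# 5. Assign the new role and View-Only Recipients to the security group.
if (-not (Get-ManagementRoleAssignment $assignmentName -ErrorAction SilentlyContinue)) {
    New-ManagementRoleAssignment -Name $assignmentName -Role $roleName -SecurityGroup $groupName | Out-Null
    New-ManagementRoleAssignment -Role "View-Only Recipients" -SecurityGroup $groupName | Out-Null
}

# Verification: the role must contain only Set-User plus Get-* entries.
# Anything else means the group has been granted more than intended.
$unexpected = Get-ManagementRoleEntry "$roleName\*" |
    Where-Object { $_.Name -ne "Set-User" -and $_.Name -notlike "Get-*" }
if ($unexpected) {
    $names = $unexpected | ForEach-Object { $_.Name }
    Write-Warning ("Unexpected role entries: " + ($names -join ", "))
}

# Verification: Set-User must expose only the allowed parameters.
$setUser = Get-ManagementRoleEntry "$roleName\Set-User"
$extra   = $setUser.Parameters | Where-Object { $allowedParams -notcontains $_ }
if ($extra) {
    Write-Warning ("Set-User exposes parameters beyond the intended list: " + ($extra -join ", "))
} else {
    Write-Host ("Set-User is limited to: " + ($setUser.Parameters -join ", "))
}

# Verification: both assignments exist for the group.
Get-ManagementRoleAssignment -RoleAssignee $groupName |
    Select-Object Name, Role, RoleAssigneeType |
    Format-Table -AutoSize
```

The two warnings are the point of the script: if either fires, the group holds write access that the post's design does not intend, and the role should be corrected before the managers are added to the group.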

Last updated  July 1, 2014 by Steven Jordan

References:

http://www.networksteve.com/exchange/topic.php/Help_Desk_Role/?TopicId=4086&Posts=5

http://social.technet.microsoft.com/Forums/exchange/en-US/b491efb9-093d-4236-89a0-307041284765/how-to-allow-users-to-edit-title-and-department-in-ecpowa

*Additional organizational attributes:
http://technet.microsoft.com/en-us/library/ee617215.aspx



2 Comments

  1. I did this and it works great, however, do you know how I could remove the "Mail Control" and "Phone and Voice" options as well?

    In addition, is it possible to remove the "Distribution Groups" and "External Contacts" tabs?

    Lastly, is it possible to restrict which users they can update?

    1. Hi Jeff,

      We can't do much about the Mail Control/Phone & Voice buttons. However, we made sure to remove unnecessary management roles. Assigned users can see the buttons but they cannot perform administrative tasks (e.g., search for others' email reports).

      The same goes for distribution groups and external contacts. We can hide and restrict delivery for either object from its properties within the Exchange management GUI.

      We have more flexibility in regard to restricting which users our role group manages. We can restrict by setting the management scope for our new group. For example, change the recipient restriction filter for all users that live in Milwaukee:

      Set-ManagementScope "ECP_OWA-User_Fields" -RecipientRestrictionFilter { City -Eq "Milwaukee" -And RecipientType -Eq "UserMailbox" }

      Alternately, change the scope to only allow administrative access for a specific OU:

      Set-ManagementScope "ECP_OWA-User_Fields" -ServerRestrictionFilter { ServerSite -Eq "Madison,CN=Sites,CN=Configuration,DC=stevenjordan,DC=net" }

      We can accomplish something similar by editing the management role:

      Set-ManagementRoleAssignment "Edit-User-Title-Dept" -RecipientOrganizationalUnitScope "stevenjordan.net/Wisconsin/GB/Users"

      N.B.: Any custom scopes on the role assignment are overwritten by the Set-ManagementRoleAssignment command.


      http://technet.microsoft.com/en-us/library/dd297996%28v=exchg.150%29.aspx

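As an added example that is not part of the original reply: the recipient-scope approach described above, carried through from scratch. The post never creates a management scope named after the group, so a scope is created first with New-ManagementScope, attached to the "Edit-User-Title-Dept" assignment from the post, and then the effective write access is checked from the recipient's side. The scope name, the filter values and the sample aliases are assumptions; run it from the Exchange Management Shell as an Organization Management member:

```powershell
# Added example (not from the original post or reply): restrict the post's role assignment
# to a subset of recipients and verify what the group can actually write to.

$assignmentName = "Edit-User-Title-Dept"
$scopeName      = "Milwaukee-Mailboxes"   # assumed name for the new custom scope
$filter         = "City -eq 'Milwaukee' -and RecipientType -eq 'UserMailbox'"

# Preview which recipients the filter matches before it becomes a write boundary.
Write-Host "Recipients that would be in scope:"
Get-Recipient -RecipientPreviewFilter $filter |
    Select-Object Name, City, RecipientType |
    Format-Table -AutoSize

# Create the custom recipient scope (skipped if it already exists).
if (-not (Get-ManagementScope $scopeName -ErrorAction SilentlyContinue)) {
    New-ManagementScope -Name $scopeName -RecipientRestrictionFilter $filter | Out-Null
}

# Attach the scope to the existing assignment. A custom recipient scope and an OU scope
# are alternatives on the same assignment: setting one replaces the other (the N.B. above).
Set-ManagementRoleAssignment -Identity $assignmentName -CustomRecipientWriteScope $scopeName

# Verification 1: the assignment now carries the scope.
Get-ManagementRoleAssignment -Identity $assignmentName |
    Select-Object Name, Role, RoleAssignee, RecipientWriteScope, CustomRecipientWriteScope |
    Format-List

# Verification 2: from the recipient's side, list who can write to a given mailbox through
# this assignment. The aliases are placeholders; substitute real ones.
$inScopeUser    = "someone.in.milwaukee"   # placeholder: expected to be writable
$outOfScopeUser = "someone.in.madison"     # placeholder: expected NOT to be writable
foreach ($u in @($inScopeUser, $outOfScopeUser)) {
    $hits = Get-ManagementRoleAssignment -WritableRecipient $u -GetEffectiveUsers -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -eq $assignmentName }
    if ($hits) {
        $who = $hits | ForEach-Object { $_.EffectiveUserName } | Sort-Object -Unique
        Write-Host ("{0}: writable via {1} by {2}" -f $u, $assignmentName, ($who -join ", "))
    } else {
        Write-Host ("{0}: NOT writable via {1}" -f $u, $assignmentName)
    }
}
```

The second verification is the one worth keeping as a recurring check: it answers the question from the recipient's point of view, so a scope that silently widened (for example, a filter edited later) shows up as an unexpected "writable" line for a mailbox outside the intended set.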