How to Edit AD User Fields with ECP / OWA.
Summary: How to create a management role for ECP / OWA. The role gives designated users the tool and privileges to change AD users' Identity, Title, Department, Company, and Manager fields.
Issue: A manager requests the ability to edit additional user fields from the OWA / ECP site. The request includes the Identity, Title, Department, Company, and Manager fields.
Background: The manager is currently assigned to the Help Desk role group that allows basic address changes to staff contact information within AD; changes to additional fields are not permitted.
Limitation: Exchange 2010 ECP provides built-in management roles. Editing extended role attributes is only possible with PowerShell.
Solution:
Create AD Security Group:
- Create a new security group in AD (e.g. ECP_OWA-User_Fields). Group members will have permission to edit all users' organization fields.
Create New Management Role:
- Create a new management role based on Mail Recipients:
New-ManagementRole -Name "Mail Recipients Extended" -Parent "Mail Recipients"
- Remove unnecessary management role entries (everything except Set-User):
Get-ManagementRoleEntry "Mail Recipients Extended\*" | where { $_.Name -ne "Set-User" } | Remove-ManagementRoleEntry
- Provide extended organization attributes (additional users' organization fields)*:
Set-ManagementRoleEntry "Mail Recipients Extended\Set-User" -Parameters Identity,Title,Department,Company,Manager
- Add the Get-* entries from the Exchange Mail Recipients role to the new role:
Get-ManagementRoleEntry "Mail Recipients\Get-*" | Add-ManagementRoleEntry -Role "Mail Recipients Extended"
Create New Management Role Assignment:
- Assign role to group:
New-ManagementRoleAssignment -Name "Edit-User-Title-Dept" -Role "Mail Recipients Extended" -SecurityGroup "ECP_OWA-User_Fields"
- Assign View-Only Recipients to group:
New-ManagementRoleAssignment -Role "View-Only Recipients" -SecurityGroup "ECP_OWA-User_Fields"
- Add the managers' user accounts to the new security group in AD.
Implementation allows managers (or help desk) to view and edit the organization fields for all AD users.
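One way to verify the result, as an added example that is not part of the original article: run in the Exchange Management Shell, it checks that the new role exposes only Set-User (with exactly the five parameters) plus Get-* cmdlets, and lists who holds the role and with what write scope. It uses the role, group and parameter names from the steps above; the variable names are this example's own.

```powershell
# Added example: audit the custom RBAC role created by the steps above.
$role     = 'Mail Recipients Extended'
$group    = 'ECP_OWA-User_Fields'
$expected = 'Identity','Title','Department','Company','Manager'

# 1. Every entry other than Set-User should be a read-only Get-* cmdlet.
$entries = @(Get-ManagementRoleEntry "$role\*")
$entries | Where-Object { $_.Name -notlike 'Get-*' -and $_.Name -ne 'Set-User' } |
    ForEach-Object { Write-Warning "Unexpected non-Get entry in role: $($_.Name)" }

# 2. Set-User must expose exactly the five intended parameters, no more.
$setUser = $entries | Where-Object { $_.Name -eq 'Set-User' }
if (-not $setUser) {
    Write-Warning "Set-User entry is missing from '$role'"
} else {
    $drift = Compare-Object -ReferenceObject $expected `
                            -DifferenceObject @($setUser.Parameters)
    foreach ($d in $drift) {
        # '=>' = present in the role but not expected; '<=' = expected but absent
        if ($d.SideIndicator -eq '=>') {
            Write-Warning "Extra Set-User parameter allowed: $($d.InputObject)"
        } else {
            Write-Warning "Expected Set-User parameter missing: $($d.InputObject)"
        }
    }
    if (-not $drift) { Write-Output 'Set-User parameters match the intended list.' }
}

# 3. The role should be assigned only to the dedicated security group.
#    The assignment above sets no custom write scope, so the scope columns
#    show that members can change these fields on every recipient.
$assignments = @(Get-ManagementRoleAssignment -Role $role)
$assignments |
    Format-Table Name, RoleAssigneeName, RoleAssigneeType,
                 RecipientWriteScope, CustomRecipientWriteScope -AutoSize
$assignments | Where-Object { $_.RoleAssigneeName -ne $group } |
    ForEach-Object { Write-Warning "Role also assigned to: $($_.RoleAssigneeName)" }

# 4. Resolve group membership to the accounts that actually hold the role.
Get-ManagementRoleAssignment -Role $role -GetEffectiveUsers |
    Select-Object EffectiveUserName, RoleAssigneeName -Unique
```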
Last updated July 1, 2014 by Steven Jordan
References:
http://www.networksteve.com/exchange/topic.php/Help_Desk_Role/?TopicId=4086&Posts=5
http://social.technet.microsoft.com/Forums/exchange/en-US/b491efb9-093d-4236-89a0-307041284765/how-to-allow-users-to-edit-title-and-department-in-ecpowa
*Additional organizational attributes:
http://technet.microsoft.com/en-us/library/ee617215.aspx