How to Edit AD User Fields with ECP / OWA.

Summary:  How to create a custom management role so that a delegated group can edit user fields from ECP / OWA.  Members of the group are able to change the Title, Department, Company, and Manager fields on AD users (Identity is the Set-User parameter that selects the user, so it must be allowed as well).

Issue:  A manager has requested the ability to edit additional user fields from the OWA / ECP site: Identity, Title, Department, Company, and Manager.

Background:  The manager is currently a member of the Help Desk role group, which allows basic changes to staff contact information (addresses) in AD; changes to other fields are not permitted.

Limitation:  Exchange 2010 ECP exposes only the built-in management roles.  Creating a custom role and restricting the parameters of its role entries is only possible from the Exchange Management Shell (PowerShell).


     Create AD Security Group:

  1. Create a new security group in AD (e.g.  ECP_OWA-User_Fields).  Group members will have permission to edit all users' organization fields.
     Create New Management Role:
  1. Create new management role based on Mail Recipients:

          New-ManagementRole -name "Mail Recipients Extended" -Parent "Mail Recipients"
  2. Remove every role entry except Set-User (the child role starts as a copy of all the parent's entries):

         Get-ManagementRoleEntry "Mail Recipients Extended\*" | where { $_.Name -ne "Set-User"} | Remove-ManagementRoleEntry
  3. Restrict Set-User to the organization attributes (additional users' organization fields)*.  Without -AddParameter or -RemoveParameter, -Parameters replaces the entry's parameter list, so these become the only parameters the role can pass to Set-User:

         Set-ManagementRoleEntry "Mail Recipients Extended\Set-User" -Parameters Identity,Title,Department,Company,Manager

  4. Add the parent role's Get-* entries back, since ECP must read and display a recipient before Set-User can modify it:

         Get-managementRoleEntry "Mail Recipients\Get-*" | Add-ManagementRoleEntry -Role "Mail Recipients Extended"
     Create New Management Role Assignment:
  1. Assign role to group:

         New-ManagementRoleAssignment -Name "Edit-User-Title-Dept" -Role "Mail Recipients Extended" -SecurityGroup "ECP_OWA-User_Fields"
  2. Assign View-Only Recipients to the group, so members can browse recipients in ECP:

         New-ManagementRoleAssignment -Role "View-Only Recipients" -SecurityGroup "ECP_OWA-User_Fields"
  3. Assign managers' user accounts to new security group membership in AD.

Implementation allows members of the group (managers or help desk) to view recipients and edit the Title, Department, Company, and Manager fields of every user in the Exchange organization: the assignment inherits the role's implicit organization-wide write scope.  If that is broader than wanted, create a management scope (New-ManagementScope with -RecipientRoot and/or -RecipientRestrictionFilter) and pass it to New-ManagementRoleAssignment as -CustomRecipientWriteScope.
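The procedure above as a single Exchange Management Shell script, added here as an example and not part of the original post.  It adds two things a practitioner would want before handing the group to managers: a management scope so the assignment cannot write to every recipient in the organization, and a verification step that checks the role ended up no broader than intended.  The group name ECP_OWA-User_Fields is the one the post uses; the OU path contoso.com/Staff and the scope name are assumptions.

```powershell
# Added example (not from the original post): the whole procedure as one Exchange 2010
# Management Shell script, plus a recipient write scope and a verification step.
# Run as a member of Organization Management. ASSUMED values: $OuPath and $ScopeName.

$RoleName  = "Mail Recipients Extended"
$GroupName = "ECP_OWA-User_Fields"      # AD security group, created beforehand
$OuPath    = "contoso.com/Staff"        # ASSUMPTION: only recipients under this OU may be edited
$ScopeName = "Staff OU Recipients"      # ASSUMPTION
$Allowed   = "Identity","Title","Department","Company","Manager"

# 1. Child role: starts as a full copy of the parent's role entries. Skip if it already exists.
if (-not (Get-ManagementRole $RoleName -ErrorAction SilentlyContinue)) {
    New-ManagementRole -Name $RoleName -Parent "Mail Recipients" | Out-Null
}

# 2. Drop every entry except Set-User. -Confirm:$false avoids one prompt per removed entry.
Get-ManagementRoleEntry "$RoleName\*" |
    Where-Object { $_.Name -ne "Set-User" } |
    Remove-ManagementRoleEntry -Confirm:$false

# 3. Without -AddParameter/-RemoveParameter, -Parameters REPLACES the list, so Set-User in this
#    role can pass only these five parameters (a subset of the parent's, as RBAC requires).
Set-ManagementRoleEntry "$RoleName\Set-User" -Parameters $Allowed

# 4. ECP reads the recipient with Get-* before it can call Set-User; copy those back from the parent.
Get-ManagementRoleEntry "Mail Recipients\Get-*" | Add-ManagementRoleEntry -Role $RoleName

# 5. Least privilege: a recipient write scope limited to one OU. Without it the assignment
#    inherits the role's implicit write scope, which is the whole organization.
if (-not (Get-ManagementScope $ScopeName -ErrorAction SilentlyContinue)) {
    New-ManagementScope -Name $ScopeName -RecipientRoot $OuPath `
        -RecipientRestrictionFilter { RecipientType -eq "UserMailbox" } | Out-Null
}

# 6. Assign the scoped role. View-Only Recipients is all Get-* cmdlets; a custom write scope
#    does not narrow reads (read scope stays implicit), so it is assigned exactly as in the post.
New-ManagementRoleAssignment -Name "Edit-User-Title-Dept" -Role $RoleName `
    -SecurityGroup $GroupName -CustomRecipientWriteScope $ScopeName | Out-Null
New-ManagementRoleAssignment -Role "View-Only Recipients" -SecurityGroup $GroupName | Out-Null

# 7. Verify before adding anyone to the group: the only non-Get entry is Set-User, its
#    parameter list is exactly $Allowed, and the assignment carries the custom write scope.
$writeEntries = Get-ManagementRoleEntry "$RoleName\*" |
    Where-Object { $_.Name -notlike "Get-*" -and $_.Name -ne "Set-User" }
$extraParams  = (Get-ManagementRoleEntry "$RoleName\Set-User").Parameters |
    Where-Object { $Allowed -notcontains $_ }
$unscoped     = Get-ManagementRoleAssignment -Role $RoleName -RoleAssignee $GroupName |
    Where-Object { "$($_.CustomRecipientWriteScope)" -ne $ScopeName }

if ($writeEntries -or $extraParams -or $unscoped) {
    Write-Warning "Role or assignment is broader than intended; fix it before adding members."
} else {
    Write-Output "$RoleName grants Set-User ($($Allowed -join ', ')) on $OuPath only."
}
```

The script is written for the PowerShell 2.0 host that Exchange 2010 ships with (no -notin operator).  If the scope is not wanted, drop step 5 and the -CustomRecipientWriteScope argument and the result is exactly the post's procedure, still with the parameter check in step 7.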

Last updated  July 1, 2014 by Steven Jordan


*Additional organizational attributes:

Distribution Group Management via Outlook Web App

Outlook Web App distribution group management is a handy tool built into Exchange 2010.  The primary benefit is that end users can create and self-manage distribution groups.  This tool can also give the help desk a way to assist end users without direct access to the email server.

To enable the service, first log on to Outlook Web App with an account that has Exchange administrative rights (a member of Organization Management).

1.  Enable “My Distribution Groups” for the default Role Assignment Policy.

Outlook Web App → Options → See All Options → Manage My Organization → Roles & Auditing → User Roles → Default Role Assignment Policy

·  This allows users to create distribution groups, and to manage the groups they own, from their Outlook Web App sessions.
    o  Additional group owners may be assigned by current group owners.

·  Users may search public groups and request permission from the group owners to join.
    o  A group's join and leave restrictions can be changed to allow members to join or leave without approval.

2.  To assign management of groups to specific users:

Outlook Web App → Options → See All Options → Manage My Organization → Users & Groups → Distribution Groups

·  Edit a specific group to change its ownership, membership, join/leave approvals, etc.

3.  When logged on to Outlook Web App as a non-admin user account, the Public Groups options will be available:
·  Edit public groups owned by the user.
·  View the groups the user belongs to, and leave a group.
·  Search groups and request permission to join distribution groups.
·  Sue, Bob, Ned, or whoever else, can all manage their own groups with this tool.
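The same configuration from the Exchange Management Shell, added here as an example and not part of the original post.  It enables My Distribution Groups on the default policy (what the checkbox in step 1 does), delegates one group's ownership and join/leave restrictions (step 2), and finishes with an audit of groups anyone can join without approval.  It also shows the narrower MyDistributionGroupMembership role for organizations that want users to join and leave groups without being able to create new ones.  The group Project-X and the owner bob@contoso.com are assumptions.

```powershell
# Added example (not from the original post). Run in the Exchange 2010 Management Shell.
# ASSUMPTIONS: the group "Project-X" and the owner "bob@contoso.com" are illustrative.

$Policy = "Default Role Assignment Policy"

# 1. Let every user create distribution groups and manage the ones they own.
if (-not (Get-ManagementRoleAssignment -RoleAssignee $Policy -Role "MyDistributionGroups" `
          -ErrorAction SilentlyContinue)) {
    New-ManagementRoleAssignment -Role "MyDistributionGroups" -Policy $Policy | Out-Null
}
#    Narrower alternative: users may join and leave groups but cannot create any. Assign this
#    INSTEAD of MyDistributionGroups if group creation should stay with the help desk:
# New-ManagementRoleAssignment -Role "MyDistributionGroupMembership" -Policy $Policy

# 2. Delegate one group: who owns it and how members join and leave.
#    MemberJoinRestriction:   Open (self-service), Closed (owners add), ApprovalRequired (owner approves)
#    MemberDepartRestriction: Open (members may leave) or Closed (owners remove)
#    BypassSecurityGroupManagerCheck: the admin running this is not itself an owner of the group
Set-DistributionGroup -Identity "Project-X" -ManagedBy "bob@contoso.com" `
    -MemberJoinRestriction ApprovalRequired -MemberDepartRestriction Open `
    -BypassSecurityGroupManagerCheck

# 3. Verify what end users were just given, and how the group is now set.
Get-ManagementRoleAssignment -RoleAssignee $Policy | Format-Table Role, RoleAssigneeType -AutoSize
Get-DistributionGroup "Project-X" | Format-List ManagedBy, MemberJoinRestriction, MemberDepartRestriction

# 4. Audit: groups anyone can join with no approval. Review these if any group is used for
#    mail-flow rules or as a security principal, since self-service join then grants that access.
Get-DistributionGroup -ResultSize Unlimited |
    Where-Object { $_.MemberJoinRestriction -eq "Open" } |
    Select-Object Name, ManagedBy
```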

Managed Service Accounts

A common issue that pops up is deciding which service account to use for a specific application or service.  What is the best practice for creating and using service accounts to run Windows services and applications?

Microsoft addressed this with the Managed Service Account (MSA), introduced in Windows Server 2008 R2.  An MSA is a domain account whose password is generated and rotated automatically by AD (nobody knows or types it), which cannot be used for interactive logon, and which is bound to a single computer.  Services that must run under the same account on several hosts need the group Managed Service Account (gMSA) added in Windows Server 2012.

     1.  Create the MSA in AD using the AD module for PowerShell (ActiveDirectory module, run from a domain-joined admin workstation or a DC):

          New-ADServiceAccount -Name [MSA account name] -Enabled $true

   2. Associate the MSA with a computer (a standalone MSA can be bound to only one computer account):

          Add-ADComputerServiceAccount -Identity [AD Computer Account] -ServiceAccount [MSA account name]

     3.  Install the MSA on the associated computer:

          Install-ADServiceAccount -Identity [MSA Account]

     4.   Associate the new MSA with the service.

          Services.MSC → Edit Service Properties
           → Edit "Log On" Tab.

     * Use the domain\MSAname$ format (the account name ends with a dollar sign).
     * Do not enter a password; the computer retrieves the AD-managed password itself.
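The four steps above as PowerShell, added here as an example and not part of the original post.  It adds the checks a practitioner wants: a version guard so the Server 2012+ AD module creates a standalone MSA rather than a gMSA, and Test-ADServiceAccount on the target computer before the service is touched.  The account name svc-appA, the computer APP01 and the service AppA are assumptions, and the final step uses Win32_Service.Change as an assumed equivalent of the Services console Log On tab.

```powershell
# Added example (not from the original post). Two halves: steps 1-2 run from an admin
# workstation or DC, steps 3-6 run elevated ON the target computer (it needs the AD module too).
# ASSUMPTIONS: account "svc-appA", computer "APP01", service "AppA".
Import-Module ActiveDirectory

$Msa      = "svc-appA"
$Computer = "APP01"
$Service  = "AppA"

# ---- On the admin workstation ----
# 1. Create the MSA. On the Server 2012+ module New-ADServiceAccount creates a group MSA by
#    default (and then demands -DNSHostName); -RestrictToSingleComputer gives the standalone
#    MSA the post describes. The 2008 R2 module has no such switch, hence the guard.
$params = @{ Name = $Msa; Enabled = $true }
if ((Get-Command New-ADServiceAccount).Parameters.ContainsKey("RestrictToSingleComputer")) {
    $params.RestrictToSingleComputer = $true
}
New-ADServiceAccount @params

# 2. Bind it to exactly one computer. A standalone MSA cannot be shared between hosts.
Add-ADComputerServiceAccount -Identity $Computer -ServiceAccount $Msa

# ---- On the target computer ($Computer), elevated ----
# 3. Install locally: the machine retrieves the AD-managed password and stores it in its LSA store.
Install-ADServiceAccount -Identity $Msa

# 4. Verify before touching any service: $true only if THIS computer can use the MSA.
if (-not (Test-ADServiceAccount -Identity $Msa)) {
    throw "$Msa is not usable on $env:COMPUTERNAME; check the binding in step 2 and the install in step 3."
}

# 5. Confirm the binding from the directory side (the back-link populated by step 2).
(Get-ADServiceAccount -Identity $Msa -Properties HostComputers).HostComputers

# 6. Point the service at the MSA. Account is DOMAIN\name$ (trailing $). The password is an EMPTY
#    string, not $null: to Win32_Service.Change, $null means "leave unchanged". ASSUMPTION: this is
#    taken as equivalent to the Services console Log On tab step; that console step is the documented path.
$account = "$env:USERDOMAIN\$Msa`$"
$svc = Get-WmiObject Win32_Service -Filter "Name='$Service'"
$rc  = $svc.Change($null, $null, $null, $null, $null, $null, $account, "")
if ($rc.ReturnValue -ne 0) { throw "Win32_Service.Change failed with code $($rc.ReturnValue)" }
Restart-Service -Name $Service
Write-Output "$Service now runs as $account; AD rotates its password without any operator involvement."
```

Test-ADServiceAccount is the step worth keeping even if the rest is done by hand: a service configured for an MSA that the computer cannot retrieve simply fails to start, and the error in the System log says nothing about the missing Install-ADServiceAccount.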