Update 21-11-2013: If you want the additional contact fields to be edited then please review this post.
I had an interesting question the other week about solving a business challenge a customer had with regards to delegating the creation of contact objects in Active Directory. In their previous messaging system users were managing their own external distribution groups, adding and removing external people, and they wanted to do the same in Exchange 2010.
A default Exchange 2010 installation does not grant these capabilities, so we have to do a little configuration. Role Based Access Control (RBAC) was introduced by Microsoft in Exchange 2010 and is used to control access to the messaging environment.
I thought that this would be worth sharing so that the solution is published and the logic of creating the custom RBAC role is discussed.
We will need to permit:
Exchange 2010 does not allow a user to manage groups that they own by default. All of the necessary plumbing is present; you just have to enable the feature. This is explained in detail here. A couple of things to note:
As noted above to manage groups that they own, assign MyDistributionGroups to the appropriate Role Assignment Policy. In the below example the Default Role Assignment Policy was changed to enable this. Note that this will allow users to also create new Distribution Groups, so I’ll cover that in a separate blog. Also you may not want to change the Default Role Assignment Policy in your environment. You can have multiple Role Assignment Policies and different groups of mailboxes can have a Role Assignment Policy that maps to their business needs.
Well, that's the easy part done!
So let's create an RBAC Role, and for the purposes of this test do a direct role assignment to one user account, though this can easily be a group and that would be the recommended methodology.
End users cannot create contacts in AD by default, but we can change the default RBAC to allow this. The trick is to assign just the minimum permissions possible. RBAC is aware of the permissions that have been assigned to a person, and will change the display to reflect the assigned permissions. If you do not have access to do something, then you will not see that option.
Where to start? We need to know which role contains the cmdlet that we want to leverage. In this case we want the New-MailContact cmdlet, and to see in which roles it is present we can use Get-ManagementRole with the -Cmdlet parameter:
Get-ManagementRole -Cmdlet New-MailContact
We can see that the Mail Recipient Creation contains the cmdlet that we need. It also contains a bunch of other cmdlets that would grant too many capabilities. A full listing is shown below for reference.
Get-ManagementRoleEntry -Identity "Mail Recipient Creation\*"
The built-in roles are read-only and cannot be changed, so we cannot remove any cmdlets from them. What we can, and will, do is create a writable copy and make the necessary changes to our copied Management Role.
To create a new role called AD-Contact-Editors based off the built-in "Mail Recipient Creation" role:
New-ManagementRole -Name AD-Contact-Editors -Parent "Mail Recipient Creation"
Right now, our newly created AD-Contact-Editors role is a mirror copy of the original parent role. Thus it has all the cmdlets and parameters the parent has. Now we need to strip all of the unwanted cmdlets from our new role. Ultimately we want to leave in the bare minimum.
You could strip each cmdlet out one at a time. For this exercise it will be easier to remove all but one and then add a couple back in. We cannot remove all of the role entries, which is why we leave one behind. Let’s leave just Get-MailContact in the role. To remove the role entries, we shall pass the unwanted cmdlets through to Remove-ManagementRoleEntry. So all cmdlets that are not Get-MailContact will be removed.
Top Tip:
Always check the objects that are returned prior to piping to the remove cmdlet.
So in this case we would run
Get-ManagementRoleEntry -Identity AD-Contact-Editors\* | Where-Object {$_.Name -ne 'Get-MailContact'}
Only when we are happy with what is returned should we run:
Get-ManagementRoleEntry -Identity AD-Contact-Editors\* | Where-Object {$_.Name -ne 'Get-MailContact'} | Remove-ManagementRoleEntry
If we check to see what’s now in the AD-Contact-Editors Management Role, it only contains the Get-MailContact cmdlet.
Get-ManagementRoleEntry -Identity AD-Contact-Editors\*
Let's add back New-MailContact using Add-ManagementRoleEntry:
Add-ManagementRoleEntry -Identity "AD-Contact-Editors\New-MailContact"
If we try to test this in ECP, we only have the capabilities to manage ourselves at this point, so we need to add a couple more cmdlets back in. We need to add:
Add-ManagementRoleEntry -Identity "AD-Contact-Editors\Remove-MailContact"
Add-ManagementRoleEntry -Identity "AD-Contact-Editors\Get-Recipient"
This should give you a management role that looks like this:
Get-ManagementRoleEntry -Identity "AD-Contact-Editors\*"
In case you are wondering why we have not added Set-MailContact to our custom role, there is a very good reason. Custom Management Roles can only contain cmdlets and parameters that exist in their parent role. If you check the original contents of the parent role listed above, there is no Set-MailContact cmdlet in it, thus we can never add it to this role.
Assign the new role to a user. User-10 will be our fluffy and cute guinea pig.
New-ManagementRoleAssignment -Role AD-Contact-Editors -User User-10
To check that the Management Role was correctly assigned, we could run:
Get-ManagementRoleAssignment -Role AD-Contact-Editors
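The steps above as one re-runnable Exchange Management Shell script, added here as an example and not code from the original post: it checks every wanted cmdlet against the parent role before copying (the check that explains why Set-MailContact cannot be added), previews the entries before removing them, compares the finished role against the intended set, and shows the assignment's write scope. The $Wanted list, the variable names and the -Confirm:$false switch are my assumptions.

```powershell
# Added example (not from the original post). Run in the Exchange 2010 Management
# Shell with rights to manage RBAC. Written to work on PowerShell 2.0.
$ParentRole = 'Mail Recipient Creation'
$RoleName   = 'AD-Contact-Editors'
$Assignee   = 'User-10'                     # test user from the post
$Wanted     = 'Get-MailContact', 'New-MailContact', 'Remove-MailContact', 'Get-Recipient'

# 1. A custom role can only hold entries present in its parent, so fail early if
#    any wanted cmdlet is missing there (Set-MailContact would fail this check).
$ParentEntries = Get-ManagementRoleEntry -Identity "$ParentRole\*" | ForEach-Object { $_.Name }
$Missing = $Wanted | Where-Object { $ParentEntries -notcontains $_ }
if ($Missing) { throw "Not in parent role '$ParentRole': $($Missing -join ', ')" }

# 2. Create the writable copy, skipping creation if it already exists.
if (-not (Get-ManagementRole -Identity $RoleName -ErrorAction SilentlyContinue)) {
    New-ManagementRole -Name $RoleName -Parent $ParentRole | Out-Null
}

# 3. Preview what will be removed (the post's Top Tip), then remove everything
#    except the wanted entries. Get-MailContact stays, so the role is never emptied.
$ToRemove = Get-ManagementRoleEntry -Identity "$RoleName\*" |
            Where-Object { $Wanted -notcontains $_.Name }
$ToRemove | Format-Table Name -AutoSize
$ToRemove | Remove-ManagementRoleEntry -Confirm:$false

# 4. Add back any wanted entry the copy does not have yet.
$Current = Get-ManagementRoleEntry -Identity "$RoleName\*" | ForEach-Object { $_.Name }
$Wanted | Where-Object { $Current -notcontains $_ } |
    ForEach-Object { Add-ManagementRoleEntry -Identity "$RoleName\$_" }

# 5. Verify: the role must contain exactly the wanted set, nothing more.
$Final = Get-ManagementRoleEntry -Identity "$RoleName\*" | ForEach-Object { $_.Name } | Sort-Object
$Diff  = Compare-Object -ReferenceObject ($Wanted | Sort-Object) -DifferenceObject $Final
if ($Diff) { $Diff | Format-Table; throw "Role '$RoleName' does not match the intended entry set" }

# 6. Assign the role and show the write scope. With no custom scope the assignee
#    can act on every mail contact in the organisation, as the post points out.
if (-not (Get-ManagementRoleAssignment -Role $RoleName -RoleAssignee $Assignee -ErrorAction SilentlyContinue)) {
    New-ManagementRoleAssignment -Role $RoleName -User $Assignee | Out-Null
}
Get-ManagementRoleAssignment -Role $RoleName |
    Format-Table Name, RoleAssignee, RecipientWriteScope -AutoSize
```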
Time to test!
Probably the most important portion is testing and validation, and is often overlooked.
Test, test and test like you mean it.
You can allow your end users to use PowerShell to create and edit the contacts, though I suspect the admin assistants who want to use PowerShell will be few and far between....
Chances are they will like the nice graphical ECP interface, so let’s focus on that.
Below is what our test user (User-10) sees in ECP. Note this is the Manage My Organization view. All they can see is the External Contacts tab.
In their Groups ECP view they see:
And they can add the contacts to the DG:
Outlook also will show the correct directory information. This is how Outlook 2010 sees the DG:
RBAC in Exchange 2010 allows for a lot of great customisation to the default built-in roles. For many customers the default roles will work fine, and if not they can be easily customised.
Users that you grant these permissions to will be able to manage/edit/delete all the contacts in the organisation.
This blog shows the basic framework for editing and customising RBAC. By following the same process of identifying the role you need to work with, copying it and then customising the copied role you can provide a tailored solution to meet your organisation’s needs.
This will allow a basic mail-enabled contact to be created. If you want the additional contact fields to be edited then please see this post.
Cheers,
Rhoderick
If you would like to have Microsoft Premier Field Engineering (PFE) visit your company and assist with the topic(s) presented in this blog post, then please contact your Microsoft Premier Technical Account Manager (TAM) for more information on scheduling and our varied offerings!
If you are not currently benefiting from Microsoft Premier support and you’d like more information about Premier, please email the appropriate contact below, and tell them you how you got introduced!
US
Canada
For all other areas please use the US contact point.
Could add more points on get - windows features
Hi Guowen - was this the blog you intended to comment on?
Get-window feature does not "feature" here at all.
cheers,
Dude, you're the man!!! This helped me a lot.
Well, after testing that I can only:
1. I can only create a contact
2. I cannot add a phone # to it
3. I cannot go back to edit it
What other permissions do I need to add to be able to do this? Looks like I'm almost there.
Hi Marc,
I'll bet that this is because Set-MailContact is not within the ManagementRoleEntry.
Add that badboy back in and let us know how you get on please. That was not what the customer who asked for this originally wanted, but we should be able to accommodate your request too :)
I tried to add it back in but I get this error:
[PS] C:\Windows\system32>Add-ManagementRoleEntry -Identity "AD-Contact-Editors\Set-Recipient"
The "Set-Recipient" management role entry wasn't found on the "Mail Recipient Creation" management role. Make sure you
typed it correctly, and try again
+ CategoryInfo : NotSpecified: (0:Int32) [Add-ManagementRoleEntry], ManagementObjectNotFoundException
+ FullyQualifiedErrorId : 3961CEC7,Microsoft.Exchange.Management.RbacTasks.AddManagementRoleEntry
I tried Set-MailContact; it errored out the same way.
Hey Marc, that would be expected as it is not in the parent role; there should be a note in the above about that. I thought you had a separate role assignment with that.
Let me grab the exact syntax for you.
Marc - this post will go live tomorrow morning just after 09:00 EST:
blogs.technet.com/.../creating-rbac-role-to-delegate-editing-contacts.aspx
Try that out and let me know how you get on please!
Marc - did that work for you?
Hi, any chance the user can modify the contact? He can add or delete, but not modify. Thanks, Yuan
Yuan, did you read this one? http://blogs.technet.com/b/rmilne/archive/2013/11/21/creating-rbac-role-to-delegate-editing-contacts.aspx. Cheers, Rhoderick
Thanks, it worked.
Groovy! Do let me know if there are other good RBAC scenarios that you need covered. Cheers, Rhoderick
Hi Rhoderick, must say nice blog... but I do have a different scenario here. I want to create an RBAC role for a set of users where they should have permissions to run cmdlets, but only specific cmdlets. For example, if I say they should be able to run 2-3 specific cmdlets through EMS to do the changes. Is there any way to configure RBAC where we can allow specific cmdlets and restrict others? Please suggest. Thanks in advance!!!! Cheers, Abi