how to allow users to edit Title and Department in ECP/OWA?

  • Question

  • By default users seem to be able to edit their contact info (phone and fax and address).  How can we set it up so users are allowed to also edit their Title and Department?  I couldn't find anything on this in the RBAC documentation...

    thanks!
    Wes
    Sunday, January 31, 2010 7:43 PM

All replies

  • Hi Wes,

    In Exchange 2010, the new Role Based Access Control and the Exchange Control Panel allow IT admins to move specific self-service tasks to end users, who carry out these tasks in the Exchange Control Panel web UI. The self-service tasks are things like distribution group management and being able to update attributes like a user's Title or Department.

    Permissions Model

    Exchange 2010 extends the access control entry (ACE)-based permission model Microsoft offers with Exchange 2007 to include a new authorization layer using role-based access control (RBAC). RBAC lets you define broad or precise permissions based on the roles of administrators and special end users. This means that you can define your permissions model in Exchange 2010 to match an organizational model without increasing complexity. The default role groups in Exchange 2010 should actually be sufficient for most enterprises, although you can create custom role groups if you like.

    Said another way, RBAC now controls operational administrative and special user tasks and the extent to which users can self-administer their mailboxes, distribution groups and so forth.

    http://technet.microsoft.com/en-us/library/bb232078.aspx

    http://technet.microsoft.com/en-us/magazinebeta/ee835720.aspx


    Sachin Shetty | MCP | MCTS | MCITP | Please remember to mark the replies as answers and vote as helpful if they help, and unmark them if they provide no help. Thank you in advance.
    Sunday, January 31, 2010 8:39 PM
  • Hi Sachin, I understand that RBAC will likely be what I use to enable this - but my question is how to do so...  I don't see anything in the links that you provided that sheds light on this...  Please let me know if I missed it somehow...

    thanks,
    Wes
    Sunday, January 31, 2010 8:44 PM
  • bizzump - anyone know how to do this?
    Tuesday, February 2, 2010 10:46 PM
  • Hi-

    I haven't tried this but if you can do it, I think you need to add the -Title and -Department parameters (via Management Role Entries) to the MyPersonalInformation or MyProfileInformation Management Roles. Let me know how it goes - I can try and mess around with it if need be. I'm just going off the top of my head here so this might all be fiction.
    Active Directory, 4th Edition - www.briandesmond.com/ad4/
    Wednesday, February 3, 2010 12:26 AM
  • I am trying to add the Title and Office parameters to MyContactInformation but I get:

    "The precanned management role "MyContactInformation" can't be modified"


    The cmdlet I used was: Set-ManagementRoleEntry "MyContactInformation\Set-User" -Parameters Title, Office, Type -AddParameter
    Wednesday, February 3, 2010 1:17 AM
  • You cannot edit the pre-canned ones; you need to copy the precanned one and edit the copy. But you cannot add cmdlets to the copied one unless they are in the parent....... (the one you copied)

    At the moment I cannot find the right parent with this in, which makes sense as you would not need to turn it on if it were there, so it looks like we need to create a blank one and add the role entries, which is what I am going to be working on tomorrow (when I get up).

    I am working on getting this info for you, but it might not be until tomorrow, but I will get the steps you need.
    Wednesday, February 3, 2010 2:33 AM
  • No problem, really appreciate the help!

    I guess my other question is that, if we create a new one instead of using the precanned --- what is it that ECP uses to determine what gets shown?  Is it whatever role is assigned to the user, or is it just stuck showing the MyContactInformation one regardless?

    thanks!
    Wes
    Wednesday, February 3, 2010 2:35 AM
  • All will be revealed..... but we will assign to users using the role assignment policy (RAP)
    Wednesday, February 3, 2010 2:38 AM
  • Just to let you know, I have not forgotten, I have been working on it today but still have some testing to do tomorrow, sorry for the delay
    Thursday, February 4, 2010 1:37 AM
  • no problem, very much appreciate the assistance =)
    Thursday, February 4, 2010 1:39 AM
  • Slacker. ;)
    Brian Day, Overall Exchange & AD Geek
    MCSA 2000/2003, CCNA
    MCTS: Microsoft Enterprise Server 2010, Configuration
    MCITP: Enterprise Messaging Administrator 2010
    LMNOP
    Thursday, February 4, 2010 1:47 AM
  • almost tempted to report you then, but they might agree.....
    Thursday, February 4, 2010 2:05 AM
  • lol.  Good talkin' to you today, chap.
    Brian Day, Overall Exchange & AD Geek
    MCSA 2000/2003, CCNA
    MCTS: Microsoft Enterprise Server 2010, Configuration
    MCITP: Enterprise Messaging Administrator 2010
    LMNOP
    Thursday, February 4, 2010 2:15 AM
  • So I just looked at the source for the page that drives that info. It has a hardcoded set of attributes that it will display. You can add the user to whatever RBAC stuff is necessary to let them write to their Title and Department attributes, but, the UI isn't going to magically display them. You'd have to add the textboxes and then I don't know whether it's dynamically able to handle that or not, but, either way would not really be supportable.

    The textboxes that are there evaluate whether or not you can write to individual cmdlet parameters.
    Active Directory, 4th Edition - www.briandesmond.com/ad4/
    Thursday, February 4, 2010 2:18 AM
  • You're right. I have two workarounds that might help you, but essentially you're correct.
    Thursday, February 4, 2010 2:21 AM
  • This was my concern.  Why the heck would Microsoft add in just phone and address and not anything else?
    Thursday, February 4, 2010 2:21 AM
  • I have not spoken to the PM yet (he was out today) but I plan on providing this feedback.

    But I guess there has to be a limit somewhere as to what to display and what not to display, what do the majority of customers want to see. I would be more than happy to pass this info back to the teams, if you have a list of what you would consider a must.

    That said, I will still post your options later once I have tested them tomorrow. They're not perfect, but they do allow users to change the data.
    Thursday, February 4, 2010 2:28 AM
  • This was my concern.  Why the heck would Microsoft add in just phone and address and not anything else?

    Personal guess... title/department changes are probably most often handled by HR departments while other items like phone might be more apt to be changed by the user themselves. Otherwise you risk everyone in the company suddenly being a president, director, "cube monster", "master and commander of the far side of the world" showing up in the GAL. I agree it would be nice to be able to toss other fields in there, but that's my guess for the logic.
    Brian Day, Overall Exchange & AD Geek
    MCSA 2000/2003, CCNA
    MCTS: Microsoft Enterprise Server 2010, Configuration
    MCITP: Enterprise Messaging Administrator 2010
    LMNOP
    Thursday, February 4, 2010 2:31 AM
  • Yeah I can see that.  Sigh.  Was hoping to be able to stop paying for rDirectory.  Wonder how hard it is to build a custom basic web-based interface that ties into RBAC...
    Thursday, February 4, 2010 2:33 AM
  • That sounds logical, that said this is good feedback and I would be really interested in what extra you would want to see.
    Thursday, February 4, 2010 2:36 AM
  • Yeah I can see that.  Sigh.  Was hoping to be able to stop paying for rDirectory.  Wonder how hard it is to build a custom basic web-based interface that ties into RBAC...

    How about this approach. What if it was possible via ECP/RBAC to let users edit their title, but it required a moderator to approve the change just like the moderated DLs work? If that was possible would it remove your need for rDirectory or building a custom interface just for that?

    Edit: With HR or the user's Manager (as set in AD) being the recipient of the moderation request.


    Brian Day, Overall Exchange & AD Geek
    MCSA 2000/2003, CCNA
    MCTS: Microsoft Enterprise Server 2010, Configuration
    MCITP: Enterprise Messaging Administrator 2010
    LMNOP
    Thursday, February 4, 2010 2:39 AM
  • Absolutely - especially if the moderator could be any user that we assign (such as an HR person or some other designated moderator and not necessarily helpdesk staff)
    Thursday, February 4, 2010 2:40 AM
  • I will show you later how you can give permissions to users to change the details via powershell, you could build a app that used remote powershell to do this yes. Don't ask me how though.
    Thursday, February 4, 2010 2:41 AM
  • lol, the HR admin might as well do it himself/herself; sounds like increasing the workload to me
    Thursday, February 4, 2010 2:43 AM
  • That shot me down!!!
    Thursday, February 4, 2010 2:46 AM
  • In our case we'd definitely like to have user access to:

    Title
    Dept
    Office

    We would also be fine with a way to open this up to a designated user, such as an HR administrator etc without opening up any other Exchange administration to them -- similar to how administrators can switch between "Select what to manage: Myself/My Organization/Another User"
    Thursday, February 4, 2010 2:48 AM
  • oh good, that's option 2. We can do that...

    Thursday, February 4, 2010 2:52 AM
  • Yeah an HR person or perhaps whomever is the user's Manager as set in AD.
    Brian Day, Overall Exchange & AD Geek
    MCSA 2000/2003, CCNA
    MCTS: Microsoft Enterprise Server 2010, Configuration
    MCITP: Enterprise Messaging Administrator 2010
    LMNOP
    Thursday, February 4, 2010 2:55 AM
  • Hi Blackuke, any update on how we might achieve this functionality?

    thanks!
    Tuesday, February 9, 2010 9:19 PM
  • Might want to look into deploying Jim McBee's Directory Update if you need to customize a self-service portal for AD attributes.

    http://www.directory-update.com/
    Tuesday, February 9, 2010 10:41 PM
  • Perfect timing, I am just working on it, sorry for the delay
    Tuesday, February 9, 2010 11:09 PM
  • Here is option 1. It is quite simple and will allow your users to change their Title and Department themselves, but they will need to use PowerShell, which is a downside; however, as you said before, you should be able to build an app front end for this.

    Option 1:

    This will allow an end user to amend their Title and Department through PowerShell

    In order to allow a user to modify these options, you need to create a custom RBAC role out of the Mail Recipients role.

    We can determine what role we need to copy by running:

    Get-ManagementRoleEntry *\Set-User -Parameters Department,Title


    The following creates a new management role called Mail Recipients Custom. For now, this role is exactly the same as the original Mail Recipients role.

    New-ManagementRole -Name "Mail Recipients Custom" -Parent "Mail Recipients"


    To list the role entries (cmdlets) of the new role:

    Get-ManagementRole "Mail Recipients Custom" | fl *RoleEntries*


    What we do now is remove all but one entry from the role. PowerShell won't let you remove all of the entries, and for what we are doing the Get-User cmdlet was a reasonable one to leave there. It is very important to note that if you want to use the Set version of a cmdlet you should have the Get version of the same cmdlet on the role. It is hard to modify what you can't see!

    Get-ManagementRoleEntry "Mail Recipients Custom\*" | where { $_.Name -ne "Get-User" } | Remove-ManagementRoleEntry



    Now we add back the one Set cmdlet that we want, with only the parameters that we need.

    Add-ManagementRoleEntry "Mail Recipients Custom\Set-User" -Parameters Title,Department



    If this is just one user, you can directly assign to the user - usera. Alternatively, use *-RoleGroup and assign this to a group. Make sure to set the write scope to Self so the user isn't making changes for others.

    New-ManagementRoleAssignment -Role "Mail Recipients Custom" -User usera -RecipientRelativeWriteScope Self



    Enable remote PowerShell for the user

    Set-User usera -RemotePowerShellEnabled $true


    Testing

    Connect Remote Exchange Management Shell to an Exchange Server

    http://technet.microsoft.com/en-us/library/dd297932.aspx

    $cred = Get-Credential
    $session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://<Server FQDN>/PowerShell/ -Credential $cred
    Import-PSSession $session
    Get-Mailbox
    Set-User <User> -Title <Title> -Department <department>

    I will work on testing and writing up option 2 now and post when it is done. Option 2 enables the ECP option.
    Tuesday, February 9, 2010 11:22 PM
  • thanks, very much looking forward to option 2!!!!

    -Wes
    Friday, March 5, 2010 7:43 PM
  • Oh my word, I am sorry. I went away with work and totally forgot about this. I will finish off option two and post this week. Sorry for the delay.

    How did option 1 go? Can you work with that, as you indicated you might be able to put a front end on it? Option 1 is my suggestion going forward; it is just not nice if users need to use PowerShell, but if you can put an app on the front.....
    Saturday, March 6, 2010 5:40 PM
  • oh it's ok :-)

    I haven't tried option 1 - I am keeping that as a fallback as I think option 2 will work so much better for our users (not to mention I don't know how to slap a front end on PowerShell!).  We already have a web-based tool to allow editing, but it isn't free - I was hoping we could adjust ECP to allow for this since users are already used to the OWA GUI (one less tool for us to maintain and for them to learn).

    thanks!
    Wes
    Saturday, March 6, 2010 6:34 PM
  • Hi Wes.

    Unfortunately we didn't build support for allowing end-users to modify Title, Office and Dept into ECP.  Most customers we talked to indicated those properties would be mastered by HR departments.  Unfortunately we won't be able to modify this in SP1.  I'll add a feature request for E15.
    Tuesday, March 9, 2010 5:09 AM
  • Hi Max, mastered by HR departments --- how??  =)
    Tuesday, March 9, 2010 9:05 AM
  • The option 2, which is a cut down version of recipient management,
    Tuesday, March 9, 2010 9:53 AM
  • Option 2

    This will allow an end user to amend users' Title and Department through ECP.

    In order to allow a user to modify these options, you need to create a custom RBAC role out of the Mail Recipients role.

    We can determine what role we need to copy by running:

    Get-ManagementRoleEntry *\Set-User -Parameters Department,Title

    The following creates a new management role called Mail Recipients Custom. For now, this role is exactly the same as the original Mail Recipients role.

    New-ManagementRole - name "Mail Recipients Custom" -Parent "Mail Recipients"

    Get-ManagementRoleEntry "Mail Recipients Custom\*" | where { $_.Name -ne "Set-User" } | Remove-ManagementRoleEntry

    Set-ManagementRoleEntry "Mail Recipients Custom\Set-User" -Parameters Identity,Title,Department

    Get-ManagementRoleEntry "Mail Recipients\Get-*" | Add-ManagementRoleEntry -Role "Mail Recipients Custom"

    New-ManagementRoleAssignment -Name "test" -Role "Mail Recipients Custom" -User e14testuser2

    New-ManagementRoleAssignment -Role "View-Only Recipients" -User e14testuser2


    Log in to ECP as the user; that user will now have the "My Organization" drop-down and will be able to change the title and department of other users.


    To remove these settings you can run:

    Remove-ManagementRoleAssignment -Identity test

    Remove-ManagementRoleAssignment -Identity "View-Only Recipients-e14testuser2"

    Remove-ManagementRole -Identity "Mail Recipients Custom"


    You can also assign these permissions to a group by running the below instead:

    New-ManagementRoleAssignment -Name "test" -Role "Mail Recipients Custom" -SecurityGroup "Mail Recipients Group"

    New-ManagementRoleAssignment -Role "View-Only Recipients" -SecurityGroup "Mail Recipients Group"

    I have been working to provide the option to control what the user can write to using a write scope; however, there are a few known issues that prevent us from doing that, which the product group are aware of.

    I must point out that what we are providing the end user in option 2 is an admin role that has been modified to only contain the required cmdlets. There is a danger that in the future MS will provide an update that increases the cmdlets available in these roles, something you need to be aware of.

    Tuesday, March 9, 2010 1:33 PM
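    The caveat above (an admin-derived role may gain cmdlets after an update) is one you can check for on a schedule. The following audit script is an added example, not code from the thread: it walks every entry on the custom role, flags any non-Get cmdlet that is not on an explicit allow-list or a Set-User that exposes parameters beyond Identity, Title and Department, and reports the write scope of each assignment. The role name and allow-list default to the values used in options 1 and 2 above and are assumptions to adjust for your own role.

```powershell
# Audit-CustomRecipientRole.ps1 -- added example, not from the thread.
# Run in the Exchange Management Shell (or a session that has imported the
# Exchange cmdlets). Reports drift in the custom RBAC role described above
# so it can be re-checked after each Exchange update.
[CmdletBinding()]
param(
    # Role name used in the thread; change it if yours is named differently.
    [string]$RoleName = "Mail Recipients Custom",
    # The only non-Get cmdlets the role may carry, each with its permitted parameters.
    [hashtable]$AllowedWriters = @{ "Set-User" = @("Identity", "Title", "Department") },
    # Option 1 assigns with -RecipientRelativeWriteScope Self; use this switch to
    # require it. Option 2 intentionally keeps the broader scope, so leave it off there.
    [switch]$RequireSelfScope
)

$findings = New-Object System.Collections.Generic.List[string]

# 1. Walk every entry on the role. Get-* entries are read-only (option 2 copies
#    them in from the parent); anything else must be on the allow-list.
foreach ($entry in Get-ManagementRoleEntry "$RoleName\*") {
    if ($entry.Name -like "Get-*") { continue }

    if (-not $AllowedWriters.ContainsKey($entry.Name)) {
        $findings.Add("Unexpected cmdlet on role: $($entry.Name)")
        continue
    }

    # Parameters present on the entry that the allow-list does not mention.
    $extra = @($entry.Parameters | Where-Object { $AllowedWriters[$entry.Name] -notcontains $_ })
    if ($extra.Count -gt 0) {
        $findings.Add("$($entry.Name) exposes extra parameters: $($extra -join ', ')")
    }
}

# 2. Every assignment of the role: who holds it and how wide its write scope is.
foreach ($a in Get-ManagementRoleAssignment -Role $RoleName) {
    $line = "Assignment '$($a.Name)' -> $($a.RoleAssignee) (write scope: $($a.RecipientWriteScope))"
    if ($RequireSelfScope -and $a.RecipientWriteScope -ne "Self") {
        $findings.Add("Write scope is not Self: $line")
    } else {
        Write-Verbose $line
    }
}

if ($findings.Count -eq 0) {
    Write-Output "OK: role '$RoleName' matches the expected entries."
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

    Run it with -Verbose to see every assignment, and with -RequireSelfScope against the option 1 role, where a scope wider than Self means the user could edit other people's records.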
  • Thanks Blackuke, I will try this out soon.  What other attributes could we add in here other than title and dept?

    thanks!
    Wes
    Tuesday, March 9, 2010 10:48 PM
  • Hi Blackuke, anything to be concerned about with SP1?  I am getting ready to try the above method you provided and I'm wondering if you would adjust anything or recommend a different tactic given the hosting-specific changes made with SP1.  Even though we are not in a "/hosting" environment, I am wondering if some of the (seemingly considerable) ECP improvements can be leveraged in a "normal" on-premises Exchange setup to achieve some of my goals...

    Thanks!

    Sunday, August 29, 2010 4:13 AM
  • It works!  Awesome...

    Only one problem...

    We have our users' OWA restricted to a separate Global Address List.  For OWA itself, this works fine - the user can only see their GAL entries in the address book.  However, under the ECP when they go to My Organization, it seems to be drawing from the default GAL, so they see lots of entries we don't want them to see or poke at...

    Any ideas how I can restrict what they see there?

    Thanks again!

    Wes

    Wednesday, September 29, 2010 7:28 PM
  • bizzump
    Friday, October 15, 2010 11:00 PM
  • any ideas guys?
    Tuesday, November 9, 2010 4:08 PM
  • Going through the steps above and found that:

    New-ManagementRole - name "Mail Recipients Custom" -Parent "Mail Recipients" 

    has a space before name that needs to be removed. It should be

    New-ManagementRole -name "Mail Recipients Custom" -Parent "Mail Recipients"

    -M


    Thursday, April 19, 2012 5:51 PM
  • Hello,

    I'm looking for a way to provide the users the possibility to manage their Title, too.

    In the meantime, did Service Packs contain an easier way to reach that Goal?

    Working with an admin role doesn't seem an appropriate solution for me and our users.

    Thanks.


    Regards Alex

    Thursday, April 4, 2013 6:50 AM
  • Option 2, by Robbie, is verified working 100%

    Thursday, June 16, 2016 9:16 PM