OWA- Exchange Control Panel (ECP) – Part1 RBAC
Now that we have taken a look at a number of new features in OWA (http://www.exchange-genie.com/2009/08/owa-2010-part2-calendaring/ and http://www.exchange-genie.com/2009/07/owa-2010-part1-inbox/), it's time to move on to OWA Options, which is now called the Exchange Control Panel, or ECP. The ECP has a number of new features, as well as some features that were present in previous versions of OWA.
A user can log into the ECP directly by browsing to https://yoururl.com/ecp, or after logging on to OWA by selecting the Options button in the top right.
What you see in the graphic above is the default view that a standard user will receive in ECP, but I want us to understand how this is controlled. I am not going to go into much detail in this article, but users that have been delegated the appropriate rights have the ability to create mailboxes, groups and contacts, and to perform other tasks, via ECP.
Exchange 2007 brought something new called the Exchange Management Shell (EMS), and Exchange has been built on the shell since then. Exchange 2010 changes how permissioning is done, with Role Based Access Control (RBAC). As we will see, RBAC determines which commands a user or admin can execute.
Let's use an example:
Users now have the ability to modify certain directory properties, like their phone number, through the ECP.
When a user adds a city to their properties, they are executing the Set-User command to edit that AD property.
In the graphic above you notice that Last Name, First Name, Email Address and Display Name are grayed out. This is because, by default, users do not have the right to run the commands that set those properties.
How do I know what users can run?
Let's open an EMS window and run the command Get-Mailbox brian.tirch | fl role*
From this you can see that my mailbox is receiving the default policy.
Now let's take a look at this policy with the following command: Get-RoleAssignmentPolicy "Default Role Assignment Policy"
[PS] C:\>Get-RoleAssignmentPolicy "Default Role Assignment Policy"
IsDefault : True
Description : This policy grants end users permissions to set their Outlook Web App options and perform other self-administration tasks.
AdminDisplayName :
ExchangeVersion : 0.11 (14.0.509.0)
Name : Default Role Assignment Policy
Identity : Default Role Assignment Policy
RBAC-Policy
IsValid : True
We do not get too much data from that command, but we can see that this policy is set as the default for all users.
Now let's run the following command:
Get-ManagementRoleAssignment
Get-ManagementRoleAssignment shows us all the roles that have been assigned. From this we will see that there are a number of roles assigned to the Default Role Assignment Policy.
Let's narrow our scope with the following command: (Get-ManagementRoleAssignment | where {$_.RoleAssigneeName -eq 'Default Role Assignment Policy'}) | ft Name,Role,RoleAssigneeName
Name                                   Role                           RoleAssigneeName
----                                   ----                           ----------------
MyBaseOptions-Default Role Assignmen…  MyBaseOptions                  Default Role Assignment Policy
MyContactInformation-Default Role As…  MyContactInformation           Default Role Assignment Policy
MyVoiceMail-Default Role Assignment …  MyVoiceMail                    Default Role Assignment Policy
MyTextMessaging-Default Role Assignm…  MyTextMessaging                Default Role Assignment Policy
MyDistributionGroupMembership-Defaul…  MyDistributionGroupMembership  Default Role Assignment Policy
Now we know there are 5 roles that combine to make up the Default Role Assignment Policy, but we still do not know what each one allows us to do.
We are now one step closer to finding out what allows a user to perform certain tasks. We can use the Get-ManagementRole command to break things down.
[PS] C:\>Get-ManagementRole my*
Name                           RoleType
----                           --------
myBaseOptions                  MyBaseOptions
myContactInformation           MyContactInformation
myDiagnostics                  MyDiagnostics
myDistributionGroupMembership  MyDistributionGroupMembership
myDistributionGroups           MyDistributionGroups
myProfileInformation           MyProfileInformation
myRetentionPolicies            MyRetentionPolicies
myTextMessaging                MyTextMessaging
myVoiceMail                    MyVoiceMail
As you can see, there are some additional roles that are not assigned to users by default but have been created by the Exchange team for us. I am only going to break down one of these roles, since there is a lot of data to look at.
Let's run the following command: Get-ManagementRole myBaseOptions | fl
I have highlighted the RoleEntries section below, as this is the section that determines which properties a user is allowed to change.
RoleEntries : {
(Microsoft.Exchange.Management.PowerShell.E2010) Set-MailboxSpellingConfiguration -CheckBeforeSend -Confirm -DictionaryLanguage -ErrorAction -ErrorVariable -Identity -IgnoreMixedDigits -IgnoreUppercase -OutBuffer -OutVariable -WarningAction -WarningVariable -WhatIf,
(Microsoft.Exchange.Management.PowerShell.E2010) Set-MailboxRegionalConfiguration -Confirm -DateFormat -ErrorAction -ErrorVariable -Identity -Language -LocalizeDefaultFolderName -OutBuffer -OutVariable -TimeFormat -TimeZone -WarningAction -WarningVariable -WhatIf,
(Microsoft.Exchange.Management.PowerShell.E2010) Set-MailboxMessageConfiguration -AfterMoveOrDeleteBehavior -AlwaysShowBcc -AlwaysShowFrom -AutoAddSignature -Confirm -ConversationSortOrder -DefaultFontColor -DefaultFontFlags -DefaultFontName -DefaultFontSize -DefaultFormat -EmptyDeletedItemsOnLogoff -ErrorAction -ErrorVariable -HideDeletedItems -Identity -IgnoreDefaultScope -NewItemNotification -OutBuffer -OutVariable -PreviewMarkAsReadBehavior -PreviewMarkAsReadDelaytime -ReadReceiptResponse -ShowConversationAsTree -SignatureHtml -SignatureText -WarningAction -WarningVariable -WhatIf,
(Microsoft.Exchange.Management.PowerShell.E2010) Set-MailboxJunkEmailConfiguration -BlockedSendersAndDomains -ContactsTrusted -Enabled -ErrorAction -ErrorVariable -Identity -IgnoreDefaultScope -OutBuffer -OutVariable -TrustedListsOnly -TrustedSendersAndDomains -WarningAction -WarningVariable,
(Microsoft.Exchange.Management.PowerShell.E2010) Set-MailboxCalendarFolder -Confirm -DetailLevel -ErrorAction -ErrorVariable -Identity -OutBuffer -OutVariable -PublishDateRangeFrom -PublishDateRangeTo -PublishedCalendarUrl -PublishEnabled -SearchableUrlEnabled -WarningAction -WarningVariable -WhatIf,
(Microsoft.Exchange.Management.PowerShell.E2010) Set-MailboxCalendarConfiguration -Confirm -DefaultReminderTime -ErrorAction -ErrorVariable -Identity -OutBuffer -OutVariable -RemindersEnabled -ReminderSoundEnabled -ShowWeekNumbers -TimeIncrement -WarningAction -WarningVariable -WeekStartDay -WhatIf -WorkDays -WorkingHoursEndTime -WorkingHoursStartTime -WorkingHoursTimeZone,
(Microsoft.Exchange.Management.PowerShell.E2010) Set-MailboxAutoReplyConfiguration -AutoReplyState -Confirm -EndTime -ErrorAction -ErrorVariable -ExternalAudience -ExternalMessage -Identity -IgnoreDefaultScope -InternalMessage -OutBuffer -OutVariable -StartTime -WarningAction -WarningVariable -WhatIf,
(Microsoft.Exchange.Management.PowerShell.E2010) Set-Mailbox -AcceptMessagesOnlyFrom -AcceptMessagesOnlyFromDLMembers -AcceptMessagesOnlyFromSendersOrMembers -DeliverToMailboxAndForward -ErrorAction -ErrorVariable -ExternalOofOptions -ForwardingAddress -GrantSendOnBehalfTo -Identity -Languages -MailTip -MailTipTranslations -OutBuffer -OutVariable -RejectMessagesFrom -RejectMessagesFromDLMembers -RejectMessagesFromSendersOrMembers -RequireSenderAuthenticationEnabled -UserCertificate -UserSMimeCertificate -WarningAction -WarningVariable,
(Microsoft.Exchange.Management.PowerShell.E2010) Set-MailUser -ErrorAction -ErrorVariable -Identity -MailTip -MailTipTranslations -OutBuffer -OutVariable,
(Microsoft.Exchange.Management.PowerShell.E2010) Set-InboxRule -ApplyCategory -BodyContainsWords -Confirm -CopyToFolder -Debug -DeleteMessage -DomainController -ErrorAction -ErrorVariable -ExceptIfBodyContainsWords -ExceptIfFlaggedForAction -ExceptIfFrom -ExceptIfFromAddressContainsWords -ExceptIfHasAttachment -ExceptIfHasClassification -ExceptIfHeaderContainsWords -ExceptIfMessageTypeMatches -ExceptIfMyNameInCcBox -ExceptIfMyNameInToBox -ExceptIfMyNameInToOrCcBox -ExceptIfMyNameNotInToBox -ExceptIfReceivedAfterDate -ExceptIfReceivedBeforeDate -ExceptIfRecipientAddressContainsWords -ExceptIfSentOnlyToMe -ExceptIfSentTo -ExceptIfSubjectContainsWords -ExceptIfSubjectOrBodyContainsWords -ExceptIfWithImportance -ExceptIfWithinSizeRangeMaximum -ExceptIfWithinSizeRangeMinimum -ExceptIfWithSensitivity -FlaggedForAction -Force -ForwardAsAttachmentTo -ForwardTo -From -FromAddressContainsWords -HasAttachment -HasClassification -HeaderContainsWords -Identity -MarkAsRead -MarkImportance -MessageTypeMatches -MoveToFolder -MyNameInCcBox -MyNameInToBox -MyNameInToOrCcBox -MyNameNotInToBox -Name -OutBuffer -OutVariable -Priority -ReceivedAfterDate -ReceivedBeforeDate -RecipientAddressContainsWords -RedirectTo -SentOnlyToMe -SentTo -StopProcessingRules -SubjectContainsWords -SubjectOrBodyContainsWords -Verbose -WarningAction -WarningVariable -WhatIf -WithImportance -WithinSizeRangeMaximum -WithinSizeRangeMinimum -WithSensitivity,
(Microsoft.Exchange.Management.PowerShell.E2010) Set-CalendarProcessing -AddAdditionalResponse -AdditionalResponse -AddNewRequestsTentatively -AddOrganizerToSubject -AllBookInPolicy -AllowConflicts -AllowRecurringMeetings -AllRequestInPolicy -AllRequestOutOfPolicy -AutomateProcessing -BookingWindowInDays -BookInPolicy -Confirm -ConflictPercentageAllowed -DeleteAttachments -DeleteComments -DeleteNonCalendarItems -DeleteSubject -EnableResponseDetails -EnforceSchedulingHorizon -ErrorAction -ErrorVariable -ForwardRequestsToDelegates -Identity -IgnoreDefaultScope -MaximumConflictInstances -MaximumDurationInMinutes -OrganizerInfo -OutBuffer -OutVariable -ProcessExternalMeetingMessages -RemoveForwardedMeetingNotifications -RemoveOldMeetingMessages -RemovePrivateProperty -RequestInPolicy -RequestOutOfPolicy -ResourceDelegates -ScheduleOnlyDuringWorkHours -TentativePendingApproval -WarningAction -WarningVariable -WhatIf,
(Microsoft.Exchange.Management.PowerShell.E2010) Set-CASMailbox -ActiveSyncDebugLogging -Confirm -ErrorAction -ErrorVariable -Identity -ImapMessagesRetrievalMimeFormat -ImapProtocolLoggingEnabled -ImapUseProtocolDefaults -OutBuffer -OutVariable -PopMessagesRetrievalMimeFormat -PopProtocolLoggingEnabled -PopUseProtocolDefaults -WarningAction -WarningVariable -WhatIf,
(Microsoft.Exchange.Management.PowerShell.E2010) Search-MessageTrackingReport -Confirm -ErrorAction -ErrorVariable -Identity -MessageEntryId -MessageId -OutBuffer -OutVariable -Recipients -ResultSize -Sender -Subject -WarningAction -WarningVariable -WhatIf,
(Microsoft.Exchange.Management.PowerShell.E2010) Remove-MailboxFolderPermission -AccessRights -Confirm -Debug -DomainController -ErrorAction -ErrorVariable -Identity -OutBuffer -OutVariable -User -Verbose -WarningAction -WarningVariable -WhatIf,
(Microsoft.Exchange.Management.PowerShell.E2010) Remove-InboxRule -Confirm -Debug -DomainController -ErrorAction -ErrorVariable -Force -Identity -OutBuffer -OutVariable -Verbose -WarningAction -WarningVariable -WhatIf,
(Microsoft.Exchange.Management.PowerShell.E2010) Remove-ActiveSyncDevice -ErrorAction -ErrorVariable -Identity -OutBuffer -OutVariable -WarningAction -WarningVariable…}
RoleType : MyBaseOptions
ImplicitRecipientReadScope : Self
ImplicitRecipientWriteScope : Self
ImplicitConfigReadScope : OrganizationConfig
ImplicitConfigWriteScope : OrganizationConfig
IsRootRole : True
IsEndUserRole : True
MailboxPlanIndex :
Description : This role enables individual users to view and modify the basic configuration of their own mailbox and associated settings.
IsDeprecated : False
AdminDisplayName :
ExchangeVersion : 0.12 (14.0.451.0)
Name : MyBaseOptions
IsValid : True
Since the above is a lot of information to take in, let's break down one of the role entries:
Set-MailboxSpellingConfiguration -CheckBeforeSend -Confirm -DictionaryLanguage -ErrorAction -ErrorVariable -Identity -IgnoreMixedDigits -IgnoreUppercase -OutBuffer -OutVariable -WarningAction -WarningVariable -WhatIf,
Here we have a shell command, the Set-MailboxSpellingConfiguration cmdlet, which allows a user to modify the Microsoft Office Outlook Web App spell-checking options for a specified user. For example, you can set the dictionary language and configure the spelling checker to ignore mixed digits or words in all uppercase.
Since the user has the ability to run this command, when they are logged into ECP they will be able to change the following settings.
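The chain the post walks by hand (mailbox, then role assignment policy, then role assignments, then roles, then role entries) can be run as one script. This is an added example, not code from the original post; the mailbox identity, cmdlet and parameter names passed at the bottom are placeholders, and the role-entry identity syntax "Role\Cmdlet" is what Get-ManagementRoleEntry expects.

```powershell
# Added example (not from the original post). Walks the RBAC chain for one
# mailbox and reports whether a given cmdlet parameter is granted to that user.
function Get-EndUserCmdletGrant {
    param(
        [Parameter(Mandatory)] [string] $UserIdentity,   # placeholder: any mailbox identity
        [Parameter(Mandatory)] [string] $Cmdlet,         # e.g. Set-User
        [string] $Parameter                              # e.g. City; omit to test the cmdlet alone
    )

    # 1. Mailbox -> role assignment policy (what "Get-Mailbox ... | fl role*" showed).
    $policy = (Get-Mailbox -Identity $UserIdentity).RoleAssignmentPolicy
    if (-not $policy) { throw "Mailbox $UserIdentity has no role assignment policy" }

    # 2. Policy -> roles. -RoleAssignee filters on the server instead of piping every
    #    assignment in the organisation through where{}.
    $roles = Get-ManagementRoleAssignment -RoleAssignee $policy |
             ForEach-Object { $_.Role.ToString() }

    # 3. Roles -> the one role entry we care about. "<Role>\<Cmdlet>" is the RBAC
    #    identity of a single role entry; a role that lacks the cmdlet returns nothing.
    $found = $false
    foreach ($role in $roles) {
        $entry = Get-ManagementRoleEntry -Identity "$role\$Cmdlet" -ErrorAction SilentlyContinue
        if (-not $entry) { continue }
        $found = $true

        # A cmdlet is granted only with the parameters listed in the entry, which is
        # why some ECP fields are editable and others are grayed out.
        $granted = (-not $Parameter) -or ($entry.Parameters -contains $Parameter)
        [pscustomobject]@{
            Mailbox   = $UserIdentity
            Policy    = $policy
            Role      = $role
            Cmdlet    = $Cmdlet
            Parameter = $Parameter
            Granted   = $granted
        }
    }

    if (-not $found) {
        [pscustomobject]@{
            Mailbox   = $UserIdentity
            Policy    = $policy
            Role      = '(none)'
            Cmdlet    = $Cmdlet
            Parameter = $Parameter
            Granted   = $false
        }
    }
}

# Why City is editable in ECP while First Name is grayed out: both are Set-User
# parameters, but only those listed in the user's role entries are granted.
Get-EndUserCmdletGrant -UserIdentity 'brian.tirch' -Cmdlet 'Set-User' -Parameter 'City'
Get-EndUserCmdletGrant -UserIdentity 'brian.tirch' -Cmdlet 'Set-User' -Parameter 'FirstName'

# The spelling entry discussed above.
Get-EndUserCmdletGrant -UserIdentity 'brian.tirch' -Cmdlet 'Set-MailboxSpellingConfiguration' -Parameter 'IgnoreUppercase'
```

Run it from an EMS window (or a remote PowerShell session to Exchange) as an admin who holds the Role Management role; end users cannot run Get-ManagementRoleAssignment themselves, which is exactly what this model is meant to enforce.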
If we modify the allowed role entries, we can make it so a user cannot ignore words in uppercase; this is done by removing the -IgnoreUppercase switch. We could even make it so that a user cannot change any of the spelling settings by removing Set-MailboxSpellingConfiguration and all of its parameters.
You should now be able to see that everything in Exchange 2010 is based on a shell command, and those commands, even for admins, are controlled through RBAC.
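Here is the change described above carried through in the shell. This is an added example, not code from the original post. It assumes what RBAC itself enforces: built-in roles such as MyBaseOptions cannot be edited, so you create a child role, trim the child, put it into a new role assignment policy and point the mailbox at that policy. The child role name, policy name and mailbox identity are placeholders.

```powershell
# Added example (not from the original post). Remove one parameter (or one cmdlet)
# from what an end user may run, without touching the built-in role.
$ParentRole   = 'MyBaseOptions'
$ChildRole    = 'MyBaseOptions-NoUppercaseOverride'   # placeholder name
$PolicyName   = 'Restricted Spelling Policy'           # placeholder name
$UserIdentity = 'brian.tirch'                          # placeholder mailbox

# 1. A child role starts with every role entry of its parent. It can only lose
#    entries or parameters from here; it can never be granted more than the parent.
New-ManagementRole -Name $ChildRole -Parent $ParentRole

# 2a. Keep the cmdlet but drop the -IgnoreUppercase parameter from the child's entry.
Set-ManagementRoleEntry -Identity "$ChildRole\Set-MailboxSpellingConfiguration" `
    -Parameters IgnoreUppercase -RemoveParameter

# 2b. Or remove the cmdlet entirely so the user cannot change any spelling setting.
#     Run one of 2a or 2b, not both.
# Remove-ManagementRoleEntry -Identity "$ChildRole\Set-MailboxSpellingConfiguration" -Confirm:$false

# 3. A new policy that mirrors the default one, with the child role in place of
#    MyBaseOptions. The other four roles are the ones the default policy assigns.
New-RoleAssignmentPolicy -Name $PolicyName -Roles $ChildRole, 'MyContactInformation',
    'MyVoiceMail', 'MyTextMessaging', 'MyDistributionGroupMembership'

# 4. Point the mailbox at the new policy. Existing and new mailboxes keep getting
#    the IsDefault policy unless you move them (or make this policy the default).
Set-Mailbox -Identity $UserIdentity -RoleAssignmentPolicy $PolicyName

# 5. Verify from the shell before trusting what ECP shows the user.
(Get-Mailbox -Identity $UserIdentity).RoleAssignmentPolicy
Get-ManagementRoleEntry -Identity "$ChildRole\Set-MailboxSpellingConfiguration" |
    Select-Object -ExpandProperty Parameters
```

The change is reversible: Set-ManagementRoleEntry with -AddParameter puts a parameter back, and Set-RoleAssignmentPolicy -IsDefault decides which policy newly created mailboxes receive. Check the role entries of every role in the policy, not just the one you trimmed; a parameter removed from one role is still granted if another assigned role lists it.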