A users can directly log into the ECP by hitting https://yoururl.com/ecp or after they logon to OWA by selecting the options button in to top right.

What you see in the graphic above is the default view that a standard user will receieve in ECP, but I want us to understand how this is controlled. I am not going to go into much detail in this article but users that have been delegated the appropriate rights have the ability to create mailboxes, groups, contacts, and other tasks via ECP

Exchange 2007 brought somthing new called Exchange Management Shell (EMS) and  Exchange has been based upon the shell since Exchange 2007. In Exchange 2010 we now have modifed how permissioning will be done, with Role Based Authentication Control (RBAC).  RBAC as we will see says which commands a user or Admin can execute.

Lets use an example:

 users now have the ability to modify certain directory properties like thier phone number through the  ECP.

When a user adds a city to thier properties they are executing the set-user command to be able to edit that AD property.

In the graphic above you notice that Las tName, First Name, Email Address, and Display Name are grayed out. This is because by default the users do not have the ability to execute those commands…..

How do I know what users can run?

Lets open a EMS windows and use the command get-mailbox brian.tirch  | fl role*

From this you can see that my mailbox is receiving the default policy.

Now lets take a look at this  policy  with the following commands Get-RoleAssignmentPolicy “default role assignment policy”

[PS] C:\>Get-RoleAssignmentPolicy “default role assignment policy”
IsDefault         : True
Description       : This policy grants end users permissions to set their Outlook Web App options and perform other se
                    f-administration tasks.
AdminDisplayName  :
ExchangeVersion   : 0.11 (14.0.509.0)
Name              : Default Role Assignment Policy
Identity          : Default Role Assignment Policy
RBAC-Policy

IsValid           : True

We do not get to much data from that command but we can see that this policy is set to be the default for all users

Now lets run the following command

 Get-ManagementRoleAssignment

The get-managementroleassignment will show us all the roles that have been assigned, through this we will see there are a number of roles that are assigned to the Default Role Assignment Policy

Lets narrow our scope with the following command (Get-ManagementRoleAssignment | where {$_.roleassigneename -eq ‘Default role assignment policy’}) | ft Name,RoleassigneeName

Name                                                                                    Role                                                                    RoleAssigneeName
—-                                                                                              —-                                                                    —————-
MyBaseOptions-Default Role Assignmen…          MyBaseOptions                                               Default Role Assignment Policy
MyContactInformation-Default Role As…           MyContactInformation                                Default Role Assignment Policy
MyVoiceMail-Default Role Assignment …           MyVoiceMail                                                    Default Role Assignment Policy
MyTextMessaging-Default Role Assignm…         MyTextMessaging                                            Default Role Assignment Policy
MyDistributionGroupMembership-Defaul…      MyDistributionGroupMembership           Default Role Assignment Policy

Wow…. now that we know there are 5 roles that combine to provide us with the Default Role Assignment Policy, but we still do not know what each one allows us to do.

We are now 1 step closer to finding out what allow a users to perform certain tasks….  We can use the get-mangementrole command to break things down….

PS] C:\>Get-ManagementRole  my*

name                                                                             RoleType
—                                                                                      ——–
myBaseOptions                                                        MyBaseOptions
myContactInformation                                       MyContactInformation
myDiagnostics                                                         MyDiagnostics
myDistributionGroupMembership                MytributionGroupMembership
myDistributionGroups                                       MyDistributionGroups
myProfileInformation                                        MyProfileInformation
myRetentionPolicies                                           MyRetentionPolicies
myTextMessaging                                                 MyTextMessaging
myVoiceMail                                                          MyVoiceMail

As you can see there are some additional roles that are not assigned by default to users but have been created by the Exchange team for us. I am only going to break down 1 of these role since there will be a lot of data to look at.

Lets run the following command: Get-ManagementRole myBaseOptions | fl

I have highliged the Role Entries section below, as this is the section that allows a user to change a number of properites 

RoleEntries                 : {(Microsoft.Exchange.Management.PowerShell.E2010) Set-MailboxSpellingConfiguration -Check
                              BeforeSend -Confirm -DictionaryLanguage -ErrorAction -ErrorVariable -Identity -IgnoreMixe
                              dDigits -IgnoreUppercase -OutBuffer -OutVariable -WarningAction -WarningVariable -WhatIf,
                               (Microsoft.Exchange.Management.PowerShell.E2010) Set-MailboxRegionalConfiguration -Confi
                              rm -DateFormat -ErrorAction -ErrorVariable -Identity -Language -LocalizeDefaultFolderName
                               -OutBuffer -OutVariable -TimeFormat -TimeZone -WarningAction -WarningVariable -WhatIf, (
                              Microsoft.Exchange.Management.PowerShell.E2010) Set-MailboxMessageConfiguration -AfterMov
                              eOrDeleteBehavior -AlwaysShowBcc -AlwaysShowFrom -AutoAddSignature -Confirm -Conversation
                              SortOrder -DefaultFontColor -DefaultFontFlags -DefaultFontName -DefaultFontSize -DefaultF
                              ormat -EmptyDeletedItemsOnLogoff -ErrorAction -ErrorVariable -HideDeletedItems -Identity
                              -IgnoreDefaultScope -NewItemNotification -OutBuffer -OutVariable -PreviewMarkAsReadBehavi
                              or -PreviewMarkAsReadDelaytime -ReadReceiptResponse -ShowConversationAsTree -SignatureHtm
                              l -SignatureText -WarningAction -WarningVariable -WhatIf, (Microsoft.Exchange.Management.
                              PowerShell.E2010) Set-MailboxJunkEmailConfiguration -BlockedSendersAndDomains -ContactsTr
                              usted -Enabled -ErrorAction -ErrorVariable -Identity -IgnoreDefaultScope -OutBuffer -OutV
                              ariable -TrustedListsOnly -TrustedSendersAndDomains -WarningAction -WarningVariable, (Mic
                              rosoft.Exchange.Management.PowerShell.E2010) Set-MailboxCalendarFolder -Confirm -DetailLe
                              vel -ErrorAction -ErrorVariable -Identity -OutBuffer -OutVariable -PublishDateRangeFrom -
                              PublishDateRangeTo -PublishedCalendarUrl -PublishEnabled -SearchableUrlEnabled -WarningAc
                              tion -WarningVariable -WhatIf, (Microsoft.Exchange.Management.PowerShell.E2010) Set-Mailb
                              oxCalendarConfiguration -Confirm -DefaultReminderTime -ErrorAction -ErrorVariable -Identi
                              ty -OutBuffer -OutVariable -RemindersEnabled -ReminderSoundEnabled -ShowWeekNumbers -Time
                              Increment -WarningAction -WarningVariable -WeekStartDay -WhatIf -WorkDays -WorkingHoursEn
                              dTime -WorkingHoursStartTime -WorkingHoursTimeZone, (Microsoft.Exchange.Management.PowerS
                              hell.E2010) Set-MailboxAutoReplyConfiguration -AutoReplyState -Confirm -EndTime -ErrorAct
                              ion -ErrorVariable -ExternalAudience -ExternalMessage -Identity -IgnoreDefaultScope -Inte
                              rnalMessage -OutBuffer -OutVariable -StartTime -WarningAction -WarningVariable -WhatIf, (
                              Microsoft.Exchange.Management.PowerShell.E2010) Set-Mailbox -AcceptMessagesOnlyFrom -Acce
                              ptMessagesOnlyFromDLMembers -AcceptMessagesOnlyFromSendersOrMembers -DeliverToMailboxAndF
                              orward -ErrorAction -ErrorVariable -ExternalOofOptions -ForwardingAddress -GrantSendOnBeh
                              alfTo -Identity -Languages -MailTip -MailTipTranslations -OutBuffer -OutVariable -RejectM
                              essagesFrom -RejectMessagesFromDLMembers -RejectMessagesFromSendersOrMembers -RequireSend
                              erAuthenticationEnabled -UserCertificate -UserSMimeCertificate -WarningAction -WarningVar
                              iable, (Microsoft.Exchange.Management.PowerShell.E2010) Set-MailUser -ErrorAction -ErrorV
                              ariable -Identity -MailTip -MailTipTranslations -OutBuffer -OutVariable, (Microsoft.Excha
                              nge.Management.PowerShell.E2010) Set-InboxRule -ApplyCategory -BodyContainsWords -Confirm
                               -CopyToFolder -Debug -DeleteMessage -DomainController -ErrorAction -ErrorVariable -Excep
                              tIfBodyContainsWords -ExceptIfFlaggedForAction -ExceptIfFrom -ExceptIfFromAddressContains
                              Words -ExceptIfHasAttachment -ExceptIfHasClassification -ExceptIfHeaderContainsWords -Exc
                              eptIfMessageTypeMatches -ExceptIfMyNameInCcBox -ExceptIfMyNameInToBox -ExceptIfMyNameInTo
                              OrCcBox -ExceptIfMyNameNotInToBox -ExceptIfReceivedAfterDate -ExceptIfReceivedBeforeDate
                              -ExceptIfRecipientAddressContainsWords -ExceptIfSentOnlyToMe -ExceptIfSentTo -ExceptIfSub
                              jectContainsWords -ExceptIfSubjectOrBodyContainsWords -ExceptIfWithImportance -ExceptIfWi
                              thinSizeRangeMaximum -ExceptIfWithinSizeRangeMinimum -ExceptIfWithSensitivity -FlaggedFor
                              Action -Force -ForwardAsAttachmentTo -ForwardTo -From -FromAddressContainsWords -HasAttac
                              hment -HasClassification -HeaderContainsWords -Identity -MarkAsRead -MarkImportance -Mess
                              ageTypeMatches -MoveToFolder -MyNameInCcBox -MyNameInToBox -MyNameInToOrCcBox -MyNameNotI
                              nToBox -Name -OutBuffer -OutVariable -Priority -ReceivedAfterDate -ReceivedBeforeDate -Re
                              cipientAddressContainsWords -RedirectTo -SentOnlyToMe -SentTo -StopProcessingRules -Subje
                              ctContainsWords -SubjectOrBodyContainsWords -Verbose -WarningAction -WarningVariable -Wha
                              tIf -WithImportance -WithinSizeRangeMaximum -WithinSizeRangeMinimum -WithSensitivity, (Mi
                              crosoft.Exchange.Management.PowerShell.E2010) Set-CalendarProcessing -AddAdditionalRespon
                              se -AdditionalResponse -AddNewRequestsTentatively -AddOrganizerToSubject -AllBookInPolicy
                               -AllowConflicts -AllowRecurringMeetings -AllRequestInPolicy -AllRequestOutOfPolicy -Auto
                              mateProcessing -BookingWindowInDays -BookInPolicy -Confirm -ConflictPercentageAllowed -De
                              leteAttachments -DeleteComments -DeleteNonCalendarItems -DeleteSubject -EnableResponseDet
                              ails -EnforceSchedulingHorizon -ErrorAction -ErrorVariable -ForwardRequestsToDelegates -I
                              dentity -IgnoreDefaultScope -MaximumConflictInstances -MaximumDurationInMinutes -Organize
                              rInfo -OutBuffer -OutVariable -ProcessExternalMeetingMessages -RemoveForwardedMeetingNoti
                              fications -RemoveOldMeetingMessages -RemovePrivateProperty -RequestInPolicy -RequestOutOf
                              Policy -ResourceDelegates -ScheduleOnlyDuringWorkHours -TentativePendingApproval -Warning
                              Action -WarningVariable -WhatIf, (Microsoft.Exchange.Management.PowerShell.E2010) Set-CAS
                              Mailbox -ActiveSyncDebugLogging -Confirm -ErrorAction -ErrorVariable -Identity -ImapMessa
                              gesRetrievalMimeFormat -ImapProtocolLoggingEnabled -ImapUseProtocolDefaults -OutBuffer -O
                              utVariable -PopMessagesRetrievalMimeFormat -PopProtocolLoggingEnabled -PopUseProtocolDefa
                              ults -WarningAction -WarningVariable -WhatIf, (Microsoft.Exchange.Management.PowerShell.E
                              2010) Search-MessageTrackingReport -Confirm -ErrorAction -ErrorVariable -Identity -Messag
                              eEntryId -MessageId -OutBuffer -OutVariable -Recipients -ResultSize -Sender -Subject -War
                              ningAction -WarningVariable -WhatIf, (Microsoft.Exchange.Management.PowerShell.E2010) Rem
                              ove-MailboxFolderPermission -AccessRights -Confirm -Debug -DomainController -ErrorAction
                              -ErrorVariable -Identity -OutBuffer -OutVariable -User -Verbose -WarningAction -WarningVa
                              riable -WhatIf, (Microsoft.Exchange.Management.PowerShell.E2010) Remove-InboxRule -Confir
                              m -Debug -DomainController -ErrorAction -ErrorVariable -Force -Identity -OutBuffer -OutVa
                              riable -Verbose -WarningAction -WarningVariable -WhatIf, (Microsoft.Exchange.Management.P
                              owerShell.E2010) Remove-ActiveSyncDevice -ErrorAction -ErrorVariable -Identity -OutBuffer
                               -OutVariable -WarningAction -WarningVariable…}
RoleType                    : MyBaseOptions
ImplicitRecipientReadScope  : Self
ImplicitRecipientWriteScope : Self
ImplicitConfigReadScope     : OrganizationConfig
ImplicitConfigWriteScope    : OrganizationConfig
IsRootRole                  : True
IsEndUserRole               : True
MailboxPlanIndex            :
Description                 : This role enables individual users to view and modify the basic configuration of their ow
                              n mailbox and associated settings.
IsDeprecated                : False
AdminDisplayName            :
ExchangeVersion             : 0.12 (14.0.451.0)
Name                        : MyBaseOptions

IsValid                     : True

Since the above is a lot of information to take in  let break down a few of the role entries :

Set-MailboxSpellingConfiguration -CheckBeforeSend -Confirm -DictionaryLanguage -ErrorAction -ErrorVariable -Identity -IgnoreMixe
                              dDigits -IgnoreUppercase -OutBuffer -OutVariable -WarningAction -WarningVariable -WhatIf,

Here we have a shell command called Set-MailboxSpellingConfiguration cmdlet which allows a users to modify Microsoft Office Outlook Web App spell checking options for a specified user. For example, you can set the dictionary language and configure the spelling checker to ignore mixed digits or words in all uppercase.

Since the users has the ability to run this command, when they are logged into ECP the user will be able to change the follwoing settings.

If we modify the allowed role entries, we can make it so a user cannot ignore words in upper case , this is done by removing the  switch  -IgnoreUppercase or we could even make it so that a user cannot change any of the spelling settings by removing Set-MailboxSpellingConfiguration and all the extentions.

You should not be able to see that everything in Exchange 2010 is now based on a shell command, those commands even for Admins are controled through RBAC.