Let’s say you’re tired of creating new external contacts and want to assign this right to another user. Or a user is tired of waiting for an administrator to make a mail contact. External contacts are typically used inside mail distribution groups, because you cannot simply add a plain e-mail address to a group.
First you need to find the role that contains the required cmdlet. In this case the cmdlet is New-MailContact. You can find the role with the following command in the Exchange Management Shell:
Get-ManagementRole | Get-ManagementRoleEntry | where {$_.name -eq "new-mailcontact"}
The result will look like this:
So the role which contains the right to add new contacts is “Mail Recipient Creation”. This role contains a lot of other cmdlets. To see what cmdlets are available for this role:
Get-ManagementRole "Mail Recipient Creation" | Get-ManagementRoleEntry
You will get a lot of commands:
For this task you don’t need all of those entries; you only need New-MailContact and Get-MailContact. In fact you also need Get-Recipient, because without it the end user cannot see the Organization Administration part in Outlook Web App. So you need to create a new, more restrictive role. To do this, use this command:
New-ManagementRole -Name "Contact Editor Role" -Parent "Mail Recipient Creation"
This creates a child role, a copy of the existing recipient creation role. To remove the unnecessary cmdlets from the new role, use these commands:
Get-ManagementRole "Contact Editor Role" | Get-ManagementRoleEntry | where {$_.name -ne "get-recipient"} | Remove-ManagementRoleEntry
Add-ManagementRoleEntry "Contact Editor Role\Get-MailContact"
Add-ManagementRoleEntry "Contact Editor Role\New-MailContact"
The first line removes all role entries except Get-Recipient. The next two lines add back Get-MailContact and New-MailContact.
Now that the role exists with the correct role entries, you need to create a role group. This is best done in OWA or ECP, logged on as an Exchange administrator. ECP can be reached from the OWA Options menu:
Choose “Manage” and from there “My Organization”:
Choose Roles & Auditing and click the New… button:
Fill in the Role Group name, add the previously created “Contact Editor Role” and choose the members (the users who may add new contacts):
Optionally you can choose an Organizational Unit, but it is useless here, because in ECP the user can create mail contacts only in the /Users container, which is not even an OU.
Now log on to OWA with the end user account, go to Options, choose to manage “My Organization” and voilà: the “New” button is available in the Contacts section.
As you will notice, the user cannot delete or modify contacts. For that, you can add more role entries. For the changes to take effect, the end user must close the browser and reopen it before the new buttons appear.
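The whole procedure above (child role, trimmed role entries, role group) as one re-runnable script. This is an added example, not code from the original post: it checks the parent role for the entries to keep before removing anything, which is the situation reported in the comments where Get-Recipient was missing from the parent, and it creates the role group from the shell instead of ECP. The role group name “Contact Editors” and the member address are assumed values.

```powershell
# Added example (not from the original post): builds the "Contact Editor Role" from the
# "Mail Recipient Creation" parent, keeping only the entries the post lists, and guards
# against the "must contain at least one cmdlet" error reported in the comments.
# Assumes an Exchange 2010 SP1 (or later) Management Shell; the role group name and
# member address below are assumed values, not from the post.

$ParentRole = "Mail Recipient Creation"
$ChildRole  = "Contact Editor Role"
$Keep       = @("Get-Recipient", "Get-MailContact", "New-MailContact")
$GroupName  = "Contact Editors"                 # assumed role group name
$Members    = @("contact.editor@example.com")  # assumed member

# A child role can only hold entries that exist in its parent, so check the parent first.
# This is the case in the comments: Get-Recipient was missing from the parent role, so the
# removal step stripped every entry and failed.
$parentEntries = Get-ManagementRole $ParentRole | Get-ManagementRoleEntry |
    ForEach-Object { $_.Name }
$missing = $Keep | Where-Object { $parentEntries -notcontains $_ }
if ($missing) {
    throw "Parent role '$ParentRole' lacks: $($missing -join ', '). Choose another parent role."
}

# Create the child role only if it does not exist yet, so the script can be re-run.
if (-not (Get-ManagementRole $ChildRole -ErrorAction SilentlyContinue)) {
    New-ManagementRole -Name $ChildRole -Parent $ParentRole | Out-Null
}

# Remove every entry that is not on the keep list. Since the keep list was verified against
# the parent, at least one cmdlet always remains and the removal cannot empty the role.
Get-ManagementRole $ChildRole | Get-ManagementRoleEntry |
    Where-Object { $Keep -notcontains $_.Name } |
    Remove-ManagementRoleEntry -Confirm:$false

# Add back any kept entry that is missing (for example after a partial earlier run).
$current = Get-ManagementRole $ChildRole | Get-ManagementRoleEntry | ForEach-Object { $_.Name }
foreach ($entry in $Keep) {
    if ($current -notcontains $entry) { Add-ManagementRoleEntry "$ChildRole\$entry" }
}

# Assign the role through a role group; this is the shell equivalent of the ECP steps.
if (-not (Get-RoleGroup $GroupName -ErrorAction SilentlyContinue)) {
    New-RoleGroup -Name $GroupName -Roles $ChildRole -Members $Members | Out-Null
}

# Show what the role now permits; only the three kept cmdlets should be listed.
Get-ManagementRoleEntry "$ChildRole\*" | Select-Object Name, Parameters
```

The final listing is the check worth keeping: if anything other than the three kept cmdlets shows up, the role grants more than intended.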
Hello,
Whenever we do this:
Get-ManagementRole "Contact Editor Role" | Get-ManagementRoleEntry | where {$_.name -ne "get-recipient"} | Remove-ManagementRoleEntry
We get this error:
[Y] Yes [A] Yes to All [N] No [L] No to All [?] Help (default is "Y"): y
The management role must contain at least one cmdlet.
+ CategoryInfo : NotSpecified: (Contact Editor Role:ADObjectId) [Remove-ManagementRoleEntry], DataValidationException
+ FullyQualifiedErrorId : 7F597524,Microsoft.Exchange.Management.RbacTasks.RemoveManagementRoleEntry
The management role must contain at least one cmdlet.
+ CategoryInfo : NotSpecified: (:) [], DataValidationException
+ FullyQualifiedErrorId : B5EE9F73
First try the 'Get-ManagementRole "Contact Editor Role"' command. If it succeeds, then try 'Get-ManagementRole "Contact Editor Role" | Get-ManagementRoleEntry' to see where the prompt is appearing.
It does not appear when we run the command. We also seem to be missing the "Roles & Auditing" tab in My Organization Management.
I figured out that Get-Recipient was missing from the "Mail Recipient Creation" Role.
In order for this article to work you have to have at least Exchange 2010 SP1.
That's right.