Disabling editing account information in OWA

In Exchange 2010, users have permission by default to edit their own contact information from the Exchange Control Panel. In organizations where this is unwanted, for example when account information is provisioned, you need to remove these permissions.


These permissions flow from the Default Role Assignment Policy.

Note: The default role assignment policy may have been changed in your organization. To find the current default policy, check the IsDefault attribute, e.g.

Get-RoleAssignmentPolicy | Where { $_.IsDefault -eq $True }

Now, each mailbox-enabled user is assigned the default policy when created. You can verify this by inspecting the RoleAssignmentPolicy attribute returned by Get-Mailbox, e.g.


The assigned roles of this policy can be viewed using Get-ManagementRoleAssignment:


The ability to edit contact information comes from the MyContactInformation role. You can view a description of this role using:

Get-ManagementRole MyContactInformation | select Description

The output reads, “This role enables individual users to modify their contact information, including address and phone numbers.”

To remove this ability you have the option of removing the assignment or you can simply disable the assignment using Set-ManagementRoleAssignment, e.g.

Set-ManagementRoleAssignment -Identity "MyContactInformation-Default Role Assignment Policy" -Enabled $false 

Now after logging into OWA the contact information is view-only (despite the Edit button) and the Save option is gone.

Note that after performing this step, if you want to enable editing of contact information for some users, you need to create a new RoleAssignmentPolicy, similar to the default one but including MyContactInformation, and assign that policy to those users. For example:

New-RoleAssignmentPolicy "Default Role Assignment Policy with Info"
Get-ManagementRoleAssignment -RoleAssignee "Default Role Assignment Policy" | New-ManagementRoleAssignment -Policy "Default Role Assignment Policy with Info"

You can use the same exercise to remove other unwanted functions, like the ability to create distribution groups (MyDistributionGroups) or to manage distribution group memberships (MyDistributionGroupMembership).
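The following script is an added example, not code from the original post: it resolves the default policy via IsDefault instead of hard-coding the assignment name (which differs between environments and Exchange versions), disables the self-service roles discussed above on that policy, and then reports the resulting state so the change can be verified. It assumes an Exchange Management Shell session with rights to manage RBAC; the $RolesToDisable list is an assumption you should adjust.

```powershell
# Added example (not from the original post): disable selected self-service
# role assignments on the current default role assignment policy and verify.
# Assumes an Exchange Management Shell session with RBAC management rights.

# Roles discussed in the post; trim this list to what you actually want removed.
$RolesToDisable = @(
    'MyContactInformation',
    'MyDistributionGroups',
    'MyDistributionGroupMembership'
)

# Resolve the default policy by IsDefault rather than by name, since it may have been renamed.
$DefaultPolicy = Get-RoleAssignmentPolicy | Where-Object { $_.IsDefault -eq $true }
if (-not $DefaultPolicy) { throw 'No default role assignment policy found.' }
Write-Host "Default policy: $($DefaultPolicy.Name)"

foreach ($Role in $RolesToDisable) {
    # Look up the assignment(s) linking this role to the default policy.
    $Assignments = Get-ManagementRoleAssignment -Role $Role -RoleAssignee $DefaultPolicy.Name -ErrorAction SilentlyContinue
    if (-not $Assignments) {
        Write-Warning "No assignment of $Role to '$($DefaultPolicy.Name)'; nothing to do."
        continue
    }
    foreach ($Assignment in $Assignments) {
        if ($Assignment.Enabled) {
            # Disabling keeps the assignment object, so the change is easy to revert.
            Set-ManagementRoleAssignment -Identity $Assignment.Identity -Enabled $false
            Write-Host "Disabled assignment '$($Assignment.Name)'"
        } else {
            Write-Host "Assignment '$($Assignment.Name)' was already disabled"
        }
    }
}

# Verify: show every assignment on the default policy together with its Enabled state.
Get-ManagementRoleAssignment -RoleAssignee $DefaultPolicy.Name |
    Select-Object Name, Role, Enabled |
    Sort-Object Role |
    Format-Table -AutoSize

# How many mailboxes are governed by the default policy (and therefore by this change).
$Affected = Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.RoleAssignmentPolicy.Name -eq $DefaultPolicy.Name }
Write-Host "Mailboxes on the default policy: $($Affected.Count)"
```

Users who must keep the ability need a separate policy with the assignment enabled, as described above; this script only touches the default policy.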

9 thoughts on “Disabling editing account information in OWA”

  1. Good tip. Is there a way to do this and prevent Exchange admins from creating archiving mailboxes when setting up new user mailboxes?

    thanks

    • Create a specific role for those admins using the Mail Recipient Creation as a parent (template) management role and strip all unwanted elements:
      New-ManagementRole “Limited Mail Recipient Creation” -Parent “Mail Recipient Creation”

      Then strip the unwanted parameters from the appropriate cmdlets using Set-ManagementRoleEntry, e.g.

      Set-ManagementRoleEntry “Limited Mail Recipient Creation\New-Mailbox” -Parameters Archive -RemoveParameter

      Note that this leaves the option for Mail Recipients open to enable archiving since that’s a different role.

      After that, switch the role assignment to the modified management role or – better – create a new role group and go from there. I’d advise against modifying existing roles because not only is modifying certain default elements impossible, you also have the chance of locking yourself out when making a mistake.

      For more info on the RBAC structure, so you can see how things relate, see
      https://eightwone.com/2009/12/08/exchange-2010-delegation-model/

  2. Pingback: How to edit your contact info in OWA | Jason (Izzy) Sherry's Blog

  3. Great article – any chance it can be updated for Exchange 2013? “MyContactInformation-Default Role Assignment Policy” doesn’t exist as a Role Assignment for us.

      • Get-OwaVirtualDirectory -ShowMailboxVirtualDirectories | Set-OwaVirtualDirectory -SetPhotoEnabled $false

        and recycle the below application pools

        Default App Pool
        OWA App Pool
        ECP App Pool
