In Exchange 2010, by default users have permission to edit their contact information from the Exchange Control Panel. In organizations where this is unwanted, like when account information is provisioned, you need to remove these permissions.
These permissions flow from the Default Role Assignment Policy.
Note: the default role assignment policy may have been changed in your organization. To find out which assignment policy is currently the default, check the IsDefault attribute, e.g.
Get-RoleAssignmentPolicy | Where { $_.IsDefault -eq $True }
Now, each mailbox-enabled user is assigned the default policy when created. You can verify this by inspecting the RoleAssignmentPolicy property returned by Get-Mailbox.
The roles assigned through this policy can be listed with Get-ManagementRoleAssignment, using the policy as the role assignee.
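The inventory steps above, written out as an added example (this is not code from the original post). It assumes an Exchange 2010 Management Shell session and the stock policy name "Default Role Assignment Policy"; it only reads configuration, so it is safe to run before changing anything.

```powershell
# Added example, not from the original post: inventory which assignment policy
# each mailbox uses and which roles the default policy grants.
# Assumes an Exchange 2010 Management Shell session.

# 1. Which assignment policy is currently the default?
$defaultPolicy = Get-RoleAssignmentPolicy | Where-Object { $_.IsDefault -eq $true }
$defaultPolicy | Format-List Name, IsDefault, AssignedRoles

# 2. How many mailboxes sit on each policy? Mailboxes on a non-default
#    policy are the ones worth a closer look.
Get-Mailbox -ResultSize Unlimited |
    Group-Object RoleAssignmentPolicy |
    Select-Object Name, Count |
    Sort-Object Count -Descending

# 3. The role assignments behind the default policy, including whether each
#    assignment is currently enabled.
Get-ManagementRoleAssignment -RoleAssignee $defaultPolicy.Name |
    Select-Object Name, Role, Enabled, RoleAssigneeType |
    Sort-Object Role
```

The Enabled column in the last listing is the one to watch after the change described below: a disabled assignment stays in the policy but no longer grants anything.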
The ability to edit contact information lies in the MyContactInformation role. You can view a description of this role using:
Get-ManagementRole MyContactInformation | select Description
The output reads, “This role enables individual users to modify their contact information, including address and phone numbers.”
To remove this ability you have the option of removing the assignment or you can simply disable the assignment using Set-ManagementRoleAssignment, e.g.
Set-ManagementRoleAssignment -Identity "MyContactInformation-Default Role Assignment Policy" -Enabled $false
Now, after logging into OWA, the contact information is view-only (the Edit button still appears) and the Save option is gone.
Note that after performing this step, if you want to allow some users to edit their contact information, you need to create a new RoleAssignmentPolicy, similar to the default one but with the MyContactInformation role enabled, and assign that policy to those users. For example:
New-RoleAssignmentPolicy "Default Role Assignment Policy with Info"
Get-ManagementRoleAssignment -RoleAssignee "Default Role Assignment Policy" | New-ManagementRoleAssignment -Policy "Default Role Assignment Policy with Info"
You can use the same exercise to remove other unwanted functions, like the ability to create distribution groups (MyDistributionGroups) or to manage distribution group memberships (MyDistributionGroupMembership).
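The whole procedure from the post (disable the self-service assignments in the default policy, verify, carve out an exception policy, move a few users onto it) as one added example. This is not code from the original post; it assumes the stock policy name "Default Role Assignment Policy", and the exception policy name and the user list are placeholders to replace. It goes slightly beyond the post by disabling the distribution-group roles mentioned in the last paragraph in the same pass.

```powershell
# Added example, not from the original post: disable self-service roles in the
# default assignment policy, then create an exception policy that keeps
# MyContactInformation for a handful of users.

$defaultPolicyName   = "Default Role Assignment Policy"
$exceptionPolicyName = "Default Role Assignment Policy with Info"          # hypothetical name
$exemptUsers         = @("alice@contoso.example", "bob@contoso.example")    # constructed list

# Self-service roles to take away: MyContactInformation is the one the post
# covers, the distribution-group roles are the other candidates it names.
$rolesToDisable = @("MyContactInformation", "MyDistributionGroups", "MyDistributionGroupMembership")

# 1. Disable (do not delete) the matching assignments in the default policy.
foreach ($role in $rolesToDisable) {
    Get-ManagementRoleAssignment -RoleAssignee $defaultPolicyName -Role $role |
        Set-ManagementRoleAssignment -Enabled $false
}

# 2. Check: no enabled assignment for these roles should remain on the default policy.
$stillEnabled = Get-ManagementRoleAssignment -RoleAssignee $defaultPolicyName -Enabled $true |
    Where-Object { $rolesToDisable -contains $_.Role }
if ($stillEnabled) {
    Write-Warning "Assignments still enabled on the default policy:"
    $stillEnabled | Format-Table Name, Role
}

# 3. Exception policy: clone the default policy's assignments. New-ManagementRoleAssignment
#    has no -Enabled parameter, so the copies come up enabled; switch off everything
#    except MyContactInformation again.
New-RoleAssignmentPolicy -Name $exceptionPolicyName
Get-ManagementRoleAssignment -RoleAssignee $defaultPolicyName |
    New-ManagementRoleAssignment -Policy $exceptionPolicyName
foreach ($role in ($rolesToDisable | Where-Object { $_ -ne "MyContactInformation" })) {
    Get-ManagementRoleAssignment -RoleAssignee $exceptionPolicyName -Role $role |
        Set-ManagementRoleAssignment -Enabled $false
}

# 4. Move only the exempt users to the exception policy and confirm the result.
foreach ($user in $exemptUsers) {
    Set-Mailbox -Identity $user -RoleAssignmentPolicy $exceptionPolicyName
}
$exemptUsers | Get-Mailbox | Select-Object Name, RoleAssignmentPolicy
```

Disabling rather than removing the assignment keeps the rollback to a single Set-ManagementRoleAssignment -Enabled $true, and the exception policy means the default policy never has to be re-opened for individual requests.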
so great post for me, thank you very much
thanks very useful
Good tip. Is there a way to do this and prevent Exchange admins from creating archive mailboxes when setting up new user mailboxes?
thanks
Create a specific role for those admins, using Mail Recipient Creation as the parent (template) management role, and strip all unwanted elements:
New-ManagementRole "Limited Mail Recipient Creation" -Parent "Mail Recipient Creation"
Then strip the unwanted parameters from the appropriate cmdlets using Set-ManagementRoleEntry, e.g.
Set-ManagementRoleEntry "Limited Mail Recipient Creation\New-Mailbox" -Parameters Archive -RemoveParameter
Note that this leaves the option for Mail Recipients open to enable archiving since that’s a different role.
After that, switch the role assignment to the modified management role or – better – create a new role group and go from there. I’d advise against modifying existing roles because not only is modifying certain default elements impossible, you also have the chance of locking yourself out when making a mistake.
More info on RBAC structure so you can see how things relate, see
https://eightwone.com/2009/12/08/exchange-2010-delegation-model/
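The reply above as an added, end-to-end example (this is not code from the original reply): derive the scoped-down role, strip the archive parameters, verify that nothing archive-related is left on the role's entries, and hand the role out through a new role group instead of touching a built-in role. The role group name and member list are placeholders; ArchiveDatabase is assumed to be a parameter of New-Mailbox in the version in use.

```powershell
# Added example, not from the original reply: a recipient-creation role that
# cannot create archive mailboxes, delivered through its own role group.

$roleName      = "Limited Mail Recipient Creation"
$roleGroupName = "Limited Recipient Admins"            # hypothetical name
$members       = @("helpdesk1@contoso.example")        # constructed list

# 1. Child role from the built-in template; role entries are inherited from the parent.
New-ManagementRole -Name $roleName -Parent "Mail Recipient Creation"

# 2. Remove the archive-related parameters from New-Mailbox in the new role.
#    ArchiveDatabase is assumed to exist on New-Mailbox in this Exchange version.
$archiveParams = @("Archive", "ArchiveDatabase")
Set-ManagementRoleEntry -Identity "$roleName\New-Mailbox" -Parameters $archiveParams -RemoveParameter

# 3. Confirm the New-Mailbox entry no longer lists any Archive* parameter.
$entry    = Get-ManagementRoleEntry -Identity "$roleName\New-Mailbox"
$leftover = $entry.Parameters | Where-Object { $_ -like "Archive*" }
if ($leftover) {
    Write-Warning "Archive parameters still present on New-Mailbox: $($leftover -join ', ')"
}

# 4. Look across every cmdlet in the role for other archive parameters. Note that
#    Enable-Mailbox -Archive lives in the Mail Recipients role, not this one, so
#    it has to be handled separately if that role is also assigned.
Get-ManagementRoleEntry -Identity "$roleName\*" |
    Where-Object { $_.Parameters -like "Archive*" } |
    Select-Object Name, @{ n = "ArchiveParams"; e = { ($_.Parameters | Where-Object { $_ -like "Archive*" }) -join ", " } }

# 5. New role group carrying only the trimmed role; built-in roles and groups stay untouched.
New-RoleGroup -Name $roleGroupName -Roles $roleName -Members $members
```

Keeping the change in a child role plus a dedicated role group means the built-in Mail Recipient Creation role and the default role groups are never edited, which is what avoids the lock-out risk the reply warns about.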
You saved me from a huge headache. Thank you very much!
Great article – any chance it can be updated for Exchange 2013? “MyContactInformation-Default Role Assignment Policy” doesn’t exist as a Role Assignment for us.
It disabled Contact Location and Contact Numbers fields, but what about disabling the “Change Photo” option?
Get-OwaVirtualDirectory -ShowMailboxVirtualDirectories | Set-OwaVirtualDirectory -SetPhotoEnabled $false
and recycle the below application pools
Default App Pool
OWA App Pool
ECP App Pool
Hi team,
Will there be an impact on the address book?
Regards
It’s to prevent end users from modifying centrally administered attributes. The address book is generated using these attributes, regardless of this configuration.
For testing, how do I apply this to a single user? How should I use the following PowerShell cmdlet?
Set-ManagementRoleAssignment -Identity "MyContactInformation-Default Role Assignment Policy" -Enabled $false