How to Customize Exchange 2010 RBAC Roles for Delegating User/Contact Management Part 2.

As a follow up to the last post, I decided to further restrict the Support Staff users’ access to the available custom ‘Address Book Management’ role cmdlets. The following commands enabled me to accomplish this objective:

1) C:\>Get-ManagementRoleEntry -Identity "Address Book Management\*" | ?{$_.Name -ne "Get-User"} | Remove-ManagementRoleEntry (This command removes all available cmdlets from this role except the ‘Get-User’ cmdlet.)

It turns out that the Get-User and Set-User cmdlets are not enough to grant the Support Staff permission to make contact information changes. The relevant cmdlets are displayed in the screenshot below:

[Screenshot: Capture5_edited]

I will now go ahead and add three more cmdlets that will be needed to properly display and edit relevant user information.

2) C:\>Add-ManagementRoleEntry -Identity "Address Book Management\Set-User" (Enables the intended support staff to edit user info.)

3) C:\>Add-ManagementRoleEntry -Identity "Address Book Management\Get-Recipient"

4) C:\>Add-ManagementRoleEntry -Identity "Address Book Management\Get-Mailbox"

As indicated in the last post, at this point a support user could log in to Outlook Web Access and navigate to the Options button in the top right corner: See All Options: Manage My Organization. They are presented with a listing of organization users and contacts, and can select and make only the intended changes as needed.
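To confirm that the role holds only the four cmdlets from the steps above, the following check compares its entries against an allowlist, shows which Set-User parameters are exposed, and lists who effectively holds the role. This is an added example, not part of the original post; the helper name Test-RoleEntryAllowList is hypothetical, and the constructed sample list is used only when the Exchange cmdlets are not available.

```powershell
# Added example: audit the custom role against the cmdlets it is meant to hold.
# Intended for the Exchange Management Shell (PowerShell 2.0 compatible).
# Test-RoleEntryAllowList is a hypothetical helper name, not an Exchange cmdlet.
function Test-RoleEntryAllowList {
    param(
        [string[]] $Actual  = @(),   # cmdlet names currently on the role
        [string[]] $Allowed = @()    # cmdlet names the role is supposed to have
    )
    # -notcontains is case-insensitive, matching how cmdlet names are resolved
    New-Object PSObject -Property @{
        Unexpected = @($Actual  | Where-Object { $Allowed -notcontains $_ })
        Missing    = @($Allowed | Where-Object { $Actual  -notcontains $_ })
    }
}

$role    = 'Address Book Management'
$allowed = 'Get-User', 'Set-User', 'Get-Recipient', 'Get-Mailbox'

if (Get-Command Get-ManagementRoleEntry -ErrorAction SilentlyContinue) {
    $entries = @(Get-ManagementRoleEntry -Identity "$role\*")
    $actual  = @($entries | ForEach-Object { $_.Name })

    # Parameters exposed on Set-User decide which attributes staff can change
    $entries | Where-Object { $_.Name -eq 'Set-User' } |
        Select-Object -ExpandProperty Parameters

    # Everyone who receives the role, directly or through a role group
    Get-ManagementRoleAssignment -Role $role -GetEffectiveUsers |
        Select-Object EffectiveUserName, RoleAssigneeName
} else {
    # Constructed sample so the comparison can be tried outside Exchange:
    # one stray write cmdlet present, one expected read cmdlet absent
    $actual = 'Get-User', 'Set-User', 'Get-Recipient', 'Set-Contact'
}

$result = Test-RoleEntryAllowList -Actual $actual -Allowed $allowed
if ($result.Unexpected.Count -or $result.Missing.Count) {
    Write-Warning ("Role '{0}' drifted. Unexpected: {1}. Missing: {2}." -f
        $role, ($result.Unexpected -join ', '), ($result.Missing -join ', '))
} else {
    "Role '$role' holds exactly: $($allowed -join ', ')"
}
```

Re-running the check after any later change to the role catches cmdlets that were added back without review.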


Chinny Chukwudozie, Cloud Solutions.

Passion for all things Cloud Technology.