How to Customize Exchange 2010 RBAC Roles for Delegating User/Contact Management Part 2.

As a follow-up to the last post, I decided to further restrict the Support Staff users’ access to the available custom ‘Address Book Management’ role cmdlets. The following commands enabled me to accomplish this objective:

1) C:\>Get-ManagementRoleEntry -Identity "Address Book Management\*" | ?{$_.Name -ne "Get-User"} | Remove-ManagementRoleEntry (This command removes all available cmdlets from this role except the ‘Get-User’ cmdlet.)

It turns out that the Get-User and Set-User cmdlets are not enough to grant the Support Staff permission to make contact information changes. The relevant cmdlets are displayed in the screenshot below:


I will now go ahead and add three more cmdlets that will be needed to properly display and edit relevant user information.

2) C:\>Add-ManagementRoleEntry -Identity "Address Book Management\Set-User" (Enables the intended support staff to edit user info.)

3) C:\>Add-ManagementRoleEntry -Identity "Address Book Management\Get-Recipient"

4) C:\>Add-ManagementRoleEntry -Identity "Address Book Management\Get-Mailbox"
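Steps 1 to 4 can also be expressed as a single allow-list reconciliation that reports who ends up holding the role. This is an added example, not part of the original post. It assumes the custom role name used above and an Exchange Management Shell session with rights to manage roles; the function name Sync-RoleEntries is hypothetical.

```powershell
# Added example: reconcile a custom role against an allow-list of cmdlets.
# Assumes the Exchange Management Shell and the custom role from this post.
$Role    = 'Address Book Management'
$Allowed = 'Get-User', 'Set-User', 'Get-Recipient', 'Get-Mailbox'

function Sync-RoleEntries {   # hypothetical helper name
    param(
        [string]$Role,
        [string[]]$Allowed,
        [switch]$Apply        # without -Apply every change runs as -WhatIf
    )

    # Cmdlet names currently granted by the role.
    $current = @(Get-ManagementRoleEntry -Identity "$Role\*" |
                 Select-Object -ExpandProperty Name)

    $missing = @($Allowed | Where-Object { $current -notcontains $_ })
    $extra   = @($current | Where-Object { $Allowed -notcontains $_ })

    # Add missing entries before removing extras.
    # An entry can only be added if it exists in the parent role.
    foreach ($name in $missing) {
        Add-ManagementRoleEntry -Identity "$Role\$name" -WhatIf:(-not $Apply)
    }
    foreach ($name in $extra) {
        Remove-ManagementRoleEntry -Identity "$Role\$name" -Confirm:$false -WhatIf:(-not $Apply)
    }

    # Return what was (or would be) changed so the run can be logged.
    New-Object PSObject -Property @{ Role = $Role; Added = $missing; Removed = $extra }
}

# Dry run first, then apply once the planned changes look right.
Sync-RoleEntries -Role $Role -Allowed $Allowed
# Sync-RoleEntries -Role $Role -Allowed $Allowed -Apply

# Verify: the entries the role now grants, with their parameters ...
Get-ManagementRoleEntry -Identity "$Role\*" | Format-Table Name, Parameters -AutoSize

# ... and every user who effectively receives them through an assignment.
Get-ManagementRoleAssignment -Role $Role -GetEffectiveUsers |
    Format-Table RoleAssigneeName, EffectiveUserName -AutoSize
```

Re-running the dry run later shows any drift from the allow-list, for example entries added back by another administrator.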

As indicated in the last post, at this point a support user could log in to Outlook Web Access and navigate to the Options button in the top right corner: See All Options: Manage My Organization. They are presented with a listing of Organization users and contacts, and could select and make only the intended changes as needed.
