Help Desk Role
The default Help Desk management role in Exchange 2010 doesn't allow members to edit information in the Organization category (Title, Company, Department, etc.) I don't want to add our level 1 help desk to the Recipient Management role. It gives more rights than they need. What do I need to do to add the ability to edit these fields to the default permission set in the Help Desk role? Thanks, Craige
August 26th, 2010 11:22pm
You are not asking an Exchange question since the information you are looking to change resides in Active Directory. take a look at: http://www.windowsecurity.com/articles/Implementing-Active-Directory-Delegation-Administration.html and see if you want embark on something like this. "clukowicz1" wrote in message news:5a942a7c-bc7b-4b60-9c65-0bb01f84275c... The default Help Desk management role in Exchange 2010 doesn't allow members to edit information in the Organization category (Title, Company, Department, etc.) I don't want to add our level 1 help desk to the Recipient Management role. It gives more rights than they need. What do I need to do to add the ability to edit these fields to the default permission set in the Help Desk role? Thanks, Craige Mark Arnold, Exchange MVP.
August 27th, 2010 4:04pm
Yet, these fields are not greyed out for users in the Recipient Management role defined within Exchange 2010. These fields are available to edit within the properties of a mail-enabled user within ECP, so there is a tie-in to Exchange. The members of the Exchange Help Desk role are able to modify fields like Phone # and Address within ECP without having to go into Active Directory Users and Computers, but can't touch things like title Title and Department fields. If I take the user out of the Help Desk role and add him to the Recipient Management role, the fields become editable. I would think there has to be some sort of sub-role I can assign to the Help Desk role to accomplish this. For example: by default in Exchange 2010 RTM, members of Recipient Management couldn't add or remove users from Exchange distribution lists. We had to run a powershell command in order to add the Security Group Creation and Membership role to the Recipient Management role as a workaround. They were then able to add/remove users. I'm assuming membership information for Exchange distribution lists is stored in AD as well the fields I'm trying to give the Help Desk edit rights to. Is there something similar that can be done in powershell to open up the informational fields I need them to edit?
August 27th, 2010 8:31pm
Hi Craige, You should create custom Role, Role Group to implement your request. By default, the Help Desk Role Group has two Role assigned: User Options and View-Only recipients Role. It is cmdlet Set-User which is an Role Entry of User Opions to let you to edit the information, eg: city, fax. You can run the cmdlet to check which parameters you can run against the "User Options", (Get-ManagementRoleEntry "User options\set-user").Parameters From the output, you can also find the parameters(Title,Company, Department) is not included. So you cannot edit these information. So you can run the cmdlet again to check which Role can run the Set-User with parameters(Title,Company, Department) : Get-ManagementEntry "*\*" -Parameters title It is Mail Recipients Management Role. Thus, you should create a custom Role based on "Mail Recipients", then assign the Role to the Help Desk Role Group. I would suggest you create a new Role Group, and keep the default "Help Desk" Role Group. And since there are many other Role entries included in the "Mail Recipients", you can also delete any other entries you don't want you admin to run it. For more information: Understanding Role Based Access Control http://technet.microsoft.com/en-us/library/dd298183.aspx Frank Wang
August 30th, 2010 11:56am
Thanks - I was able to create a new role group, base it on the Mail Recipients role assignment, then remove all parameters, except for Get-User. I then added Set-User back with only the specific fields my help desk folks need to be able to edit. I found that what was also required was the built-in View-Only Recipient Management assigned role in addition to the custom role I created so they can access all of this via the ECP. Thanks for your help. Craige
August 30th, 2010 11:24pm
I am a recent graduate from a leading university in Australia. Its hard to find a job in Australia relevant to Sfotware development at the junior level.........................................................Bactium ...........................................................................................................................................[url=http://healthproductadvice.com/bactium-review-does-it-eliminate-the-bacteria-from-your-colon/]Bactium[/url]
August 31st, 2010 10:26am