Exchange 2010 Adressbuchpflege im ECP
Ziel: Nicht-Administratoren sollen die Pflege von Telefonnummern, Adressdaten, Position, Abteilung usw. selbst durchführen können. Die Personen sollen jedoch nicht zu viele Rechte erhalten.
Problem:
- Die Rolle „User Options“ darf Abteilung und Firma nicht ändern (zu wenige Rechte).
- Die Rolle „Mail Recipients“ darf Active Sync und Litigation Hold aus- und einschalten (zu viele Rechte).
Exchange Adressbuchpflege
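# Create the custom management role. Its parent is "Mail Recipients", so it
# starts out with every entry of that role, i.e. far more rights than
# address-book maintenance needs. The surplus entries are pruned below.
New-ManagementRole -Name "Adressbuchpflege" -Parent "Mail Recipients"

# Cmdlets to strip from the new role (result of comparing "Mail Recipients"
# with "User Options"; everything not needed is removed).
$entriesToRemove = @(
    'Disable-MailContact',
    'Disable-ServiceEmailChannel',
    'Enable-MailContact',
    'Enable-MailUser',
    'Enable-ServiceEmailChannel',
    'Get-ADServerSettings',
    'Get-AcceptedDomain',
    'Get-ActiveSyncMailboxPolicy',
    'Get-Contact',
    'Get-LogonStatistics',
    'Get-MailContact',
    'Get-MailUser',
    'Get-MailboxAutoReplyConfiguration',
    'Get-MailboxDatabase',
    'Get-MailboxFolderPermission',
    'Get-MailboxPermission',
    'Get-OfflineAddressBook',
    'Get-OrganizationalUnit',
    'Get-OwaMailboxPolicy',
    'Get-PhysicalAvailabilityReport',
    'Get-ResourceConfig',
    'Get-RoleAssignmentPolicy',
    'Get-ServiceAvailabilityReport',
    'Get-ServiceStatus',
    'Get-Trust',
    'Get-UserPrincipalNamesSuffix',
    'New-OwaMailboxPolicy',
    'Remove-MailboxFolderPermission',
    'Remove-MailboxPermission',
    'Remove-OwaMailboxPolicy',
    'Set-LinkedUser',
    'Update-Recipient',
    'Add-MailboxFolderPermission',
    'Get-MailboxFolderStatistics',
    'Test-MAPIConnectivity',
    'Enable-RemoteMailbox',
    'Get-SecurityPrincipal',
    'New-PublicFolderDatabaseRepairrequest',
    'Set-MailboxCalendarFolder',
    'New-MailboxRepairRequest',
    'Set-Contact',
    'Get-ManagementRoleAssignment',
    'Get-RemoteMailbox',
    'Set-RemoteMailbox',
    'Get-AddressBookPolicy',
    'Enable-Mailbox',
    'Set-OwaMailboxPolicy',
    'Update-HybridConfiguration',
    'Disable-RemoteMailbox',
    'Disable-MailUser',
    'Get-HybridConfiguration',
    'Disable-Mailbox',
    'Set-MailContact',
    'Connect-Mailbox',
    'Add-MailboxPermission'
)

# Read the role's entries once and remove every listed cmdlet. -contains is a
# case-insensitive exact match, the same test the wildcard-free -like performed.
# Names that do not exist in the role are skipped without an error.
Get-ManagementRoleEntry "Adressbuchpflege\*" |
    Where-Object { $entriesToRemove -contains $_.Name } |
    Remove-ManagementRoleEntry -Confirm:$false

# The list above is a deny-list: any entry of "Mail Recipients" that is not
# named in it stays in the role (for example entries that exist only on another
# service pack level). Print what is left so it can be reviewed against the
# intended rights before the role is handed out.
Get-ManagementRoleEntry "Adressbuchpflege\*" | Sort-Object Name | Select-Object Name

# NOTE(review): the role assignment is not shown on this page. When assigning
# the role (New-ManagementRoleAssignment), limit it with a recipient write scope
# so that delegates can only edit the recipients they are responsible for.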
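# Remove the Litigation Hold tab: drop the inherited Set-Mailbox entry and add
# it back with an explicit parameter allow-list. Compared with the inherited
# entry, LitigationHoldDate, LitigationHoldEnabled and LitigationHoldOwner are
# left out.
# Unlike the bulk removals there is no -Confirm:$false here, so this removal
# presumably asks for confirmation.
Get-ManagementRoleEntry "Adressbuchpflege\*" |
    Where-Object { $_.Name -eq "set-mailbox" } |
    Remove-ManagementRoleEntry

# The list is kept in an array so that it can span several lines; a bare line
# break in the middle of a -Parameters list would cut the command in two.
#
# NOTE(review): this allow-list is still much wider than address-book
# maintenance. It keeps ForwardingAddress, ForwardingSmtpAddress,
# DeliverToMailboxAndForward and GrantSendOnBehalfTo (mail redirection and
# send-on-behalf), EmailAddresses, PrimarySmtpAddress, UserPrincipalName and
# SamAccountName (identity), RoleAssignmentPolicy, the Linked* parameters and
# the quota/retention settings. Trim every parameter the delegates do not
# need, and audit changes to the forwarding parameters if they have to stay.
$setMailboxParameters = @(
    'AcceptMessagesOnlyFrom', 'AcceptMessagesOnlyFromDLMembers', 'AcceptMessagesOnlyFromSendersOrMembers',
    'AddressBookPolicy', 'Alias', 'AntispamBypassEnabled', 'ApplyMandatoryProperties',
    'Arbitration', 'ArbitrationMailbox', 'ArchiveDomain', 'ArchiveName', 'ArchiveQuota',
    'ArchiveStatus', 'ArchiveWarningQuota', 'BypassModerationFromSendersOrMembers',
    'CalendarRepairDisabled', 'CalendarVersionStoreDisabled', 'Confirm',
    'CustomAttribute1', 'CustomAttribute10', 'CustomAttribute11', 'CustomAttribute12',
    'CustomAttribute13', 'CustomAttribute14', 'CustomAttribute15', 'CustomAttribute2',
    'CustomAttribute3', 'CustomAttribute4', 'CustomAttribute5', 'CustomAttribute6',
    'CustomAttribute7', 'CustomAttribute8', 'CustomAttribute9', 'Debug',
    'DeliverToMailboxAndForward', 'DisplayName', 'DomainController',
    'DowngradeHighPriorityMessagesEnabled', 'EmailAddresses', 'EmailAddressPolicyEnabled',
    'EndDateForRetentionHold', 'ErrorAction', 'ErrorVariable',
    'ExtensionCustomAttribute1', 'ExtensionCustomAttribute2', 'ExtensionCustomAttribute3',
    'ExtensionCustomAttribute4', 'ExtensionCustomAttribute5', 'ExternalOofOptions', 'Force',
    'ForwardingAddress', 'ForwardingSmtpAddress', 'GrantSendOnBehalfTo',
    'HiddenFromAddressListsEnabled', 'Identity', 'IgnoreDefaultScope', 'ImmutableId',
    'IssueWarningQuota', 'Languages', 'LinkedCredential', 'LinkedDomainController',
    'LinkedMasterAccount', 'MailTip', 'MailTipTranslations', 'ManagedFolderMailboxPolicy',
    'ManagedFolderMailboxPolicyAllowed', 'MaxBlockedSenders', 'MaxReceiveSize',
    'MaxSafeSenders', 'MaxSendSize', 'MessageTrackingReadStatusEnabled', 'ModeratedBy',
    'ModerationEnabled', 'Name', 'Office', 'OfflineAddressBook', 'OutBuffer', 'OutVariable',
    'Pop3AggregationEnabled', 'PrimarySmtpAddress', 'ProhibitSendQuota',
    'ProhibitSendReceiveQuota', 'RecipientLimits', 'RecoverableItemsQuota',
    'RecoverableItemsWarningQuota', 'RejectMessagesFrom', 'RejectMessagesFromDLMembers',
    'RejectMessagesFromSendersOrMembers', 'RemoteRecipientType',
    'RemoveManagedFolderAndPolicy', 'RemovePicture', 'RemoveSpokenName',
    'RequireSenderAuthenticationEnabled', 'ResourceCapacity', 'ResourceCustom',
    'RetainDeletedItemsFor', 'RetainDeletedItemsUntilBackup', 'RetentionComment',
    'RetentionHoldEnabled', 'RetentionPolicy', 'RetentionUrl', 'RoleAssignmentPolicy',
    'RssAggregationEnabled', 'RulesQuota', 'SamAccountName', 'SCLDeleteEnabled',
    'SCLDeleteThreshold', 'SCLJunkEnabled', 'SCLJunkThreshold', 'SCLQuarantineEnabled',
    'SCLQuarantineThreshold', 'SCLRejectEnabled', 'SCLRejectThreshold', 'SecondaryAddress',
    'SendModerationNotifications', 'SharingPolicy', 'SimpleDisplayName',
    'SingleItemRecoveryEnabled', 'StartDateForRetentionHold', 'ThrottlingPolicy', 'Type',
    'UseDatabaseQuotaDefaults', 'UseDatabaseRetentionDefaults', 'UserCertificate',
    'UserPrincipalName', 'UserSMimeCertificate', 'Verbose', 'WarningAction',
    'WarningVariable', 'WhatIf', 'WindowsEmailAddress'
)

Add-ManagementRoleEntry "Adressbuchpflege\set-mailbox" -Parameters $setMailboxParameters
# --> removed: LitigationHoldDate, LitigationHoldEnabled, LitigationHoldOwner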
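# Remove the ActiveSync tab: drop the inherited Set-CASMailbox entry and add it
# back with an explicit parameter allow-list. Compared with the inherited
# entry, ActiveSyncDebugLogging, ActiveSyncEnabled and ActiveSyncMailboxPolicy
# are left out.
# Unlike the bulk removals there is no -Confirm:$false here, so this removal
# presumably asks for confirmation.
Get-ManagementRoleEntry "Adressbuchpflege\*" |
    Where-Object { $_.Name -eq "set-casmailbox" } |
    Remove-ManagementRoleEntry

# NOTE(review): the remaining parameters still let a delegate switch OWA, ECP,
# EWS, IMAP, POP and MAPI access per mailbox and change OwaMailboxPolicy. If
# the role is meant for address data only, consider removing the Set-CASMailbox
# entry altogether instead of re-adding it.
# NOTE(review): WhatIf is not in this list although the removal note names only
# the three ActiveSync parameters; confirm whether that is intended.
$setCasMailboxParameters = @(
    'Confirm', 'Debug', 'DisplayName', 'DomainController', 'ECPEnabled', 'EmailAddresses',
    'ErrorAction', 'ErrorVariable', 'EwsAllowEntourage', 'EwsAllowList',
    'EwsAllowMacOutlook', 'EwsAllowOutlook', 'EwsApplicationAccessPolicy', 'EwsBlockList',
    'EwsEnabled', 'HasActiveSyncDevicePartnership', 'Identity', 'IgnoreDefaultScope',
    'ImapEnabled', 'ImapEnableExactRFC822Size', 'ImapMessagesRetrievalMimeFormat',
    'ImapSuppressReadReceipt', 'ImapUseProtocolDefaults', 'MAPIBlockOutlookNonCachedMode',
    'MAPIBlockOutlookRpcHttp', 'MAPIBlockOutlookVersions', 'MAPIEnabled', 'Name',
    'OutBuffer', 'OutVariable', 'OWAEnabled', 'OwaMailboxPolicy', 'PopEnabled',
    'PopEnableExactRFC822Size', 'PopMessagesRetrievalMimeFormat', 'PopSuppressReadReceipt',
    'PopUseProtocolDefaults', 'PrimarySmtpAddress', 'SamAccountName',
    'ShowGalAsDefaultView', 'Verbose', 'WarningAction', 'WarningVariable'
)

Add-ManagementRoleEntry "Adressbuchpflege\set-casmailbox" -Parameters $setCasMailboxParameters
# --> removed: ActiveSyncDebugLogging, ActiveSyncEnabled, ActiveSyncMailboxPolicy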