Exchange 2010 Adressbuchpflege im ECP

Ziel: Nicht-Administratoren sollen die Pflege von Telefonnummern, Adressdaten, Position, Abteilung usw. selbst durchführen können. Die Personen sollen jedoch nicht zu viele Rechte erhalten. Problem:
Rolle: User Options darf Abteilung und Firma nicht ändern
Rolle: Mail Recipients darf Active Sync und Litigation Hold aus- und einschalten

Exchange Adressbuchpflege

### neue Management Role anlegen - Diese hat als Parent Mail Recipients - also zu viele Rechte ! ###
# Create the custom role as a child of the built-in "Mail Recipients" role.
# A child role starts with every role entry of its parent, which is why the
# entries that are not needed for address-book maintenance are pruned afterwards.
$roleDefinition = @{
    Name   = "Adressbuchpflege"
    Parent = "Mail Recipients"
}
New-ManagementRole @roleDefinition
 
### Abgleich zwischen Mail Recipients und User Options - nicht benötigte Sachen werden entfernt ###
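# Role entries (cmdlets) inherited from "Mail Recipients" that are not needed for
# address-book maintenance and are therefore removed from the custom role.
# Keeping the names as data makes the pruning auditable and extensible in one place
# instead of 55 near-identical pipelines. Entries that are not present in the role
# are simply skipped, exactly as the original per-entry filter did.
$entriesToRemove = @(
    "Disable-MailContact",
    "Disable-ServiceEmailChannel",
    "Enable-MailContact",
    "Enable-MailUser",
    "Enable-ServiceEmailChannel",
    "Get-ADServerSettings",
    "Get-AcceptedDomain",
    "Get-ActiveSyncMailboxPolicy",
    "Get-Contact",
    "Get-LogonStatistics",
    "Get-MailContact",
    "Get-MailUser",
    "Get-MailboxAutoReplyConfiguration",
    "Get-MailboxDatabase",
    "Get-MailboxFolderPermission",
    "Get-MailboxPermission",
    "Get-OfflineAddressBook",
    "Get-OrganizationalUnit",
    "Get-OwaMailboxPolicy",
    "Get-PhysicalAvailabilityReport",
    "Get-ResourceConfig",
    "Get-RoleAssignmentPolicy",
    "Get-ServiceAvailabilityReport",
    "Get-ServiceStatus",
    "Get-Trust",
    "Get-UserPrincipalNamesSuffix",
    "New-OwaMailboxPolicy",
    "Remove-MailboxFolderPermission",
    "Remove-MailboxPermission",
    "Remove-OwaMailboxPolicy",
    "Set-LinkedUser",
    "Update-Recipient",
    "Add-MailboxFolderPermission",
    "Get-MailboxFolderStatistics",
    "Test-MAPIConnectivity",
    "Enable-RemoteMailbox",
    "Get-SecurityPrincipal",
    "New-PublicFolderDatabaseRepairrequest",
    "Set-MailboxCalendarFolder",
    "New-MailboxRepairRequest",
    "Set-Contact",
    "Get-ManagementRoleAssignment",
    "Get-RemoteMailbox",
    "Set-RemoteMailbox",
    "Get-AddressBookPolicy",
    "Enable-Mailbox",
    "Set-OwaMailboxPolicy",
    "Update-HybridConfiguration",
    "Disable-RemoteMailbox",
    "Disable-MailUser",
    "Get-HybridConfiguration",
    "Disable-Mailbox",
    "Set-MailContact",
    "Connect-Mailbox",
    "Add-MailboxPermission"
)

# One enumeration of the role instead of one per entry. -contains compares
# case-insensitively, matching the -like filter (no wildcards) it replaces.
# This is a deny-list on top of a powerful parent role: after running it, review what
# is left with  Get-ManagementRoleEntry "Adressbuchpflege\*"  so that only cmdlets
# needed for the stated purpose remain.
Get-ManagementRoleEntry "Adressbuchpflege\*" |
    Where-Object { $entriesToRemove -contains $_.Name } |
    Remove-ManagementRoleEntry -Confirm:$false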
 
### Litigation Hold-Reiter entfernen ###
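# Drop the inherited Set-Mailbox entry entirely; it is re-added below with an explicit
# parameter allow-list. -Confirm:$false keeps this consistent with the other removals
# (without it the cmdlet prompts interactively and a non-interactive run stalls).
Get-ManagementRoleEntry "Adressbuchpflege\*" |
    Where-Object { $_.Name -like "set-mailbox" } |
    Remove-ManagementRoleEntry -Confirm:$false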
 
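# Re-add Set-Mailbox with an explicit parameter allow-list. Parameters not listed here
# (LitigationHoldDate, LitigationHoldEnabled, LitigationHoldOwner) are no longer usable
# by holders of the role, which is what removes the Litigation Hold tab in ECP.
#
# The list is kept in a single array because the original two-line form was broken:
# a PowerShell line that starts with "," does not continue the previous command, so
# everything from RetainDeletedItemsFor onward was never passed to -Parameters.
#
# NOTE(review): this allow-list still contains DeliverToMailboxAndForward,
# ForwardingAddress, ForwardingSmtpAddress, GrantSendOnBehalfTo, EmailAddresses and
# PrimarySmtpAddress. These let a role holder redirect or delegate someone's mail and
# are not needed for the address-book maintenance this role is meant for — confirm
# they are intended, otherwise remove them from the array.
$setMailboxParameters = @(
    "AcceptMessagesOnlyFrom",
    "AcceptMessagesOnlyFromDLMembers",
    "AcceptMessagesOnlyFromSendersOrMembers",
    "AddressBookPolicy",
    "Alias",
    "AntispamBypassEnabled",
    "ApplyMandatoryProperties",
    "Arbitration",
    "ArbitrationMailbox",
    "ArchiveDomain",
    "ArchiveName",
    "ArchiveQuota",
    "ArchiveStatus",
    "ArchiveWarningQuota",
    "BypassModerationFromSendersOrMembers",
    "CalendarRepairDisabled",
    "CalendarVersionStoreDisabled",
    "Confirm",
    "CustomAttribute1",
    "CustomAttribute10",
    "CustomAttribute11",
    "CustomAttribute12",
    "CustomAttribute13",
    "CustomAttribute14",
    "CustomAttribute15",
    "CustomAttribute2",
    "CustomAttribute3",
    "CustomAttribute4",
    "CustomAttribute5",
    "CustomAttribute6",
    "CustomAttribute7",
    "CustomAttribute8",
    "CustomAttribute9",
    "Debug",
    "DeliverToMailboxAndForward",
    "DisplayName",
    "DomainController",
    "DowngradeHighPriorityMessagesEnabled",
    "EmailAddresses",
    "EmailAddressPolicyEnabled",
    "EndDateForRetentionHold",
    "ErrorAction",
    "ErrorVariable",
    "ExtensionCustomAttribute1",
    "ExtensionCustomAttribute2",
    "ExtensionCustomAttribute3",
    "ExtensionCustomAttribute4",
    "ExtensionCustomAttribute5",
    "ExternalOofOptions",
    "Force",
    "ForwardingAddress",
    "ForwardingSmtpAddress",
    "GrantSendOnBehalfTo",
    "HiddenFromAddressListsEnabled",
    "Identity",
    "IgnoreDefaultScope",
    "ImmutableId",
    "IssueWarningQuota",
    "Languages",
    "LinkedCredential",
    "LinkedDomainController",
    "LinkedMasterAccount",
    "MailTip",
    "MailTipTranslations",
    "ManagedFolderMailboxPolicy",
    "ManagedFolderMailboxPolicyAllowed",
    "MaxBlockedSenders",
    "MaxReceiveSize",
    "MaxSafeSenders",
    "MaxSendSize",
    "MessageTrackingReadStatusEnabled",
    "ModeratedBy",
    "ModerationEnabled",
    "Name",
    "Office",
    "OfflineAddressBook",
    "OutBuffer",
    "OutVariable",
    "Pop3AggregationEnabled",
    "PrimarySmtpAddress",
    "ProhibitSendQuota",
    "ProhibitSendReceiveQuota",
    "RecipientLimits",
    "RecoverableItemsQuota",
    "RecoverableItemsWarningQuota",
    "RejectMessagesFrom",
    "RejectMessagesFromDLMembers",
    "RejectMessagesFromSendersOrMembers",
    "RemoteRecipientType",
    "RemoveManagedFolderAndPolicy",
    "RemovePicture",
    "RemoveSpokenName",
    "RequireSenderAuthenticationEnabled",
    "ResourceCapacity",
    "ResourceCustom",
    "RetainDeletedItemsFor",
    "RetainDeletedItemsUntilBackup",
    "RetentionComment",
    "RetentionHoldEnabled",
    "RetentionPolicy",
    "RetentionUrl",
    "RoleAssignmentPolicy",
    "RssAggregationEnabled",
    "RulesQuota",
    "SamAccountName",
    "SCLDeleteEnabled",
    "SCLDeleteThreshold",
    "SCLJunkEnabled",
    "SCLJunkThreshold",
    "SCLQuarantineEnabled",
    "SCLQuarantineThreshold",
    "SCLRejectEnabled",
    "SCLRejectThreshold",
    "SecondaryAddress",
    "SendModerationNotifications",
    "SharingPolicy",
    "SimpleDisplayName",
    "SingleItemRecoveryEnabled",
    "StartDateForRetentionHold",
    "ThrottlingPolicy",
    "Type",
    "UseDatabaseQuotaDefaults",
    "UseDatabaseRetentionDefaults",
    "UserCertificate",
    "UserPrincipalName",
    "UserSMimeCertificate",
    "Verbose",
    "WarningAction",
    "WarningVariable",
    "WhatIf",
    "WindowsEmailAddress"
)

Add-ManagementRoleEntry "Adressbuchpflege\set-mailbox" -Parameters $setMailboxParameters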
--> entfernt: LitigationHoldDate, LitigationHoldEnabled, LitigationHoldOwner
 
### Active Sync-Reiter entfernen ###
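# Drop the inherited Set-CASMailbox entry entirely; it is re-added below with an explicit
# parameter allow-list. -Confirm:$false keeps this consistent with the other removals
# (without it the cmdlet prompts interactively and a non-interactive run stalls).
Get-ManagementRoleEntry "Adressbuchpflege\*" |
    Where-Object { $_.Name -like "set-casmailbox" } |
    Remove-ManagementRoleEntry -Confirm:$false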
 
# Re-add Set-CASMailbox with an explicit parameter allow-list. The ActiveSync
# parameters (ActiveSyncDebugLogging, ActiveSyncEnabled, ActiveSyncMailboxPolicy) are
# deliberately absent, which removes the Active Sync tab in ECP for this role.
#
# NOTE(review): OWAEnabled, MAPIEnabled, EwsEnabled, ImapEnabled and PopEnabled stay in
# the list, so a role holder can still switch a user's mailbox protocols off — that is
# outside address-book maintenance; confirm it is wanted.
$setCasMailboxParameters = @(
    "Confirm",
    "Debug",
    "DisplayName",
    "DomainController",
    "ECPEnabled",
    "EmailAddresses",
    "ErrorAction",
    "ErrorVariable",
    "EwsAllowEntourage",
    "EwsAllowList",
    "EwsAllowMacOutlook",
    "EwsAllowOutlook",
    "EwsApplicationAccessPolicy",
    "EwsBlockList",
    "EwsEnabled",
    "HasActiveSyncDevicePartnership",
    "Identity",
    "IgnoreDefaultScope",
    "ImapEnabled",
    "ImapEnableExactRFC822Size",
    "ImapMessagesRetrievalMimeFormat",
    "ImapSuppressReadReceipt",
    "ImapUseProtocolDefaults",
    "MAPIBlockOutlookNonCachedMode",
    "MAPIBlockOutlookRpcHttp",
    "MAPIBlockOutlookVersions",
    "MAPIEnabled",
    "Name",
    "OutBuffer",
    "OutVariable",
    "OWAEnabled",
    "OwaMailboxPolicy",
    "PopEnabled",
    "PopEnableExactRFC822Size",
    "PopMessagesRetrievalMimeFormat",
    "PopSuppressReadReceipt",
    "PopUseProtocolDefaults",
    "PrimarySmtpAddress",
    "SamAccountName",
    "ShowGalAsDefaultView",
    "Verbose",
    "WarningAction",
    "WarningVariable"
)

Add-ManagementRoleEntry "Adressbuchpflege\set-casmailbox" -Parameters $setCasMailboxParameters
--> entfernt: ActiveSyncDebugLogging, ActiveSyncEnabled, ActiveSyncMailboxPolicy