
Exchange: Delegate the creation and management of contacts

A reader asked whether certain users can be allowed to create and manage contacts for the organization. This can be done with little effort using a separate RBAC (Role Based Access Control) role that is only permitted to create and edit contacts in a specific organizational unit. Members of the role can then manage contacts via the Exchange Admin Center.

Before the creation and management of contacts can be delegated, two new management roles must first be created. The new management roles are based on existing roles (in this case "Mail Recipients" and "Mail Recipient Creation"):

New-ManagementRole -Parent "Mail Recipients" -Name Contacts
New-ManagementRole -Parent "Mail Recipient Creation" -Name ContactCreation

All commands that are not required for creating contacts are now removed from the newly created management roles; this is done with the following two commands:

Get-ManagementRoleEntry -Identity "Contacts\*" | where {$_.Name -notlike "*MailContact"} | Remove-ManagementRoleEntry -Confirm:$false
Get-ManagementRoleEntry -Identity "ContactCreation\*" | where {$_.Name -notlike "*MailContact"} | Remove-ManagementRoleEntry -Confirm:$false

The two commands above removed from the new management roles every cmdlet that does not have "MailContact" in its name. Creating and managing contacts requires a few additional cmdlets, however, so these must be added back:

Add-ManagementRoleEntry -Identity "Contacts\Get-User"
Add-ManagementRoleEntry -Identity "Contacts\Get-Recipient"
Add-ManagementRoleEntry -Identity "Contacts\Set-Contact"
Add-ManagementRoleEntry -Identity "Contacts\Get-Contact"

Add-ManagementRoleEntry -Identity "ContactCreation\Get-OrganizationalUnit"
Add-ManagementRoleEntry -Identity "ContactCreation\Get-User"
Add-ManagementRoleEntry -Identity "ContactCreation\Get-Recipient"

The two management roles are now ready. A new organizational unit for the contacts can now be created in the Active Directory; the users will later only be given permission to create contacts within this organizational unit:

A new administrator role is now created in the Exchange Admin Center:

The new administrator role is given the name "Contact Management"; the write scope is entered only after the role has been saved (otherwise an error message appears). In addition, the previously created management roles are added and the members of the administrator role are defined:

Once the administrator role has been saved, the write scope can be adjusted. The canonical name of the organizational unit is entered here:

Entering the organizational unit prevents contacts from being created in other organizational units:

Members of the "Contact Management" administrator role can now log on to the Exchange Admin Center and only have permission to create and edit contacts:

Only a few details are required to create a new contact, and with a little training this should not be a problem. However, members of the role must always select the alias and the organizational unit. If the organizational unit is left blank or an OU outside the write scope is selected, an error message is displayed:

If desired, a new address list containing the new contacts can be created:
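The same delegation as one Exchange Management Shell script, added here as an example rather than taken from the original post: it creates the roles, trims them, assigns the OU write scope with Set-RoleGroup after the role group exists (the shell equivalent of the "save first, then set the scope" step above), and finishes with a verification step that lists the cmdlets left in each role and the write scope of each assignment. The OU distinguished name and the member account are placeholders to replace.

```powershell
# Added example, not the original post's script. Run in the Exchange Management Shell
# with an account that may create management roles and role groups.

$contactOU = "OU=Contacts,DC=example,DC=com"   # placeholder: DN of the OU that will hold the contacts
$members   = @("contact.admin")                  # placeholder: users allowed to manage contacts

# 1. Derive the two custom roles from their built-in parents.
New-ManagementRole -Parent "Mail Recipients"         -Name Contacts
New-ManagementRole -Parent "Mail Recipient Creation" -Name ContactCreation

# 2. Least privilege: drop every cmdlet that is not a *MailContact cmdlet, then re-add
#    the few read-only helpers the Exchange Admin Center contact forms need.
foreach ($role in "Contacts", "ContactCreation") {
    Get-ManagementRoleEntry -Identity "$role\*" |
        Where-Object { $_.Name -notlike "*MailContact" } |
        Remove-ManagementRoleEntry -Confirm:$false
}
"Contacts\Get-User", "Contacts\Get-Recipient", "Contacts\Set-Contact", "Contacts\Get-Contact",
"ContactCreation\Get-OrganizationalUnit", "ContactCreation\Get-User", "ContactCreation\Get-Recipient" |
    ForEach-Object { Add-ManagementRoleEntry -Identity $_ }

# 3. Create the role group first, then restrict its recipient write scope to the OU.
New-RoleGroup -Name "Contact Management" -Roles Contacts, ContactCreation -Members $members
Set-RoleGroup -Identity "Contact Management" -RecipientOrganizationalUnitScope $contactOU

# 4. Verify: only contact-related cmdlets remain in each role ...
foreach ($role in "Contacts", "ContactCreation") {
    Write-Host "Cmdlets granted by role ${role}:"
    Get-ManagementRoleEntry -Identity "$role\*" | Select-Object -ExpandProperty Name
}
# ... and every assignment of the role group is OU-scoped (RecipientWriteScope should read OU).
Get-ManagementRoleAssignment -RoleAssignee "Contact Management" |
    Select-Object Name, Role, RecipientWriteScope
```

If any assignment still reports an Organization write scope, the scope was not applied and members could create contacts anywhere in the forest, so re-run the Set-RoleGroup step before handing the role group to its members.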
