I need to delegate adding contacts to clerical staff

  • Question

  • Exchange 2013 running on 2012 R2, Windows 8.1 desktops.

    We have a PowerShell script the domain admins use to add Exchange contacts. It simply asks for the name of the contact, formats the name, adds the user as a contact, and then adds the contact email address to a MessageLabs import file.

    I want to hand this off to the same clerical person that sends the email saying, "add Joe Smith - jsmith@yahoo.com".

    What permissions (or anything else) does this user need? The script is below. (And even though I have been dabbling in PowerShell for years, I feel I still am a PowerShell newbie, so any constructive criticism of the script is welcome, knowing I err on the side of self-documentation over concise - formerly writing in COBOL is a factor here.)  :^)

    Rob

    # add exchange snap-in
    Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn
    $today         = (get-date).Date
    # create messagelabs import file when run on new day
    $msglabs       = "C:\Users\administrator.MIAT\Desktop\messagelabs.csv"
    $lastWriteTime = ((Get-Item $msglabs).LastWriteTime).date
    if ($lastWriteTime -ne $today) {New-Item $msglabs -type file -force}
    Write-Output "To keep going hit enter, else any key + enter to quit."
    $keep_going    = ""
    do
    {
    # get student info interactively
    $contact_fname = Read-Host "First name"
    $contact_fname = $contact_fname.Trim();
    $contact_lname = Read-Host "Last  name"
    $contact_lname = $contact_lname.Trim();
    $contact_forwd = Read-Host "Forward to"
    $contact_forwd = $contact_forwd.Trim();
    # set up mail alias
    $contact_fname = $contact_fname.Substring(0,1).ToUpper()+$contact_fname.Substring(1).ToLower()
    $contact_lname = $contact_lname.Substring(0,1).ToUpper()+$contact_lname.Substring(1).ToLower()   
    $contact_finit = $contact_fname.Substring(0,1)
    $contact_cname = $contact_fname + " " + $contact_lname
    $contact_alias = $contact_finit + $contact_lname
    # create mail contact and messagelabs address record
    New-MailContact -ExternalEmailAddress $contact_forwd -Name $contact_cname -Alias $contact_alias -FirstName $contact_fname -Initials '' -LastName $contact_lname
    Set-MailContact $contact_forwd -HiddenFromAddressListsEnabled $True
    Write-Output (Get-Mailcontact -Filter {DisplayName -eq $contact_cname}).emailaddresses | Select-String "domain.ext"
    Add-Content $msglabs ($contact_alias + "@domain.ext")
    $keep_going    = Read-Host "Keep going?"
    }
    while ($keep_going -eq "")
    #
    $upload_contacts = read-host "Upload new accounts to filtering service daily. Login to messagelabs, services, platform, upload, browse for messagelabs.csv...hit enter when ready"
    # go to the messagelabs web site for uploading the new student email contacts
    start "https://clients.messagelabs.com"

    • Moved by Amy.Wang (Moderator), Thursday, October 30, 2014 7:18 AM: This is an issue related to Exchange development
    Monday, October 27, 2014 6:43 PM

All replies

  • Hi Rob,

    The only thing I can see is the

    New-MailContact -ExternalEmailAddress $contact_forwd -Name $contact_cname -Alias $contact_alias -FirstName $contact_fname -Initials '' -LastName $contact_lname
    Set-MailContact $contact_forwd -HiddenFromAddressListsEnabled $True

    If you add the -OrganizationalUnit parameter, you can just delegate the create object to that particular OU in AD (to a group). If so, you do not need additional permissions from Exchange.

    As you can see from the New-MailContact page, you can alternatively add the permissions as shown in http://technet.microsoft.com/en-us/library/dd638132(v=exchg.150).aspx (Recipient Management role, by default). That approach may also result in additional permissions.

    Regards,
    Martin

    Monday, October 27, 2014 8:14 PM
  • Hi Rob,

    Have you checked the suggestion Martin provided?

    Is there any update with your issue?

    Best regards,

    Amy Wang
    TechNet Community Support

    Thursday, October 30, 2014 3:00 AM
    Moderator
  • Martin,

    Thank you for your reply - I needed three things to get it to work.

    First of all, thank you for your -OrganizationalUnit parameter suggestion. That allowed me to direct the contact to the OU I desired.

    I also stumbled across Don Jones' excellent post on implicit vs. explicit remoting:

    http://blogs.technet.com/b/heyscriptingguy/archive/2012/01/23/learn-how-to-use-powershell-to-run-exchange-server-commands-remotely.aspx

    Using implicit remoting, I was able to get the script to work from a client workstation, without loading any Exchange tools on the client, but logged in as an administrator.

    And, giving the user Organization Management privileges from the Exchange admin center allowed the script to run on the client logged in as the user.

    I am very excited about being able to delegate this to the staff.

    One question: when I add a user on the Exchange server, it returns one line of output; when I do it on the client, I get two full scrolled pages of data. Why the expanded output?

    Rob

    Here is the new script:

    # create implicit remote powershell session on exchange server
    $cred = Get-Credential domain\administrator
    $session = New-PSSession -ConfigurationName microsoft.exchange -connectionuri http://canexch1/powershell -Credential $cred
    Import-PSSession $session
    # create messagelabs import file when run on new day
    $today         = (get-date).Date
    $msglabs       = "M:\department\admissions\messagelabs.csv"
    $lastWriteTime = ((Get-Item $msglabs).LastWriteTime).date
    if ($lastWriteTime -ne $today) {New-Item $msglabs -type file -force}
    Write-Output "To keep going hit enter, else any key + enter to quit."
    $keep_going    = ""
    do
    {
    # get student info interactively
    $contact_fname = Read-Host "First name"
    $contact_fname = $contact_fname.Trim()
    $contact_lname = Read-Host "Last  name"
    $contact_lname = $contact_lname.Trim()
    $contact_forwd = Read-Host "Forward to"
    $contact_forwd = $contact_forwd.Trim()
    # set up mail alias
    $contact_fname = $contact_fname.Substring(0,1).ToUpper()+$contact_fname.Substring(1).ToLower()
    $contact_lname = $contact_lname.Substring(0,1).ToUpper()+$contact_lname.Substring(1).ToLower()    
    $contact_finit = $contact_fname.Substring(0,1)
    $contact_cname = $contact_fname + " " + $contact_lname
    $contact_alias = $contact_finit + $contact_lname
    # create mail contact and messagelabs address record
    New-MailContact -ExternalEmailAddress $contact_forwd -Name $contact_cname -Alias $contact_alias -FirstName $contact_fname -LastName $contact_lname -organizationalunit 'domain.local/Student Users and Computers/Forwards'
    Set-MailContact $contact_forwd -HiddenFromAddressListsEnabled $True
    Write-Output (Get-Mailcontact -Filter {DisplayName -eq $contact_cname}).emailaddresses | Select-String "domain.edu"
    Add-Content $msglabs ($contact_alias + "@domain.edu")
    $keep_going    = Read-Host "Keep going?"
    }
    while ($keep_going -eq "")
    #
    $upload_contacts = read-host "Upload new accounts to filtering service daily. Login to messagelabs, services, platform, upload, browse for messagelabs.csv...hit enter when ready"
    # go to the messagelabs web site for uploading the new student email contacts
    start "https://clients.messagelabs.com"

    Thursday, October 30, 2014 3:25 AM
  • One more question: what are the least privileges I can grant to a user for this function?
    Thursday, October 30, 2014 12:51 PM
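
An added example, not part of the original thread: one way to replace the Organization Management grant with an Exchange RBAC role group that carries only the three cmdlets the script calls (New-MailContact, Set-MailContact, Get-MailContact), write-scoped to the OU used in the second script. The role and group names and the member `clerk1` are hypothetical, and it assumes the built-in parent roles carry these cmdlets on this Exchange version (the code checks before creating anything from them).

```powershell
# Added example: least-privilege RBAC for the contact script.
# Run once by an Exchange admin in the Exchange Management Shell.
# Assumptions: the group/role names and the member 'clerk1' are hypothetical;
# the OU is the one used in the thread's second script.
$ou      = 'domain.local/Student Users and Computers/Forwards'
$group   = 'Forward Contact Creators'
$members = @('clerk1')

# Cmdlets the script calls, keyed by the built-in role expected to carry them.
$needed = @{
    'Mail Recipient Creation' = @('New-MailContact')
    'Mail Recipients'         = @('Get-MailContact', 'Set-MailContact')
}

# Empty role group; roles are attached below with an OU write scope.
New-RoleGroup -Name $group -Members $members | Out-Null

foreach ($parent in $needed.Keys) {
    $child = "$group - $parent"
    $keep  = $needed[$parent]

    # Stop if the parent role does not carry a cmdlet we expect from it.
    foreach ($cmdlet in $keep) {
        if (-not (Get-ManagementRoleEntry "$parent\$cmdlet" -ErrorAction SilentlyContinue)) {
            throw "'$parent' has no entry for $cmdlet; check the role on this Exchange version."
        }
    }

    # A child role starts with every entry of its parent; strip all but $keep.
    New-ManagementRole -Name $child -Parent $parent | Out-Null
    Get-ManagementRoleEntry "$child\*" |
        Where-Object { $keep -notcontains $_.Name } |
        ForEach-Object { Remove-ManagementRoleEntry "$child\$($_.Name)" -Confirm:$false }

    # Members may only write to recipients inside the Forwards OU.
    New-ManagementRoleAssignment -Role $child -SecurityGroup $group `
        -RecipientOrganizationalUnitScope $ou | Out-Null
}

# Review the result: assignments with their write scope, then the cmdlets left.
Get-ManagementRoleAssignment -RoleAssignee $group |
    Format-Table Name, Role, RecipientWriteScope, CustomRecipientWriteScope -AutoSize
Get-ManagementRoleEntry "$group - *\*" | Format-Table Role, Name -AutoSize
```

With this in place the clerk opens the remote session under their own account rather than `domain\administrator`, and the session exposes only the cmdlets the role group allows. Write access to the share holding messagelabs.csv is a separate file-system permission.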