Hi guys,
Has anyone else done this?
Having set up PCNS at our site I now want to remove the option to change a password in the OWA interface for all of my users, so that they can't create 'unsynced' passwords for their live@edu mailboxes.
I assume that this is done in Powershell, but don't know where to start
Thanks in advance!
Ben
I'm not confirming that it works, but you can turn off password reset on the service manglement portal (eduadmin.live.com).
Mr.Ben (10th February 2012)
That's taken away the users ability to request a password reset - so part of the problem is solved Thanks @PiqueABoo
They can still change their passwords when they have logged in though.
Did you get any further with this?
Not as yet! - To be honest though, i haven't looked at it in a few days.Originally Posted by ihaveaproblem
I'll bump this up to the Live@edu team to see if it can be done.
I have done this, I can't remember the method, I setup Live@EDU at a previous school a while ago. If you google the question you should get a result.
It's probably possible using RBAC. I've been reading about this (yesterday in fact) for Office 365. Would need to check if it also works for Outlook Live.
Hi James,
I thought it may be down to the Access Controls - Can you send me the info that you were looking at for Office 365?
The following is a work in progress, use at your own risk!
I'm going to write this up, but here's the working version, borrowing largely from the inspiration post:
- Open up a remote PowerShell session to your Outlook Live tenant.
- Export MyBaseOptions_DefaultMailboxPlan management role entries for reference:
Get-ManagementRoleEntry MyBaseOptions_DefaultMailboxPlan\* | ConvertTo-Html > C:\MyBaseOptions_DefaultMailboxPlan.htm
- Copy the existing MyBaseOptions_DefaultMailboxPlan management role as a new role:
New-ManagementRole –Parent MyBaseOptions_DefaultMailboxPlan –Name MyCustomOptions_DefaultMailboxPlan
- Remove all Set-Mailbox parameters from the new role:
Remove-ManagementRoleEntry MyMailbox\Set-Mailbox
- Add Set-Mailbox parameters back to new role, except the password reference:
Add-ManagementRoleEntry MyMailbox\Set-Mailbox –Parameters AcceptMessagesOnlyFrom, AcceptMessagesOnlyFromDLMembers, AcceptMessagesOnlyFromSendersOrMembers, DeliverToMailboxAndForward, ErrorAction, ErrorVariable, ExternalOofOptions, ForwardingAddress, ForwardingSmtpAddress, GrantSendOnBehalfTo, Identity, Languages, MailTip, MailTipTranslations, OutBuffer, OutVariable, RejectMessagesFrom, RejectMessagesFromDLMembers, RejectMessagesFromSendersOrMembers, RequireSenderAuthenticationEnabled, UserCertificate, UserSMimeCertificate, WarningAction, WarningVariable
- Now, in ECP, under Roles & Auditing open up the User Role for the DefaultMailboxPlan, scroll down and you'll see something (hopefully) like:
rolesgrab.PNG
- Uncheck the MyBaseOptions_DefaultMailboxPlan role, and select the MyCustomOptions one.
Give it some time to sink in, and in theory you should've lost the link to reset passwords via OWA:
passwordgrab.PNG
Hi @jamesbmarshall
Fingers crossed that solved the issue!
It's not obvious for those of us that don't work with exchange too often that 'MyMailbox\Set-Mailbox' needs to refer to 'MyCustomOptions_DefaultMailboxPlan\Set-Mailbox' in your example.
Thanks again
Ben
Oops! You're right. I would go back and edit, but I can't.
I would try this, but a bit confused after your last two posts ^^
I strongly suspect exposure to powershell accelerates brain cell death rate (proportionally to number of cmdlet syllables, total line lengths etc.), or at least it routinely does my head in. I'm pretty sure this will do the same trick *and* help save your IQ:
New-ManagementRole –Parent MyBaseOptions_DefaultMailboxPlan –Name MyCustomOptions_DefaultMailboxPlan
Set-ManagementRoleEntry MyCustomOptions_DefaultMailboxPlan\Set-Mailbox –Parameters Password -RemoveParameter
Then go click in ECP Roles & Auditing as Jame's post above. If you want to undo those changes for any reason, go run this:
Remove-ManagementRole MyCustomOptions_DefaultMailboxPlan
It's just a small change - again use at your own risk!
•Open up a remote PowerShell session to your Outlook Live tenant.
•Export MyBaseOptions_DefaultMailboxPlan management role entries for reference:
Get-ManagementRoleEntry MyBaseOptions_DefaultMailboxPlan\* | ConvertTo-Html > C:\MyBaseOptions_DefaultMailboxPlan.htm
•Copy the existing MyBaseOptions_DefaultMailboxPlan management role as a new role:
New-ManagementRole –Parent MyBaseOptions_DefaultMailboxPlan –Name MyCustomOptions_DefaultMailboxPlan
•Remove all Set-Mailbox parameters from the new role:
Remove-ManagementRoleEntry MyCustomOptions_DefaultMailboxPlan\Set-Mailbox
•Add Set-Mailbox parameters back to new role, except the password reference:
Add-ManagementRoleEntry MyCustomOptions_DefaultMailboxPlan\Set-Mailbox –Parameters AcceptMessagesOnlyFrom, AcceptMessagesOnlyFromDLMembers, AcceptMessagesOnlyFromSendersOrMembers, DeliverToMailboxAndForward, ErrorAction, ErrorVariable, ExternalOofOptions, ForwardingAddress, ForwardingSmtpAddress, GrantSendOnBehalfTo, Identity, Languages, MailTip, MailTipTranslations, OutBuffer, OutVariable, RejectMessagesFrom, RejectMessagesFromDLMembers, RejectMessagesFromSendersOrMembers, RequireSenderAuthenticationEnabled, UserCertificate, UserSMimeCertificate, WarningAction, WarningVariable
Then follow the guidelines that James wrote to assign this role to all of your mailboxes in the ECP
There are currently 1 users browsing this thread. (0 members and 1 guests)
Posting Permissions
LinkBack URL
About LinkBacks
Reply With Quote
