Exchange RBAC Role for Set-UserPhoto
Hi all,
The Exchange cmdlet Set-UserPhoto lets you store high-resolution photos (JPEG with 648 x 648 pixels and a color depth of 24 bit).
Uploading High Resolution User Profile Pictures in Office 365
https://tahoeninjas.blog/2015/04/10/uploading-high-resolution-user-profile-pictures-in-office-365/
Set-UserPhoto -Identity "boa" -PictureData ([System.IO.File]::ReadAllBytes("C:\Scripts\Avatar.jpg"))
Exchange Role Based Access Control (RBAC) On-Prem
Often different teams are responsible for identity, Exchange and the photo import. So the task is to create an Exchange RBAC role that is allowed to change the photos and nothing else.
I have created a similar RBAC role for Exchange 2010 before.
So let's see which roles contain the Set-UserPhoto cmdlet
Get-ManagementRole -Cmdlet set-userPhoto | ft Name,Roletype,IsEndUserRole
There are only two roles that are not end-user roles and contain the cmdlet. Let's see how many other cmdlets these roles contain.
Get-ManagementRole -RoleType MailRecipients | Get-ManagementRoleEntry | measure
Get-ManagementRole -RoleType UserOptions | Get-ManagementRoleEntry | measure
The "UserOptions" role has fewer cmdlets that need to be removed, so we continue with that one.
I copy the cmdlets to the clipboard and display them
Now I create a new management role. In Exchange a new role is always based on an existing role. Cmdlets that are not needed are then removed.
I have made it a habit to use a prefix for such customized roles so that they can be recognized as such by name alone. I chose "ICE-" as an abbreviation for Icewolf. "Custom-" or the company name would also work.
New-ManagementRole -Parent "User Options" -Name ICE-UserPhoto
Now the cmdlets of the role can be displayed once more.
Get-ManagementRoleEntry -Identity "ICE-UserPhoto\*"
In Notepad++ I replace the spaces from the clipboard using a regex
Now all cmdlets except the following can be removed
- Get-UserPhoto
- Set-UserPhoto
- Remove-UserPhoto
- Import-RecipientDataProperty
Get-ManagementRoleEntry -Identity "ICE-UserPhoto\Set-CASMailbox" | Remove-ManagementRoleEntry -Confirm:$false
Get-ManagementRoleEntry -Identity "ICE-UserPhoto\Get-Recipient" | Remove-ManagementRoleEntry -Confirm:$false
Get-ManagementRoleEntry -Identity "ICE-UserPhoto\Remove-SweepRule" | Remove-ManagementRoleEntry -Confirm:$false
Get-ManagementRoleEntry -Identity "ICE-UserPhoto\Get-MailboxUserConfiguration" | Remove-ManagementRoleEntry -Confirm:$false
Get-ManagementRoleEntry -Identity "ICE-UserPhoto\Get-OnlineMeetingConfiguration" | Remove-ManagementRoleEntry -Confirm:$false
Get-ManagementRoleEntry -Identity "ICE-UserPhoto\Set-MailboxAutoReplyConfiguration" | Remove-ManagementRoleEntry -Confirm:$false
Get-ManagementRoleEntry -Identity "ICE-UserPhoto\Get-MailboxPreferredLocation" | Remove-ManagementRoleEntry -Confirm:$false
Get-ManagementRoleEntry -Identity "ICE-UserPhoto\Set-MailboxMessageConfiguration" | Remove-ManagementRoleEntry -Confirm:$false
Get-ManagementRoleEntry -Identity "ICE-UserPhoto\Set-SweepRule" | Remove-ManagementRoleEntry -Confirm:$false
Get-ManagementRoleEntry -Identity "ICE-UserPhoto\Set-MailboxCalendarFolder" | Remove-ManagementRoleEntry -Confirm:$false
Get-ManagementRoleEntry -Identity "ICE-UserPhoto\New-SweepRule" | Remove-ManagementRoleEntry -Confirm:$false
Get-ManagementRoleEntry -Identity "ICE-UserPhoto\Get-MobileDeviceStatistics" | Remove-ManagementRoleEntry -Confirm:$false
Get-ManagementRoleEntry -Identity "ICE-UserPhoto\Get-Mailbox" | Remove-ManagementRoleEntry -Confirm:$false
Get-ManagementRoleEntry -Identity "ICE-UserPhoto\Set-UnifiedAuditSetting" | Remove-ManagementRoleEntry -Confirm:$false
Get-ManagementRoleEntry -Identity "ICE-UserPhoto\Set-MailboxJunkEmailConfiguration" | Remove-ManagementRoleEntry -Confirm:$false
Get-ManagementRoleEntry -Identity "ICE-UserPhoto\Start-AuditAssistant" | Remove-ManagementRoleEntry -Confirm:$false
Get-ManagementRoleEntry -Identity "ICE-UserPhoto\New-InboxRule" | Remove-ManagementRoleEntry -Confirm:$false
Get-ManagementRoleEntry -Identity "ICE-UserPhoto\Get-SweepRule" | Remove-ManagementRoleEntry -Confirm:$false
Get-ManagementRoleEntry -Identity "ICE-UserPhoto\Remove-MailboxUserConfiguration" | Remove-ManagementRoleEntry -Confirm:$false
Get-ManagementRoleEntry -Identity "ICE-UserPhoto\Set-MailboxCalendarConfiguration" | Remove-ManagementRoleEntry -Confirm:$false
Get-ManagementRoleEntry -Identity "ICE-UserPhoto\Enable-SweepRule" | Remove-ManagementRoleEntry -Confirm:$false
Get-ManagementRoleEntry -Identity "ICE-UserPhoto\Set-InboxRule" | Remove-ManagementRoleEntry -Confirm:$false
Get-ManagementRoleEntry -Identity "ICE-UserPhoto\Get-UnifiedAuditSetting" | Remove-ManagementRoleEntry -Confirm:$false
Get-ManagementRoleEntry -Identity "ICE-UserPhoto\Get-User" | Remove-ManagementRoleEntry -Confirm:$false
Get-ManagementRoleEntry -Identity "ICE-UserPhoto\Disable-SweepRule" | Remove-ManagementRoleEntry -Confirm:$false
Get-ManagementRoleEntry -Identity "ICE-UserPhoto\Clear-MobileDevice" | Remove-ManagementRoleEntry -Confirm:$false
Get-ManagementRoleEntry -Identity "ICE-UserPhoto\New-App" | Remove-ManagementRoleEntry -Confirm:$false
Get-ManagementRoleEntry -Identity "ICE-UserPhoto\Get-ADServerSettings" | Remove-ManagementRoleEntry -Confirm:$false
Get-ManagementRoleEntry -Identity "ICE-UserPhoto\Set-Mailbox" | Remove-ManagementRoleEntry -Confirm:$false
Get-ManagementRoleEntry -Identity "ICE-UserPhoto\Get-MailboxStatistics" | Remove-ManagementRoleEntry -Confirm:$false
Get-ManagementRoleEntry -Identity "ICE-UserPhoto\Set-HybridConfiguration" | Remove-ManagementRoleEntry -Confirm:$false
Get-ManagementRoleEntry -Identity "ICE-UserPhoto\New-HybridConfiguration" | Remove-ManagementRoleEntry -Confirm:$false
Get-ManagementRoleEntry -Identity "ICE-UserPhoto\Set-MailUser" | Remove-ManagementRoleEntry -Confirm:$false
Get-ManagementRoleEntry -Identity "ICE-UserPhoto\Stop-UMPhoneSession" | Remove-ManagementRoleEntry -Confirm:$false
Get-ManagementRoleEntry -Identity "ICE-UserPhoto\Enable-UMCallAnsweringRule" | Remove-ManagementRoleEntry -Confirm:$false
Get-ManagementRoleEntry -Identity "ICE-UserPhoto\Remove-App" | Remove-ManagementRoleEntry -Confirm:$false
Get-ManagementRoleEntry -Identity "ICE-UserPhoto\Enable-App" | Remove-ManagementRoleEntry -Confirm:$false
Get-ManagementRoleEntry -Identity "ICE-UserPhoto\Disable-UMCallAnsweringRule" | Remove-ManagementRoleEntry -Confirm:$false
Get-ManagementRoleEntry -Identity "ICE-UserPhoto\Remove-MobileDevice" | Remove-ManagementRoleEntry -Confirm:$false
Get-ManagementRoleEntry -Identity "ICE-UserPhoto\Disable-App" | Remove-ManagementRoleEntry -Confirm:$false
Get-ManagementRoleEntry -Identity "ICE-UserPhoto\Remove-UMCallAnsweringRule" | Remove-ManagementRoleEntry -Confirm:$false
Get-ManagementRoleEntry -Identity "ICE-UserPhoto\Start-UMPhoneSession" | Remove-ManagementRoleEntry -Confirm:$false
Get-ManagementRoleEntry -Identity "ICE-UserPhoto\Get-App" | Remove-ManagementRoleEntry -Confirm:$false
Get-ManagementRoleEntry -Identity "ICE-UserPhoto\Set-User" | Remove-ManagementRoleEntry -Confirm:$false
Get-ManagementRoleEntry -Identity "ICE-UserPhoto\New-UMCallAnsweringRule" | Remove-ManagementRoleEntry -Confirm:$false
Get-ManagementRoleEntry -Identity "ICE-UserPhoto\Set-UMMailboxConfiguration" | Remove-ManagementRoleEntry -Confirm:$false
Get-ManagementRoleEntry -Identity "ICE-UserPhoto\Set-UMCallAnsweringRule" | Remove-ManagementRoleEntry -Confirm:$false
Get-ManagementRoleEntry -Identity "ICE-UserPhoto\Get-UMPhoneSession" | Remove-ManagementRoleEntry -Confirm:$false
Get-ManagementRoleEntry -Identity "ICE-UserPhoto\Get-UMMailboxConfiguration" | Remove-ManagementRoleEntry -Confirm:$false
Get-ManagementRoleEntry -Identity "ICE-UserPhoto\Get-UMCallAnsweringRule" | Remove-ManagementRoleEntry -Confirm:$false
Get-ManagementRoleEntry -Identity "ICE-UserPhoto\Get-MailboxSentItemsConfiguration" | Remove-ManagementRoleEntry -Confirm:$false
Get-ManagementRoleEntry -Identity "ICE-UserPhoto\Set-MailboxSentItemsConfiguration" | Remove-ManagementRoleEntry -Confirm:$false
Get-ManagementRoleEntry -Identity "ICE-UserPhoto\Write-AdminAuditLog" | Remove-ManagementRoleEntry -Confirm:$false
Get-ManagementRoleEntry -Identity "ICE-UserPhoto\Disable-InboxRule" | Remove-ManagementRoleEntry -Confirm:$false
Get-ManagementRoleEntry -Identity "ICE-UserPhoto\Enable-InboxRule" | Remove-ManagementRoleEntry -Confirm:$false
Get-ManagementRoleEntry -Identity "ICE-UserPhoto\Remove-InboxRule" | Remove-ManagementRoleEntry -Confirm:$false
Get-ManagementRoleEntry -Identity "ICE-UserPhoto\Get-MailboxRegionalConfiguration" | Remove-ManagementRoleEntry -Confirm:$false
Get-ManagementRoleEntry -Identity "ICE-UserPhoto\Set-MailboxRegionalConfiguration" | Remove-ManagementRoleEntry -Confirm:$false
Get-ManagementRoleEntry -Identity "ICE-UserPhoto\Set-ADServerSettings" | Remove-ManagementRoleEntry -Confirm:$false
Get-ManagementRoleEntry -Identity "ICE-UserPhoto\Set-UMMailboxPIN" | Remove-ManagementRoleEntry -Confirm:$false
Get-ManagementRoleEntry -Identity "ICE-UserPhoto\Set-MailboxSpellingConfiguration" | Remove-ManagementRoleEntry -Confirm:$false
Get-ManagementRoleEntry -Identity "ICE-UserPhoto\Set-CalendarProcessing" | Remove-ManagementRoleEntry -Confirm:$false
Get-ManagementRoleEntry -Identity "ICE-UserPhoto\Remove-ActiveSyncDevice" | Remove-ManagementRoleEntry -Confirm:$false
Get-ManagementRoleEntry -Identity "ICE-UserPhoto\New-MailMessage" | Remove-ManagementRoleEntry -Confirm:$false
Get-ManagementRoleEntry -Identity "ICE-UserPhoto\Get-TextMessagingAccount" | Remove-ManagementRoleEntry -Confirm:$false
Get-ManagementRoleEntry -Identity "ICE-UserPhoto\Get-MessageClassification" | Remove-ManagementRoleEntry -Confirm:$false
Get-ManagementRoleEntry -Identity "ICE-UserPhoto\Get-MessageCategory" | Remove-ManagementRoleEntry -Confirm:$false
Get-ManagementRoleEntry -Identity "ICE-UserPhoto\Get-MailboxSpellingConfiguration" | Remove-ManagementRoleEntry -Confirm:$false
Get-ManagementRoleEntry -Identity "ICE-UserPhoto\Get-MailboxMessageConfiguration" | Remove-ManagementRoleEntry -Confirm:$false
Get-ManagementRoleEntry -Identity "ICE-UserPhoto\Get-MailboxJunkEmailConfiguration" | Remove-ManagementRoleEntry -Confirm:$false
Get-ManagementRoleEntry -Identity "ICE-UserPhoto\Get-MailboxCalendarFolder" | Remove-ManagementRoleEntry -Confirm:$false
Get-ManagementRoleEntry -Identity "ICE-UserPhoto\Get-MailboxCalendarConfiguration" | Remove-ManagementRoleEntry -Confirm:$false
Get-ManagementRoleEntry -Identity "ICE-UserPhoto\Get-MailboxAutoReplyConfiguration" | Remove-ManagementRoleEntry -Confirm:$false
Get-ManagementRoleEntry -Identity "ICE-UserPhoto\Get-InboxRule" | Remove-ManagementRoleEntry -Confirm:$false
Get-ManagementRoleEntry -Identity "ICE-UserPhoto\Get-DomainController" | Remove-ManagementRoleEntry -Confirm:$false
Get-ManagementRoleEntry -Identity "ICE-UserPhoto\Get-CalendarProcessing" | Remove-ManagementRoleEntry -Confirm:$false
Get-ManagementRoleEntry -Identity "ICE-UserPhoto\Get-CalendarNotification" | Remove-ManagementRoleEntry -Confirm:$false
Get-ManagementRoleEntry -Identity "ICE-UserPhoto\Get-ActiveSyncDeviceStatistics" | Remove-ManagementRoleEntry -Confirm:$false
Get-ManagementRoleEntry -Identity "ICE-UserPhoto\Get-ActiveSyncDevice" | Remove-ManagementRoleEntry -Confirm:$false
Get-ManagementRoleEntry -Identity "ICE-UserPhoto\Clear-ActiveSyncDevice" | Remove-ManagementRoleEntry -Confirm:$false
Get-ManagementRoleEntry -Identity "ICE-UserPhoto\Get-MobileDevice" | Remove-ManagementRoleEntry -Confirm:$false
Get-ManagementRoleEntry -Identity "ICE-UserPhoto\Get-CASMailbox" | Remove-ManagementRoleEntry -Confirm:$false
It is even easier with the following command
Get-ManagementRole -Identity "ICE-UserPhoto" | Get-ManagementRoleEntry | Where-Object { $_.Name -ne "Get-UserPhoto" -and $_.Name -ne "Set-UserPhoto" -and $_.Name -ne "Remove-UserPhoto" -and $_.Name -ne "Import-RecipientDataProperty" } | Remove-ManagementRoleEntry -Confirm:$false
Looking at the role now, it contains only the four cmdlets
Get-ManagementRoleEntry -Identity "ICE-UserPhoto\*"
Now the role can be assigned in the Exchange Admin Center.
- The role group needs a name
- The write scope can be defined
- The management role just created must be selected
- Assign a user or group (mail-enabled universal security group)
Exchange Role Based Access Control (RBAC) Exchange Online
Of course this can also be done in Exchange Online.
Get-ManagementRoleEntry -Identity "ICE-UserPhoto\*"
However, when removing the role entries there, they cannot be removed through a pipe.
Remove Multiple Management Role Entries In Office 365
https://blog.rmilne.ca/2015/02/05/remove-multiple-management-role-entries-in-office-365/
Get-ManagementRoleEntry -Identity "ICE-UserPhoto\Set-CASMailbox" | Remove-ManagementRoleEntry -Confirm:$false
This works, however
Remove-ManagementRoleEntry -Identity "ICE-UserPhoto\Set-CASMailbox" -Confirm:$false
So here too, remove all unnecessary cmdlets.
Remove-ManagementRoleEntry -Identity "ICE-UserPhoto\Set-CASMailbox" -Confirm:$false
Remove-ManagementRoleEntry -Identity "ICE-UserPhoto\Get-Recipient" -Confirm:$false
Remove-ManagementRoleEntry -Identity "ICE-UserPhoto\Remove-SweepRule" -Confirm:$false
Remove-ManagementRoleEntry -Identity "ICE-UserPhoto\Get-MailboxUserConfiguration" -Confirm:$false
Remove-ManagementRoleEntry -Identity "ICE-UserPhoto\Get-OnlineMeetingConfiguration" -Confirm:$false
Remove-ManagementRoleEntry -Identity "ICE-UserPhoto\Set-MailboxAutoReplyConfiguration" -Confirm:$false
Remove-ManagementRoleEntry -Identity "ICE-UserPhoto\Get-MailboxPreferredLocation" -Confirm:$false
Remove-ManagementRoleEntry -Identity "ICE-UserPhoto\Set-MailboxMessageConfiguration" -Confirm:$false
Remove-ManagementRoleEntry -Identity "ICE-UserPhoto\Set-SweepRule" -Confirm:$false
Remove-ManagementRoleEntry -Identity "ICE-UserPhoto\Set-MailboxCalendarFolder" -Confirm:$false
Remove-ManagementRoleEntry -Identity "ICE-UserPhoto\New-SweepRule" -Confirm:$false
Remove-ManagementRoleEntry -Identity "ICE-UserPhoto\Get-MobileDeviceStatistics" -Confirm:$false
Remove-ManagementRoleEntry -Identity "ICE-UserPhoto\Get-Mailbox" -Confirm:$false
Remove-ManagementRoleEntry -Identity "ICE-UserPhoto\Set-UnifiedAuditSetting" -Confirm:$false
Remove-ManagementRoleEntry -Identity "ICE-UserPhoto\Set-MailboxJunkEmailConfiguration" -Confirm:$false
Remove-ManagementRoleEntry -Identity "ICE-UserPhoto\Start-AuditAssistant" -Confirm:$false
Remove-ManagementRoleEntry -Identity "ICE-UserPhoto\New-InboxRule" -Confirm:$false
Remove-ManagementRoleEntry -Identity "ICE-UserPhoto\Get-SweepRule" -Confirm:$false
Remove-ManagementRoleEntry -Identity "ICE-UserPhoto\Remove-MailboxUserConfiguration" -Confirm:$false
Remove-ManagementRoleEntry -Identity "ICE-UserPhoto\Set-MailboxCalendarConfiguration" -Confirm:$false
Remove-ManagementRoleEntry -Identity "ICE-UserPhoto\Enable-SweepRule" -Confirm:$false
Remove-ManagementRoleEntry -Identity "ICE-UserPhoto\Set-InboxRule" -Confirm:$false
Remove-ManagementRoleEntry -Identity "ICE-UserPhoto\Get-UnifiedAuditSetting" -Confirm:$false
Remove-ManagementRoleEntry -Identity "ICE-UserPhoto\Get-User" -Confirm:$false
Remove-ManagementRoleEntry -Identity "ICE-UserPhoto\Disable-SweepRule" -Confirm:$false
Remove-ManagementRoleEntry -Identity "ICE-UserPhoto\Clear-MobileDevice" -Confirm:$false
Remove-ManagementRoleEntry -Identity "ICE-UserPhoto\New-App" -Confirm:$false
Remove-ManagementRoleEntry -Identity "ICE-UserPhoto\Set-Mailbox" -Confirm:$false
Remove-ManagementRoleEntry -Identity "ICE-UserPhoto\Get-MailboxStatistics" -Confirm:$false
Remove-ManagementRoleEntry -Identity "ICE-UserPhoto\Set-MailUser" -Confirm:$false
Remove-ManagementRoleEntry -Identity "ICE-UserPhoto\Stop-UMPhoneSession" -Confirm:$false
Remove-ManagementRoleEntry -Identity "ICE-UserPhoto\Enable-UMCallAnsweringRule" -Confirm:$false
Remove-ManagementRoleEntry -Identity "ICE-UserPhoto\Remove-App" -Confirm:$false
Remove-ManagementRoleEntry -Identity "ICE-UserPhoto\Enable-App" -Confirm:$false
Remove-ManagementRoleEntry -Identity "ICE-UserPhoto\Disable-UMCallAnsweringRule" -Confirm:$false
Remove-ManagementRoleEntry -Identity "ICE-UserPhoto\Remove-MobileDevice" -Confirm:$false
Remove-ManagementRoleEntry -Identity "ICE-UserPhoto\Disable-App" -Confirm:$false
Remove-ManagementRoleEntry -Identity "ICE-UserPhoto\Remove-UMCallAnsweringRule" -Confirm:$false
Remove-ManagementRoleEntry -Identity "ICE-UserPhoto\Start-UMPhoneSession" -Confirm:$false
Remove-ManagementRoleEntry -Identity "ICE-UserPhoto\Get-App" -Confirm:$false
Remove-ManagementRoleEntry -Identity "ICE-UserPhoto\Set-User" -Confirm:$false
Remove-ManagementRoleEntry -Identity "ICE-UserPhoto\New-UMCallAnsweringRule" -Confirm:$false
Remove-ManagementRoleEntry -Identity "ICE-UserPhoto\Set-UMMailboxConfiguration" -Confirm:$false
Remove-ManagementRoleEntry -Identity "ICE-UserPhoto\Set-UMCallAnsweringRule" -Confirm:$false
Remove-ManagementRoleEntry -Identity "ICE-UserPhoto\Get-UMPhoneSession" -Confirm:$false
Remove-ManagementRoleEntry -Identity "ICE-UserPhoto\Get-UMMailboxConfiguration" -Confirm:$false
Remove-ManagementRoleEntry -Identity "ICE-UserPhoto\Get-UMCallAnsweringRule" -Confirm:$false
Remove-ManagementRoleEntry -Identity "ICE-UserPhoto\Write-AdminAuditLog" -Confirm:$false
Remove-ManagementRoleEntry -Identity "ICE-UserPhoto\Disable-InboxRule" -Confirm:$false
Remove-ManagementRoleEntry -Identity "ICE-UserPhoto\Enable-InboxRule" -Confirm:$false
Remove-ManagementRoleEntry -Identity "ICE-UserPhoto\Remove-InboxRule" -Confirm:$false
Remove-ManagementRoleEntry -Identity "ICE-UserPhoto\Get-MailboxRegionalConfiguration" -Confirm:$false
Remove-ManagementRoleEntry -Identity "ICE-UserPhoto\Set-MailboxRegionalConfiguration" -Confirm:$false
Remove-ManagementRoleEntry -Identity "ICE-UserPhoto\Set-UMMailboxPIN" -Confirm:$false
Remove-ManagementRoleEntry -Identity "ICE-UserPhoto\Set-MailboxSpellingConfiguration" -Confirm:$false
Remove-ManagementRoleEntry -Identity "ICE-UserPhoto\Set-CalendarProcessing" -Confirm:$false
Remove-ManagementRoleEntry -Identity "ICE-UserPhoto\Remove-ActiveSyncDevice" -Confirm:$false
Remove-ManagementRoleEntry -Identity "ICE-UserPhoto\New-MailMessage" -Confirm:$false
Remove-ManagementRoleEntry -Identity "ICE-UserPhoto\Get-TextMessagingAccount" -Confirm:$false
Remove-ManagementRoleEntry -Identity "ICE-UserPhoto\Get-MessageClassification" -Confirm:$false
Remove-ManagementRoleEntry -Identity "ICE-UserPhoto\Get-MessageCategory" -Confirm:$false
Remove-ManagementRoleEntry -Identity "ICE-UserPhoto\Get-MailboxSpellingConfiguration" -Confirm:$false
Remove-ManagementRoleEntry -Identity "ICE-UserPhoto\Get-MailboxMessageConfiguration" -Confirm:$false
Remove-ManagementRoleEntry -Identity "ICE-UserPhoto\Get-MailboxJunkEmailConfiguration" -Confirm:$false
Remove-ManagementRoleEntry -Identity "ICE-UserPhoto\Get-MailboxCalendarFolder" -Confirm:$false
Remove-ManagementRoleEntry -Identity "ICE-UserPhoto\Get-MailboxCalendarConfiguration" -Confirm:$false
Remove-ManagementRoleEntry -Identity "ICE-UserPhoto\Get-MailboxAutoReplyConfiguration" -Confirm:$false
Remove-ManagementRoleEntry -Identity "ICE-UserPhoto\Get-InboxRule" -Confirm:$false
Remove-ManagementRoleEntry -Identity "ICE-UserPhoto\Get-CalendarProcessing" -Confirm:$false
Remove-ManagementRoleEntry -Identity "ICE-UserPhoto\Get-CalendarNotification" -Confirm:$false
Remove-ManagementRoleEntry -Identity "ICE-UserPhoto\Get-ActiveSyncDeviceStatistics" -Confirm:$false
Remove-ManagementRoleEntry -Identity "ICE-UserPhoto\Get-ActiveSyncDevice" -Confirm:$false
Remove-ManagementRoleEntry -Identity "ICE-UserPhoto\Clear-ActiveSyncDevice" -Confirm:$false
Remove-ManagementRoleEntry -Identity "ICE-UserPhoto\Get-CASMailbox" -Confirm:$false
Remove-ManagementRoleEntry -Identity "ICE-UserPhoto\Get-MobileDevice" -Confirm:$false
Remove-ManagementRoleEntry -Identity "ICE-UserPhoto\Get-Clutter" -Confirm:$false
Remove-ManagementRoleEntry -Identity "ICE-UserPhoto\Set-Clutter" -Confirm:$false
Remove-ManagementRoleEntry -Identity "ICE-UserPhoto\Get-MessageRecallResult" -Confirm:$false
Remove-ManagementRoleEntry -Identity "ICE-UserPhoto\Get-SenderPermission" -Confirm:$false
Remove-ManagementRoleEntry -Identity "ICE-UserPhoto\Reset-EventsFromEmailBlockStatus" -Confirm:$false
Remove-ManagementRoleEntry -Identity "ICE-UserPhoto\Get-EventsFromEmailConfiguration" -Confirm:$false
Remove-ManagementRoleEntry -Identity "ICE-UserPhoto\Set-EventsFromEmailConfiguration" -Confirm:$false
Remove-ManagementRoleEntry -Identity "ICE-UserPhoto\Test-MailboxAssistant" -Confirm:$false
Looking at the role afterwards, only the four cmdlets are left in it
Get-ManagementRoleEntry -Identity "ICE-UserPhoto\*"
Now the role group still has to be created in order to assign the role to a user or group (mail-enabled universal security group)
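The Exchange Online steps above as one script, added here as an example and not taken from the original post: it trims the role against an allowlist without piping into Remove-ManagementRoleEntry, refuses to continue if the role does not match the four cmdlets exactly, and then creates the role group with a restricted write scope. The role group name, scope name, member address and recipient filter are hypothetical, and the script assumes ICE-UserPhoto was already created with New-ManagementRole as shown earlier.

```powershell
# Added example. Values marked "hypothetical" are assumptions, not from the post.
# Assumes a connected Exchange Online PowerShell session with RBAC management rights
# and that the role ICE-UserPhoto already exists (New-ManagementRole, see above).

$RoleName  = 'ICE-UserPhoto'              # custom role from the post
$GroupName = 'ICE-UserPhoto-Admins'       # hypothetical role group name
$ScopeName = 'ICE-UserPhoto-Scope'        # hypothetical management scope name
$Members   = 'photo-import@example.com'   # hypothetical user or mail-enabled USG

# Allowlist: the four cmdlets the post keeps in the role.
$Keep = 'Get-UserPhoto', 'Set-UserPhoto', 'Remove-UserPhoto', 'Import-RecipientDataProperty'

# Exchange Online does not accept piped role entries, so each entry is
# removed by passing its "Role\Cmdlet" identity explicitly.
Get-ManagementRoleEntry -Identity "$RoleName\*" |
    Where-Object { $_.Name -notin $Keep } |
    ForEach-Object {
        Remove-ManagementRoleEntry -Identity "$RoleName\$($_.Name)" -Confirm:$false
    }

# Verify the result before granting the role to anyone.
$Remaining  = @(Get-ManagementRoleEntry -Identity "$RoleName\*" |
                    Select-Object -ExpandProperty Name)
$Unexpected = @($Remaining | Where-Object { $_ -notin $Keep })
$Missing    = @($Keep      | Where-Object { $_ -notin $Remaining })

if ($Unexpected.Count -gt 0 -or $Missing.Count -gt 0) {
    throw ("Role '{0}' does not match the allowlist. Unexpected: [{1}] Missing: [{2}]" -f
           $RoleName, ($Unexpected -join ', '), ($Missing -join ', '))
}

# Write scope: which recipients the role group may modify.
# The filter below (user mailboxes only) is a hypothetical example.
New-ManagementScope -Name $ScopeName `
    -RecipientRestrictionFilter "RecipientTypeDetails -eq 'UserMailbox'" | Out-Null

# Role group = name + role + write scope + members (the four points listed for the EAC).
New-RoleGroup -Name $GroupName -Roles $RoleName -Members $Members `
    -CustomRecipientWriteScope $ScopeName | Out-Null

# Show the resulting assignment so role and scope can be reviewed.
Get-ManagementRoleAssignment -RoleAssignee $GroupName |
    Format-Table Name, Role, CustomRecipientWriteScope -AutoSize
```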