Mastering Exchange Server 2010’s Exchange Control Panel

One of the new feature areas in Microsoft Exchange Server 2010 is the Exchange Control Panel. The ECP is a web-based configuration interface for Exchange that has the ability to be many things to different groups of people. For end users, when you click Options in Outlook Web App (OWA), the UI for managing account settings is part of the ECP. For delegated administrators (e.g., branch office administrators, service desk technicians), the ECP is a friendly interface for managing the properties of accounts and groups. For the Exchange administrator, the ECP provides an alternative interface to some settings and the only graphical interface for others. Finally, for administrators of hosted organizations (e.g., Microsoft Office 365 tenants), the ECP is the primary option for managing Exchange features specific to the organization.

End-User Functionality

Most of the functionality offered by the ECP to end users when they click Options in OWA is nothing new to OWA or Exchange. The usual functions, which are also available in Outlook—such as configuring calendar options, an email signature, or an Out of Office message—are all present. In addition to these options, there are several new functions that are available to end users only through the ECP. These functions include the ability to manage the data in your Global Address List (GAL) entry, as well as the ability to manage distribution and security groups for which the user is an owner. Other useful functions specific to the ECP include access to delivery reports (message tracking to Exchange administrators), the ability to manage mobile devices and text messaging (SMS), and access to information such as IMAP and POP server settings.

Self-service management of address book data for end users has been a requirement of small and large organizations for more than a decade. Until Exchange 2010, numerous third parties provided products directed at this capability. The only other option was a typically shaky home-grown solution. Exchange 2010’s solution isn’t likely to be as flexible as most third-party solutions, but it fills the needs of the vast majority of the market.

Figure 1 shows the self-service GAL editor on the front page of the end-user Options screen in the ECP. The fields available in the editor are fixed, but they cover the important bases, such as name, phone numbers, address, and so on. As you can see in Figure 1, I can edit my phone numbers; however, my name is read-only, as evidenced by the gray text boxes. As an administrator, you can use Role Based Access Control (RBAC) to configure whether users can edit specific fields on an individual basis. Because of the flexibility of RBAC, you don’t need to apply the same policy to all users; for example, you might want to limit employees to editing only their mobile phone numbers but allow contractors to edit their work phone numbers and their mobile phone numbers.
 

Figure 1: Self-service GAL entry management

Another market that’s been ripe for add-on products since the early days of Exchange is self-service management of distribution lists (DLs). Outlook has always offered users the capability to add and remove members from a DL if they have appropriate access; however, this ability often doesn’t provide nearly enough functionality. Many organizations need the capability to delegate the creation and deletion of DLs, as well as provide the ability for end users to join and leave groups without administrator assistance.

Exchange 2010 introduced all this functionality natively, accessible through the ECP. Users can create and delete DLs, as well as manage all the properties of the lists they own. In addition to managing lists, end users can join and leave distribution groups that are listed in the GAL. Much like the self-service GAL management functionality, all the functionality revolving around the management of groups is controlled through RBAC. Administrators can easily allow users to manage groups they own but not allow them to create new groups, for example. Figure 2 shows some of the properties available for management by group owners. Exchange 2010 SP1 adds the ability for users to manage security groups as well as DLs, making the group management functionality in the ECP significantly more compelling for many organizations.

Figure 2: Managing group settings in the ECP

Another notable end-user feature in the ECP is what Microsoft calls delivery reports. Exchange 2010 provides a summarized end-user friendly interface into traditional message tracking logs, which lets users review the status of messages they’ve sent. To speed up access to the logs, Exchange now stores indexes of them alongside the logs, which allows for quick lookups. Delivery report information is available through several entry points.

Outlook 2010 users can select Delivery Reports on the Outlook 2010 Backstage area and Outlook will launch a web browser and browse directly to the ECP. OWA users can view delivery report information in two places. To check the status of a specific sent message, users can right-click a message in their Sent Items folder and select Delivery Report. A search interface is also available in the Options area under Organize E-Mail, as Figure 3 shows. Users with administrative privileges will receive additional detailed information when accessing delivery reports.

Figure 3: End-user delivery reports search
 

Delegated Administration Features

The ECP includes several useful features that can be delegated to junior administrators or technicians so they can complete requests without involving an administrator. Common examples include modifying user or group properties; modifying mailbox settings, such as Inbox rules or Out of Office messages; and performing message tracking at the organization level.

Technicians who’ve been delegated sufficient access can manage numerous user mailbox properties beyond those delegated to an end user. A common example is the ability to add and remove additional email addresses (proxies) from a mailbox. Although only existing mailboxes can be managed, groups and contacts can be created and deleted through the ECP.

Service desk analysts often receive calls from end users requesting assistance in modifying mailbox settings or performing simple tasks such as setting an Out of Office message. With sufficient access, analysts can open the same Options screen that an end user would see and modify settings on the user’s behalf. Exchange limits the analyst to modifying the settings that the end user would normally have access to so that organization-level permissions aren’t bypassed. This functionality can be delegated without granting access to the actual contents of user mailboxes.

With the Exchange 2010 Enterprise CAL, you can use multi-mailbox search functionality to perform e-discovery across the organization or a group of mailboxes. Prior to Exchange 2010, this task often required expensive third-party tools or large amounts of Exchange administrator time. With Exchange 2010, multi-mailbox searches can be delegated to a legal department user who can perform searches (and place litigation holds on mailboxes) without the intervention of an Exchange administrator. (For more information about Exchange 2010’s multi-mailbox search functionality, see “Multi-Mailbox Search in Exchange Server 2010.” )

Finally, the Delivery Reports interface in Figure 3 has an additional field to filter on the message sender when accessed by users with elevated permissions. This gives delegated administrators or service desk analysts the ability to track a message when they receive an end-user request for assistance in determining the fate of a message. Previously, this common request required escalation to an Exchange administrator.

Administrator Functionality

Finally, the ECP includes important functionality for Exchange administrators. Unfortunately, the ECP introduced some confusion in terms of where certain tasks need to be performed. The vast majority of configuration tasks are possible only through the Exchange Management Console (EMC); however, several tasks are possible either through both the EMC and ECP or possible only through the ECP.

Tasks that are possible only through the ECP include management of RBAC settings, management of group naming conventions, management of Microsoft ActiveSync device quarantine, and execution of various auditing reports. Some additional tasks are also possible through the EMC, such as configuration of transport and journal rules and ActiveSync policies and message tracking. Of course, the mailbox and group management tasks that I discussed earlier are also possible through the EMC.

Exchange 2010 SP1 greatly improved the RBAC management functionality in the ECP and substantially reduced the need to perform RBAC tasks through the Exchange Management Shell (EMS). The most common tasks, such as managing the membership of a role group or creating a new role group, are now possible graphically. Roles can be added to role groups, and you can tweak the scope (e.g., organizational unit—OU) and membership of a role group, as Figure 4 shows.

Figure 4: Managing the Help desk RBAC role group

Group naming conventions is another new feature in Exchange 2010 SP1. This feature is accessible only through the ECP. You can use the group naming conventions feature to enforce policies on groups that users are allowed to create through the ECP. You can apply policies such as including a prefix for all group names or requiring that the user’s department be included in the name of the group (e.g., you might want all your groups to start with DL- and to include the department of the user creating the group, such as DL-IT- for a group created by a user in the IT department). You can also define blocked words that can’t be included in a group’s name.

Exchange 2010 includes a feature known as ActiveSync Device Access Rules, which lets administrators manage the types of mobile devices that are allowed to connect to Exchange. Configuration for this functionality is accessible in the ECP by selecting the Manage My Organization view, then selecting Phone & Voice, ActiveSync Access. You can use this feature to limit access based on a device’s make and model. Based on this information, you can allow, block, or quarantine devices that connect for the first time. Devices that are quarantined require administrator approval to synchronize. Unfortunately, the granularity of the make and model information isn’t standardized and varies based on the implementation of ActiveSync. Each vendor that implements the ActiveSync protocol can choose what information to provide in the make and model fields, as well as how to format the information. Figure 5 shows a device access rule that requires quarantine for iPhones connected for the first time.
 

Figure 5: Configuring a device access rule

Exchange 2010 SP1 improves auditing, making it much easier to report on the data collected by the auditing processes. Several reports are included and can be accessed through the ECP (e.g., reviewing administrator audit logs and mailbox access reports). The reports that can be exported in text or XML formats aren’t particularly granular and might contain too much data. Therefore, the various PowerShell cmdlets (e.g., Search-AdminAuditLog) associated with these reports might be a much better solution.

Beyond the EMC

Exchange Server 2010’s ECP is a new web interface that provides a great deal of flexibility for end users, technicians, delegated administrators, and Exchange administrators. You can use the ECP to manage numerous Exchange features, including most mailbox options. Some Exchange features that aren’t exposed in the EMC have a web-based UI in the ECP, which limits the number of tasks that are accessible only through PowerShell.