Thoughts on Technology
Exchange 2010 Distribution Group Management
One of the things I like about Exchange distribution groups is that they can be managed by the list’s owner, taking a bit of work off the IT department and allowing managers to maintain their department groups. However, the process is slightly different for Exchange 2010. In Exchange 2010, the permission to manage the lists is now in RBAC (Role Based Access Control).
By default, in Exchange 2010, users cannot manage distribution lists (a good thing). Enabling them to do so is a simple task. We use the MyDistributionGroups management role, which is one of the built-in RBAC roles in Exchange 2010. This role allows users to view, modify, add, and remove members of groups that they own, as well as create new distribution groups and remove existing ones. All of those options sound pretty good, except for creating new and removing existing groups. Good thing we can fix that!
First things first: we need to enable the distribution group management by assigning the users to the MyDistributionGroups management role.
Log into OWA as a user with admin privileges and choose Options in the upper left-hand corner.
Next, choose “My Organization” from the “What to Manage” drop-down list.
Click on User Roles under the Roles & Auditing category, and select Details for the Default Role Assignment Policy.
Here, when you scroll down, you can check the box next to MyDistributionGroups to enable Distribution Group management by end users.
At this point, the Distribution Group’s owner can now add and remove names from the group. However, they can also create new groups, and delete existing groups. If you don’t want them to have that ability, we will create a Custom Role, and add it to the Default Role Assignment Policy.
First, in the Exchange Management Shell, we will create a new management role by copying the MyDistributionGroups role.
New-ManagementRole -Name CompanyDistributionGroups -Parent MyDistributionGroups
I called my new role “CompanyDistributionGroups”, but you can name it whatever you like.
Next, we will remove the commands from this role that allow users to create and delete groups.
Remove-ManagementRoleEntry CompanyDistributionGroups\New-DistributionGroup -Confirm:$false
Remove-ManagementRoleEntry CompanyDistributionGroups\Remove-DistributionGroup -Confirm:$false
Finally, since we have our new role defined, we can assign it to the Default Role Assignment Policy using the following command:
New-ManagementRoleAssignment -Role CompanyDistributionGroups -Policy "Default Role Assignment Policy"
You are finished. Now, owners of the groups can manage the users within the group, but they cannot create new groups or delete existing groups.
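RBAC role assignments are additive, so it is worth confirming which roles on the policy still carry the two cmdlets. The following check is an added example, not part of the original post; it is run in the Exchange Management Shell and assumes the policy name and the CompanyDistributionGroups role name used above.

```powershell
# Added example: audit the Default Role Assignment Policy for roles that
# still expose group creation or deletion to end users.
$policy  = "Default Role Assignment Policy"
$blocked = "New-DistributionGroup", "Remove-DistributionGroup"

# Every management role currently assigned to the policy.
$assignments = Get-ManagementRoleAssignment -RoleAssignee $policy

$findings = foreach ($a in $assignments) {
    # A wildcard identity returns nothing (rather than an error) when the
    # role has no matching entries, e.g. after Remove-ManagementRoleEntry.
    Get-ManagementRoleEntry "$($a.Role)\*-DistributionGroup" |
        Where-Object { $blocked -contains $_.Name } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Assignment = $a.Name      # name of the role assignment
                Role       = "$($a.Role)" # role that still has the entry
                Cmdlet     = $_.Name      # cmdlet end users can still run
            }
        }
}

if ($findings) {
    # Any row here means users on this policy can still run that cmdlet
    # through the listed role, regardless of what other roles omit.
    $findings | Format-Table Assignment, Role, Cmdlet -AutoSize
} else {
    "No role on '$policy' grants: $($blocked -join ', ')"
}
```

If the MyDistributionGroups box checked earlier in OWA is still enabled, it appears in this output alongside the custom role.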