One of the things I like about Exchange distribution groups is that they can be managed by the list’s owner, taking a bit of work off the IT department and allowing managers to maintain their department groups. However, the process is slightly different in Exchange 2010: the permission to manage the lists is now granted through RBAC (Role Based Access Control).
By default, in Exchange 2010, users cannot manage distribution lists (a good thing). Enabling them to do so is a simple task using the MyDistributionGroups management role, one of the built-in RBAC roles in Exchange 2010. This role allows users to view and modify the groups they are assigned as owner of, including adding and removing members, as well as creating new distribution groups and removing existing ones. All of those options sound pretty good, except for creating new and removing existing groups – good thing we can fix that!
First things first: we need to enable the distribution group management by assigning the users to the MyDistributionGroups management role.
Log into OWA as a user with admin privileges and choose Options in the upper left-hand corner.
Next, choose “My Organization” from the “What to Manage” drop down list.
Click on User Roles under the Roles & Auditing category, and select Details for the Default Role Assignment Policy.
Here, when you scroll down, you can check the box next to MyDistributionGroups to enable Distribution Group management by end users.
At this point, the distribution group’s owner can add and remove names from the group. However, they can also create new groups and delete existing groups. If you don’t want them to have that ability, create a custom role and add it to the Default Role Assignment Policy, as follows.
First, in the Exchange Management Shell, we will create a new management role by copying the MyDistributionGroups role.
New-ManagementRole -Name CompanyDistributionGroups -Parent MyDistributionGroups
I called my new role “CompanyDistributionGroups”, but you can name it whatever you like.
Next, we will remove the commands from this role that allow users to create and delete groups.
Remove-ManagementRoleEntry CompanyDistributionGroups\New-DistributionGroup -Confirm:$false
Remove-ManagementRoleEntry CompanyDistributionGroups\Remove-DistributionGroup -Confirm:$false
Finally, now that our new role is defined, we can assign it to the Default Role Assignment Policy using the following command:
New-ManagementRoleAssignment -Role CompanyDistributionGroups -Policy "Default Role Assignment Policy"
You are finished. Now, owners of the groups can manage the users within the group, but they cannot create new groups or delete existing ones.
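As an added example (not part of the original post), an Exchange Management Shell script that verifies the outcome of the steps above. It assumes the role name CompanyDistributionGroups and the built-in policy name used in the post, and checks that the custom role no longer contains the two cmdlets, that it is assigned to the default policy, and that the parent MyDistributionGroups role is not also still assigned to that policy, since RBAC permissions are cumulative and a lingering MyDistributionGroups assignment would still grant the create and delete cmdlets.

```powershell
# Added example, not part of the original post: verify the custom role created above.
# Assumes the role name CompanyDistributionGroups and the policy name used in the post.
$RoleName = 'CompanyDistributionGroups'
$Policy   = 'Default Role Assignment Policy'

# Cmdlets that owners should no longer be able to run through this role
$Blocked = @('New-DistributionGroup', 'Remove-DistributionGroup')

# Role entries still present in the custom role
$Entries = Get-ManagementRoleEntry "$RoleName\*" | ForEach-Object { $_.Name }

foreach ($cmd in $Blocked) {
    if ($Entries -contains $cmd) {
        Write-Warning "$RoleName still grants $cmd; remove it with Remove-ManagementRoleEntry"
    } else {
        Write-Output "$RoleName does not grant $cmd (OK)"
    }
}

# The custom role must be assigned to the policy for end users to receive it
if (Get-ManagementRoleAssignment -Role $RoleName -RoleAssignee $Policy -ErrorAction SilentlyContinue) {
    Write-Output "$RoleName is assigned to '$Policy' (OK)"
} else {
    Write-Warning "$RoleName is not assigned to '$Policy'"
}

# RBAC permissions are cumulative: if the parent MyDistributionGroups role is still
# assigned to the same policy (for example, the OWA check box was left ticked), owners
# keep New-DistributionGroup and Remove-DistributionGroup regardless of the custom role.
if (Get-ManagementRoleAssignment -Role 'MyDistributionGroups' -RoleAssignee $Policy -ErrorAction SilentlyContinue) {
    Write-Warning "MyDistributionGroups is still assigned to '$Policy'; owners can still create and delete groups"
}
```

Run it in the Exchange Management Shell with an account that holds the Role Management role; any warning means the policy still grants more than the post intends.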
Tim,
Is there a way to allow the manager of these distribution groups to edit the email addresses? I can see from this they can add and delete members but we need these administrative assistants to open the contacts and edit the smtp contact addresses.
Is that possible?
Unfortunately, no. This will have to be done using the Exchange console.
Hi Tim, the said things worked for me, thank you. But one more concern cropped up: the ownership change access, membership approval change access, delivery change management access, message approval change access, and mail tip access are also available to DL owners. How can I deny it? Please help. – Guru.
Did this get answered for Guru? We have a similar setup but group owners can also modify the group name and other group properties. We just want them to modify the membership. I tried removing the Set-DistributionGroup from the role but once I did that, owners could no longer see the Public Group I Own using ECP. How can I limit the owner to just modifying the membership and nothing else? Thanks
I am not aware of any way to restrict the Distribution Group owner to only being able to edit the membership list. In most organizations I work with, they want the owner to be able to edit those additional properties if needed.
After we made this change I can’t assign anyone to manage the distribution groups. I added a user that I want to manage distros to Recipient RBAC and it still does not allow them to manage existing groups, only if I add them as an owner to the group. Any way to have a DL Administrator?
As far as I am aware, the user has to be the group’s owner in order to manage the group.
Hi Tim,
Great post! It was very helpful. Anyway, I just wonder why we need to create a new role when later on we will also assign it to the default role assignment policy? Is it possible to make the changes directly on the default policy to revoke the permission for users to create and delete distro groups?
Thank You,
Arnel
Thanks for the feedback! Yes, you can modify the default role assignment policy, but depending on your organization you may have ill effects. Editing the default policy will prohibit everyone from creating and deleting distribution groups. In the case of the post, only those in the custom Role we created will be denied.
Tim
Thanks for this, it was a really elegant solution and using OWA to enable the management of distribution groups by assigning the users to the MyDistributionGroups role was a surprise to me, I didn’t know OWA had hidden admin goodies. Nice!