Delegating Distribution Group Management in Exchange 2010

I am sure that many of you have seen this issue during migrations from Exchange 2003 to Exchange 2007 or Exchange 2010. There have been a few posts and articles that discuss it, but I felt it is worth another point of view and discussion.

In Exchange 2003, delegating the ability to update the members of a distribution group is straightforward: open the distribution group's properties, click the Managed By tab, add the user account, and enable the checkbox for Manager can update membership list. Of course, the change then needs to be applied.

Years later, when you upgrade to Exchange 2010 and migrate the distribution group, you notice that users are no longer able to manage their distribution groups.

BTW – there are a couple of ways to update/migrate a distribution group to Exchange 2010. One is to run Get-DistributionGroup | Set-DistributionGroup from the EMS; another is to open the object in the EMC, make a trivial edit (for example, delete a character in one of the fields and type the same character back in), and then apply the change.

Anyway, users can no longer manage their distribution groups. If you check, they are still listed in the Managed By section of the Group Information properties tab, so everything should work. Obviously, that isn't the case.

Exchange 2010 has a really interesting delegation model called Role-Based Access Control (RBAC), whose management roles and role groups can provide very granular delegation of permissions in Exchange 2010. For users to actually manage distribution group membership lists, they must have the proper RBAC permissions in Exchange.

I would assume that in most cases we don't want users to be able to create new distribution groups or to delete distribution groups. That means we can't simply assign them the existing MyDistributionGroups role, because it provides too much control over distribution groups.

So, this is the path that I would take in this case.

  1. Create a new management role based on the MyDistributionGroups role.
  2. Modify the new role to take away the ability to create and delete distribution groups, while still allowing distribution group managers/owners (those in the Managed By list) to modify their distribution groups.
  3. Add the new management role to the default role assignment policy so that it is applied across the organization.


So, here is how it would work:

  1. Create a new management role based on the MyDistributionGroups role.

[PS] C:\>New-ManagementRole -Name MyDistributionGroupsManagement -Parent MyDistributionGroups -Description "Assign to users that need to manage distribution groups without creating or deleting distribution groups"

Name                                    RoleType
----                                    --------
MyDistributionGroupsManagement          MyDistributionGroups


2a.  Modify the new role to take away the ability to create DLs.

[PS] C:\>Remove-ManagementRoleEntry MyDistributionGroupsManagement\New-DistributionGroup

Confirm
Are you sure you want to perform this action?
Removing the "(Microsoft.Exchange.Management.PowerShell.E2010)
New-DistributionGroup -Alias -CoManagedBy -Confirm -CopyOwnerToMember
-DisplayName -ErrorAction -ErrorVariable -ManagedBy -MemberJoinRestriction
-Members -ModeratedBy -ModerationEnabled -Name -Notes -OutBuffer -OutVariable
-PrimarySmtpAddress -SamAccountName -SendModerationNotifications -WarningAction
-WarningVariable -WhatIf" management role entry on the
"MyDistributionGroupsManagement" management role.
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [?] Help (default is "Y"): y


2b.  Modify the new role to take away the ability to delete DLs.

[PS] C:\>Remove-ManagementRoleEntry MyDistributionGroupsManagement\Remove-DistributionGroup

Confirm
Are you sure you want to perform this action?
Removing the "(Microsoft.Exchange.Management.PowerShell.E2010)
Remove-DistributionGroup -Confirm -ErrorAction -ErrorVariable -Identity
-OutBuffer -OutVariable -WarningAction -WarningVariable -WhatIf" management
role entry on the "MyDistributionGroupsManagement" management role.
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [?] Help (default is "Y"): y


3.   Add the new management role to the default role assignment policy.

[PS] C:\>New-ManagementRoleAssignment -Role MyDistributionGroupsManagement -Policy "Default Role Assignment Policy"

Name                           Role      RoleAssigneeName RoleAssigneeType AssignmentMethod EffectiveUserName
----                           ----      ---------------- ---------------- ---------------- -----------------
MyDistributionGroupsManagem… MyDist… Defaul…          RoleAs…          Direct


After running these PowerShell commands, users who are in the Managed By list will once again be able to manage their distribution groups.
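The three steps above, put together as one re-runnable Exchange Management Shell script. This is an added example, not the post's own commands: it uses the role, parent role and policy names from the post, assumes a shell session with rights to manage RBAC, and assumes that Set-DistributionGroup, Add-DistributionGroupMember and Remove-DistributionGroupMember are among the entries inherited from MyDistributionGroups. It differs from the post in two ways: it suppresses the confirmation prompts with -Confirm:$false, and it finishes by checking that the create/delete cmdlets are really gone from the new role and that the assignment to the policy exists, so the result can be audited rather than assumed.

```powershell
# Added example (not from the original post): create a restricted copy of the
# MyDistributionGroups role, strip the create/delete entries, publish it via the
# default role assignment policy, and verify the outcome.
# Assumes an Exchange 2010 Management Shell session with rights to manage RBAC.

$RoleName   = "MyDistributionGroupsManagement"   # name used in the post
$ParentRole = "MyDistributionGroups"             # built-in end-user role
$PolicyName = "Default Role Assignment Policy"   # built-in policy used in the post
$Blocked    = @("New-DistributionGroup", "Remove-DistributionGroup")

# Step 1: create the child role only if it does not already exist.
if (-not (Get-ManagementRole -Identity $RoleName -ErrorAction SilentlyContinue)) {
    New-ManagementRole -Name $RoleName -Parent $ParentRole `
        -Description "Manage owned distribution groups without creating or deleting them" |
        Out-Null
}

# Step 2: remove the cmdlet entries that allow creating and deleting groups.
foreach ($Cmdlet in $Blocked) {
    $EntryId = "$RoleName\$Cmdlet"
    if (Get-ManagementRoleEntry -Identity $EntryId -ErrorAction SilentlyContinue) {
        Remove-ManagementRoleEntry -Identity $EntryId -Confirm:$false
    }
}

# Step 3: assign the role through the default policy, once.
$Assignment = Get-ManagementRoleAssignment -Role $RoleName -RoleAssignee $PolicyName `
    -ErrorAction SilentlyContinue
if (-not $Assignment) {
    New-ManagementRoleAssignment -Role $RoleName -Policy $PolicyName | Out-Null
}

# Verification: the blocked cmdlets must be gone, and the cmdlets that group
# owners actually need (assumed to be inherited from the parent) must remain.
$Entries = Get-ManagementRoleEntry -Identity "$RoleName\*" |
    Select-Object -ExpandProperty Name
$Leaked  = $Blocked | Where-Object { $Entries -contains $_ }
$Needed  = @("Set-DistributionGroup", "Add-DistributionGroupMember", "Remove-DistributionGroupMember")
$Missing = $Needed | Where-Object { $Entries -notcontains $_ }

if ($Leaked)  { Write-Warning ("Still present in {0}: {1}" -f $RoleName, ($Leaked -join ", ")) }
if ($Missing) { Write-Warning ("Expected but missing from {0}: {1}" -f $RoleName, ($Missing -join ", ")) }
if (-not $Leaked -and -not $Missing) {
    Write-Host "Role $RoleName contains only the membership-management entries."
}

# Show the resulting assignment so it can be recorded for later review.
Get-ManagementRoleAssignment -Role $RoleName |
    Format-Table Name, RoleAssigneeName, RoleAssigneeType, AssignmentMethod -AutoSize
```

Because the role is attached to the default role assignment policy, it reaches every mailbox that uses that policy; mailboxes on a custom policy need the same New-ManagementRoleAssignment run against their policy, and the final Get-ManagementRoleAssignment listing is the place to confirm which policies carry the role.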


2 Responses to Delegating Distribution Group Management in Exchange 2010

  1. Coryn says:

    Spot on! Thanks very much!

  2. Paul says:

    Perfect! Simple and clear. Worked immediately. Thanks!
