Allowing End-Users to Manage Distribution Group Membership in Exchange 2010

Posted by Mike Pfeiffer in Exchange, Exchange 2010, IT Professional, Outlook, SysAdmin, email on 01-06-2010


If you currently allow your end-users to manage distribution group membership in a previous version of Exchange, you may be interested to know that like many things, the process for enabling this is completely different in Exchange 2010. This is because distribution group membership management permissions are now delegated through Role Based Access Control (RBAC).

How Does it Work?

The MyDistributionGroups management role is one of the built-in RBAC roles in Exchange 2010. This role gives end-users the ability to view, add, remove and otherwise modify the members of distribution groups they already own. In addition, the MyDistributionGroups role lets them create new distribution groups, and remove groups they own.

An end-user's ownership of a group is designated by adding their account to the “Managed By” property of a distribution group. Ownership is also set automatically when the user creates a distribution group in the Exchange Control Panel (ECP), once they’ve been assigned the MyDistributionGroups role.

Allowing users to add and remove distribution groups may not be desirable depending on your requirements, but keep reading, we’ll look at how you can restrict this later.

Assigning the MyDistributionGroups Role using ECP

To enable distribution group management for end-users, you first need to assign them the MyDistributionGroups role. The MyDistributionGroups role is considered a user role, and therefore is assigned using a Role Assignment Policy. By default, the MyDistributionGroups role is not added to the Default Role Assignment Policy, but you can use ECP to do this using the following steps.

Step 1. Log into OWA with an administrator account and click on Options in the top right corner.

Step 2. In the Select what to manage drop down, select My Organization and then click on User Roles.

Step 3. Highlight the Default Role Assignment Policy and then click the Details button.

Step 4. Under Roles You Can Assign, check My Distribution Groups.

Assign the MyDistributionGroups Role using EMS

You can also assign the MyDistributionGroups role to the Default Role Assignment Policy using EMS. Use the New-ManagementRoleAssignment cmdlet to perform the operation as shown here:

New-ManagementRoleAssignment -Role MyDistributionGroups -Policy "Default Role Assignment Policy"

Once you’ve added the MyDistributionGroups role to the Default Role Assignment Policy, your users will be able to manage their own distribution groups.

Creating and Assigning a Custom “Locked Down” Role

So, what if you only want users to manage the groups they own, and you do not want them adding or removing groups? Well, in that case you would need to create a custom role and add it to the Default Role Assignment Policy. The process for doing this is outlined in the following steps.

Step 1. First, create a new child role based on the existing MyDistributionGroups role. Built-in roles can’t be modified directly, so the child role is where your changes go. In this example I’ll call the role “OwnerDistributionGroups”, but you can use whatever name makes sense in your environment. Use the following syntax to create the role:

New-ManagementRole -Name OwnerDistributionGroups -Parent MyDistributionGroups

Step 2. Next, remove the New-DistributionGroup and Remove-DistributionGroup role entries from your new custom role, so it can no longer create or delete groups. You’ll use the Remove-ManagementRoleEntry cmdlet to do this, as shown below:

Remove-ManagementRoleEntry OwnerDistributionGroups\New-DistributionGroup -Confirm:$false

Remove-ManagementRoleEntry OwnerDistributionGroups\Remove-DistributionGroup -Confirm:$false

Step 3. Now that you’ve got the custom role created and customized to meet your requirements, you can assign it to the Default Role Assignment Policy using the New-ManagementRoleAssignment cmdlet:

New-ManagementRoleAssignment -Role OwnerDistributionGroups -Policy "Default Role Assignment Policy"

At this point, users will be able to manage the groups they own, but they will not be able to create or remove groups. This only holds if the broader MyDistributionGroups role is not also assigned to the same policy: RBAC assignments are cumulative, and the parent role still carries the New-DistributionGroup and Remove-DistributionGroup entries, so if you assigned it earlier, remove that assignment.
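The whole “locked down” procedure in one script, with the checks I would run before handing it to users, as an added example that is not part of the original post. It goes a little beyond the post by also trimming the Alias, DisplayName and ManagedBy parameters from Set-DistributionGroup (so owners can’t rename a group or hand ownership to someone else), by removing any leftover MyDistributionGroups assignment from the policy, and by showing how an owner is designated. The role name OwnerDistributionGroups is the post’s; the group “Sales Team” and the user alice@contoso.com are placeholders assumed for this example. Run it from the Exchange Management Shell as a member of Organization Management.

```powershell
# Added example (not from the original post). Assumed names: "Sales Team" and
# alice@contoso.com are placeholders; OwnerDistributionGroups is the post's role name.
$RoleName = "OwnerDistributionGroups"
$Policy   = "Default Role Assignment Policy"

# 1. Child role copied from the built-in role. Built-in roles can't be edited, so
#    every customization lives in the child. -Description records why it exists,
#    which is what you will want to see in ECP a year from now.
if (-not (Get-ManagementRole -Identity $RoleName -ErrorAction SilentlyContinue)) {
    New-ManagementRole -Name $RoleName -Parent MyDistributionGroups `
        -Description "End-user management of owned distribution groups; no create/remove" |
        Out-Null
}

# 2. Strip the entries that let a user create or delete groups. Guarded so the
#    script can be re-run without errors.
foreach ($cmdlet in "New-DistributionGroup", "Remove-DistributionGroup") {
    $entry = "$RoleName\$cmdlet"
    if (Get-ManagementRoleEntry -Identity $entry -ErrorAction SilentlyContinue) {
        Remove-ManagementRoleEntry -Identity $entry -Confirm:$false
    }
}

# 2b. Beyond the post: keep Set-DistributionGroup, but take away the parameters
#     that let an owner rename the group or change who owns it.
Set-ManagementRoleEntry -Identity "$RoleName\Set-DistributionGroup" `
    -Parameters Alias, DisplayName, ManagedBy -RemoveParameter

# 3. Check what the role can still do. Expect Add-/Remove-DistributionGroupMember,
#    Get-*, Update-DistributionGroupMember and a reduced Set-DistributionGroup;
#    New-DistributionGroup and Remove-DistributionGroup must be absent.
Get-ManagementRoleEntry -Identity "$RoleName\*" |
    Sort-Object Name |
    Format-Table Name, Parameters -AutoSize

# 4. Assign the child role to the policy. Because RBAC is additive, also remove
#    any earlier assignment of the parent role to the same policy; otherwise the
#    parent's New-/Remove- entries still apply and the lock-down is meaningless.
if (-not (Get-ManagementRoleAssignment -Role $RoleName -RoleAssignee $Policy)) {
    New-ManagementRoleAssignment -Role $RoleName -Policy $Policy | Out-Null
}
Get-ManagementRoleAssignment -Role MyDistributionGroups -RoleAssignee $Policy |
    Remove-ManagementRoleAssignment -Confirm:$false

# 5. Ownership is the "Managed By" list on the group. An administrator who is not
#    already an owner needs -BypassSecurityGroupManagerCheck to change it.
Set-DistributionGroup -Identity "Sales Team" -ManagedBy "alice@contoso.com" `
    -BypassSecurityGroupManagerCheck

# 6. Confirm which policy Alice's mailbox actually uses and what that policy
#    grants; a mailbox on a different policy will not see the new role at all.
$alicePolicy = (Get-Mailbox -Identity "alice@contoso.com").RoleAssignmentPolicy
Get-ManagementRoleAssignment -RoleAssignee $alicePolicy |
    Format-Table Role, RoleAssigneeName, RoleAssigneeType -AutoSize
```

Role assignments are evaluated when a user’s session starts, so someone already signed in to OWA or ECP needs to sign out and back in before the change shows up. Step 3 is the check worth keeping around: if a future administrator adds entries back to the child role, the listing is where you will notice it.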

Summary

Allowing users to create, add and remove their own distribution groups can be a big decision for some organizations. If you plan on enabling distribution group management, you may allow end-users to add and remove their own groups, or you may choose to keep it locked down. Either way, you now have more options with RBAC.

Comments (23)



Question:

I’m assuming that after creating and applying the ‘locked down’ policy we would want to remove the ‘MyDistributionGroups’ from the Default Role Assignment Policy, right? I’m not sure how the rights roll-up applies in this case.

Right, but you’ll only need to do that if you had previously assigned the MyDistributionGroups role. It’s not done by default.

The million dollar question I have is how can I have a security group be an owner of a distribution list and give everyone in that security group the ability to change members in the distribution list?

So does using the command:
New-ManagementRoleAssignment -Role OwnerDistributionGroups -Policy “Default Role Assignment Policy”

remove the

New-ManagementRoleAssignment -Role MyDistributionGroups -Policy “Default Role Assignment Policy”

Want to run so users can only modify members in groups they are admins of, and not allow them to create or remove groups.

This is awesome, thanks. How can I add a description to the OwnerDistributionGroup role? I just want to comment on the purpose of the role so in a year when I’m in the ECP I will know it’s user created.

I guess I’m a little confused. By default having users manage distribution groups does not work in Exchange 2010, correct?

We have a couple of hundred groups that are managed by different groups (AD) in the company. They all manage the distribution groups. My confusion is how do I setup an owner? Can I mess up the default MyDistributionGroup RBAC? What and how do I setup a dist group owner?

Great article, just a little confused (just finished deployment and migrated 4500 users)

Thanks

By creating the policy with the following command, will the members of this group get access to manage any DL, even ones that existed previously?
New-ManagementRoleAssignment -Role OwnerDistributionGroups -Policy “Default Role Assignment Policy”

This is a great article.
I am wondering how we can restrict users from modifying the following:
“DisplayName, ALias, Description and Ownership”
Ex: I tried to run this command
Remove-ManagementRoleEntry OwnerDistributionGroups\set-DistributionGroup -alias

Because I just want to restrict that user should not be able to change “Alias” of DL. Would you please advise how to remove just few of the parameters like “DisplayName, ALias, Description and Ownership”.
Thanks,
Raman


What I’m gathering from this is that the end result is that users will be able to manage group membership but not create/remove groups.

What isn’t clear is if they will be able to do this through Outlook again.

Will performing this result in users being able to modify group membership in Outlook (provided they are owners of the groups they are trying to manage)?

Yes once you create the “locked down” role using the steps above, users who are in the “Managed By” list can add and remove members from the list using the Outlook global address book. Powershell commands worked great – thanks!

anyone…..how would you restrict users from modifying
“DisplayName, ALias, Description and Ownership” ?

[...] guide is based on an article here: http://sysadmin-talk.org/2010/06/omg-allowing-end-users-to-manage-distribution-group-membership-in-e… which details this process using the Exchange Management Shell in versions of Exchange prior to SP1 [...]

Hi there, I tried it, but it still doesn’t work. Do I have to wait a couple of hours or one day?

Thanks

Thank you so much! It worked perfectly and you just saved me hours.

Thanks again!!

Didn’t work for me either. Works from OWA, but not from an Outlook 2007 client. Something I’m missing?

I’m missing one vital thing here… I’ve created the OwnerDistributionGroup but how do I add users to it? I see that you just have to add a user to the ManagedBy permission on a group, but in Outlook the GAL still complains it doesn’t have permissions. Seems like there is no tie-in between the above procedure and the ManagedBy permission? Maybe AD takes a while to catch up? I can’t even add/remove users as an Organization Management admin user in EMC… however I can manage them fine in OWA!

This is exactly the same as before when I had users added to the ‘Recipient Management’ Role.

mine is a very custom requirement. I have a group of users whom we do not want to be added in any group by our group members. How to restrict group owners by adding these range special users?

Hi, I have followed your doco and implemented this for our Exchange 2010 environment. My problem is that we are currently in the process of migrating mailboxes from Exchange 2007 to 2010, and unfortunately when a person who is the owner of a group set up in 2007 is moved, they no longer have permission to update the members. Do you know how to overcome this problem? Thank you

Excellent advice – thanks for posting

Hi,
after I made the steps that you described
my users are not able to manage distribution groups.
Why?
