Allowing End-Users to Manage Distribution Group Membership in Exchange 2010

Posted by Mike Pfeiffer in email, Exchange, Exchange 2010, IT Professional, Outlook, SysAdmin on 01-06-2010


If you currently allow your end-users to manage distribution group membership in a previous version of Exchange, you may be interested to know that like many things, the process for enabling this is completely different in Exchange 2010. This is because distribution group membership management permissions are now delegated through Role Based Access Control (RBAC).

How Does it Work?

The MyDistributionGroups management role is one of the built-in RBAC roles in Exchange 2010. It gives end-users the ability to view, add and remove members of distribution groups they own, and to modify the properties of those groups. The role also includes the cmdlets needed to create new distribution groups and to remove groups the user owns.

An end-user's ownership of a group is designated by adding their account to the group's "Managed By" (ManagedBy) property. Ownership is also set automatically when the user creates a distribution group in ECP, once they have been assigned the MyDistributionGroups role.

Allowing users to create and remove distribution groups may not be desirable depending on your requirements, but keep reading; we'll look at how you can restrict this later.

Assigning the MyDistributionGroups Role using ECP

To enable distribution group management for end-users, you first need to assign them the MyDistributionGroups role. MyDistributionGroups is an end-user role, so it is assigned through a Role Assignment Policy rather than directly to users or groups. Keep in mind that every mailbox that has not been given an explicit policy uses the Default Role Assignment Policy, so a role added there reaches all of those users. By default, the MyDistributionGroups role is not included in the Default Role Assignment Policy, but you can add it in ECP using the following steps.

Step 1. Log into OWA with an administrator account and click on Options in the top right corner.

Step 2. In the Select what to manage drop down, select My Organization and then click on User Roles.

Step 3. Highlight the Default Role Assignment Policy and then click the Details button.

Step 4. Under Roles You Can Assign, check My Distribution Groups.

Assigning the MyDistributionGroups Role using EMS

You can also assign the MyDistributionGroups role to the Default Role Assignment Policy using EMS. Use the New-ManagementRoleAssignment cmdlet to perform the operation as shown here:

New-ManagementRoleAssignment -Role MyDistributionGroups -Policy "Default Role Assignment Policy"

Once you've added the MyDistributionGroups role to the Default Role Assignment Policy, users covered by that policy will be able to manage the groups they own and to create new groups.
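The assignment above is a single line; what a practitioner usually wants next is to confirm what the policy now grants, make a user an owner of an existing group, and check which policy that user actually receives. The following is an added example written for this page, not code from the original post; the user "alice" and the group "Sales Team" are assumed names, and it is meant to be run in the Exchange Management Shell.

```powershell
# Added example, not part of the original post. Assumed names: user "alice",
# distribution group "Sales Team". Run in the Exchange Management Shell.
$policy = "Default Role Assignment Policy"

# 1. Assign the built-in end-user role to the policy. Every mailbox without an
#    explicit RoleAssignmentPolicy uses this one, so this reaches all such users.
New-ManagementRoleAssignment -Role MyDistributionGroups -Policy $policy

# 2. Confirm what the policy now grants.
Get-ManagementRoleAssignment -RoleAssignee $policy | Format-Table Name, Role, Enabled -AutoSize

# 3. Ownership is the ManagedBy attribute. The @{Add=...} form appends an owner
#    instead of replacing the existing list, and -BypassSecurityGroupManagerCheck
#    lets an administrator who is not already an owner of the group make the change.
Set-DistributionGroup -Identity "Sales Team" -ManagedBy @{Add = "alice"} -BypassSecurityGroupManagerCheck

# 4. Verify both halves: the group's owner list and the policy alice actually receives.
Get-DistributionGroup -Identity "Sales Team" | Format-List Name, ManagedBy
Get-Mailbox -Identity alice | Format-List Name, RoleAssignmentPolicy
```

If step 4 shows a policy other than the default one for the user, the role assignment has no effect on them; assign the role to that policy instead, or move the mailbox with Set-Mailbox -RoleAssignmentPolicy.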

Creating and Assigning a Custom “Locked Down” Role

So, what if you only want users to manage the groups they own, and you do not want them creating or removing groups? In that case you need to create a custom role derived from MyDistributionGroups, remove the unwanted cmdlets from it, and add that role to the Default Role Assignment Policy instead. The process for doing this is outlined in the following steps.

Step 1. First, you need to create a new child role based on the existing MyDistributionGroups role. In this example I’ll call the role “OwnerDistributionGroups”, but you can use whatever name makes sense in your environment. Use the following syntax to create the role:

New-ManagementRole -Name OwnerDistributionGroups -Parent MyDistributionGroups

Step 2. Next, you need to remove the New-DistributionGroup and Remove-DistributionGroup role entries (the cmdlets the role is allowed to run) from your new custom role. You'll use the Remove-ManagementRoleEntry cmdlet to do this, as shown below:

Remove-ManagementRoleEntry OwnerDistributionGroups\New-DistributionGroup -Confirm:$false

Remove-ManagementRoleEntry OwnerDistributionGroups\Remove-DistributionGroup -Confirm:$false

Step 3. Now that you've got the custom role created and customized to meet your requirements, you can assign it to the Default Role Assignment Policy using the New-ManagementRoleAssignment cmdlet:

New-ManagementRoleAssignment -Role OwnerDistributionGroups -Policy "Default Role Assignment Policy"

At this point, users will be able to manage the groups they own, but they will not be able to create or remove groups. If you had previously assigned MyDistributionGroups to the same policy, remove that assignment as well; RBAC grants the union of all roles assigned to a user, so the broader role would otherwise still apply.
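The three steps above, carried through end to end with verification, as an added example written for this page rather than code from the original post. It uses the role name OwnerDistributionGroups from the steps above, assumes the Exchange Management Shell, and adds two things the steps do not show: a check that the child role no longer contains the create/delete entries, and removal of an earlier MyDistributionGroups assignment if one exists.

```powershell
# Added example, not part of the original post. Run in the Exchange Management Shell.
$role   = "OwnerDistributionGroups"
$policy = "Default Role Assignment Policy"

# 1. Derive the child role. A derived role can only lose entries relative to its
#    parent, never gain them, so this can never exceed MyDistributionGroups.
New-ManagementRole -Name $role -Parent MyDistributionGroups `
    -Description "Distribution group owners may edit membership but not create or delete groups."

# 2. Strip the create/delete cmdlets from the child role.
$forbidden = @("New-DistributionGroup", "Remove-DistributionGroup")
$forbidden | ForEach-Object {
    Remove-ManagementRoleEntry -Identity "$role\$_" -Confirm:$false
}

# 3. Verify: list what remains and stop if either forbidden entry is still present.
$entries = Get-ManagementRoleEntry -Identity "$role\*"
$entries | Format-Table Name -AutoSize
$leftover = $entries | Where-Object { $forbidden -contains $_.Name }
if ($leftover) {
    throw ("Unexpected entries still in {0}: {1}" -f $role, ($leftover.Name -join ", "))
}

# 4. If MyDistributionGroups was assigned to this policy earlier, remove that
#    assignment; users would otherwise keep create/delete through it.
Get-ManagementRoleAssignment -Role MyDistributionGroups -RoleAssignee $policy -ErrorAction SilentlyContinue |
    Remove-ManagementRoleAssignment -Confirm:$false

# 5. Assign the child role. It is assigned on its own; the parent role does not
#    need to be (and should not be) assigned alongside it.
New-ManagementRoleAssignment -Role $role -Policy $policy

# 6. Show the policy's final role set.
Get-ManagementRoleAssignment -RoleAssignee $policy | Format-Table Role, Enabled -AutoSize
```

If only a subset of users should get even this restricted capability, the same role can be placed on a dedicated policy created with New-RoleAssignmentPolicy and applied to chosen mailboxes with Set-Mailbox -RoleAssignmentPolicy, leaving the default policy untouched.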

Summary

Allowing users to create, add and remove their own distribution groups can be a big decision for some organizations. If you plan on enabling distribution group management, you may allow end-users to add and remove their own groups, or you may choose to keep it locked down. Either way, you now have more options with RBAC.

Comments (47)



Question:

I’m assuming that after creating and applying the ‘locked down’ policy we would want to remove the ‘MyDistributionGroups’ from the Default Role Assignment Policy, right? I’m not sure how the rights roll-up applies in this case.

Right, but you’ll only need to do that if you had previously assigned the MyDistributionGroups role. It’s not done by default.

How would you do that? Because I have just followed the above-mentioned steps.

Do we have an answer how to do that?
Thanks

The million dollar question I have is how can I have a security group be an owner of a distribution list and give everyone in that security group the ability to change members in the distribution list?

So does using the command:
New-ManagementRoleAssignment -Role OwnerDistributionGroups -Policy "Default Role Assignment Policy"

remove the

New-ManagementRoleAssignment -Role MyDistributionGroups -Policy "Default Role Assignment Policy"

Want to run so users can only modify members in groups they are admins of, and not allow them to create or remove groups.

This is awesome, thanks. How can I add a description to the OwnerDistributionGroups role? I just want to comment on the purpose of the role so that in a year, when I'm in the ECP, I will know it's user-created.

As far as I know, you can only set the description during creation of the management role:

New-ManagementRole -Name OwnerDistributionGroups -Parent MyDistributionGroups -Description "Allow distribution group owners to modify group membership."

Ashley.

I guess I’m a little confused. By default having users manage distribution groups does not work in Exchange 2010, correct?

We have a couple of hundred groups that are managed by different groups (AD) in the company. They all manage the distribution groups. My confusion is how do I set up an owner? Can I mess up the default MyDistributionGroups RBAC role? What and how do I set up a dist group owner?

Great article, just a little confused (just finished deployment and migrated 4500 users)

Thanks

By creating the policy with the following command, will the members of this policy get access to manage any DL, even the ones that existed previously?
New-ManagementRoleAssignment -Role OwnerDistributionGroups -Policy "Default Role Assignment Policy"

This is a great article.
I am wondering how we can restrict users from modifying the following:
"DisplayName, Alias, Description and Ownership"
For example, I tried to run this command:
Remove-ManagementRoleEntry OwnerDistributionGroups\Set-DistributionGroup -Alias

Because I just want to restrict the user from being able to change the "Alias" of a DL. Would you please advise how to remove just a few of the parameters like "DisplayName, Alias, Description and Ownership"?
Thanks,
Raman

Indeed following the guidance in this article allows the DL owner(s) to modify attributes like DisplayName, Alias, etc..

This can be prevented by also running these commands:
Remove-ManagementRoleEntry OwnerDistributionGroups\Set-Group -Confirm:$false
Remove-ManagementRoleEntry OwnerDistributionGroups\Set-DistributionGroup -Confirm:$false
Remove-ManagementRoleEntry OwnerDistributionGroups\Set-DynamicDistributionGroup -Confirm:$false

There is a drawback to this however, it will prevent DL owners from modifying membership using OWA. Modifying membership using Outlook is not affected.

Ashley.
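The question above asks how to block just a few parameters (alias, display name, description, ownership) rather than whole cmdlets, and the answer removes the Set-* cmdlets entirely. RBAC also supports trimming parameters from an individual role entry with Set-ManagementRoleEntry -RemoveParameter. The following is an added example written for this page, not code from the original thread or from any commenter; it assumes the OwnerDistributionGroups role from the post, and the list of parameters to lock is an assumption you should adjust (Notes is the field shown as "Description" in the management tools).

```powershell
# Added example, not part of the original thread. Run in the Exchange Management Shell.
# Assumes the child role OwnerDistributionGroups already exists.
$role = "OwnerDistributionGroups"

# Parameters to strip from each remaining Set-* entry (assumed list; adjust as needed).
$locked = @{
    "Set-DistributionGroup" = @("Alias", "DisplayName", "Name", "ManagedBy")
    "Set-Group"             = @("DisplayName", "Name", "Notes", "ManagedBy")
}

foreach ($cmdlet in $locked.Keys) {
    $entry = "$role\$cmdlet"
    # Only remove parameters the entry actually carries; naming one that is not
    # present makes Set-ManagementRoleEntry fail.
    $present  = (Get-ManagementRoleEntry -Identity $entry).Parameters
    $toRemove = $locked[$cmdlet] | Where-Object { $present -contains $_ }
    if ($toRemove) {
        Set-ManagementRoleEntry -Identity $entry -Parameters $toRemove -RemoveParameter -Confirm:$false
    }
}

# Verify what a group owner can still change through each cmdlet.
foreach ($cmdlet in $locked.Keys) {
    $remaining = (Get-ManagementRoleEntry -Identity "$role\$cmdlet").Parameters
    "{0}: {1}" -f $cmdlet, ($remaining -join ", ")
}
```

Because the OWA/ECP group pages call these cmdlets on the owner's behalf, test membership editing in both OWA and Outlook after trimming parameters, and keep in mind that removing ManagedBy also stops owners from handing a group to someone else.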


What I’m gathering from this is that the end result is that users will be able to manage group membership but not create/remove groups.

What isn’t clear is if they will be able to do this through Outlook again.

Will performing this result in users being able to modify group membership in Outlook (provided they are owners of the groups they are trying to manage)?

Yes once you create the “locked down” role using the steps above, users who are in the “Managed By” list can add and remove members from the list using the Outlook global address book. Powershell commands worked great – thanks!

Anyone... how would you restrict users from modifying
"DisplayName, Alias, Description and Ownership"?

Please see my other comment.


Hi there, I tried it, but it still doesn't work. Do I have to wait a couple of hours or a day?

Thanks

Thank you so much! It worked perfectly and you just saved me hours.

Thanks again!!

Didn’t work for me either. Works from OWA, but not from an Outlook 2007 client. Something I’m missing?

Exact same boat here. I applied this technique and it works for the users from OWA, but not from Outlook 2007. What am I missing?

Exchange 2010 SP2

Is there anyone who knows a solution for this issue? I am also currently running Exchange 2010 hosted. When the users use the DL in OWA it works as designed. However, if I set up the user on the Exchange 2007 client, everything except the DL works. So they can see the DL, but when they expand it there are no users in it, while there should be 10-15 people in it (in OWA it does work). Please, does anyone have a solution for this?

I'm missing one vital thing here... I've created the OwnerDistributionGroups role, but how do I add users to it? I see that you just have to add a user to the ManagedBy permission on a group, but in Outlook the GAL still complains it doesn't have permissions. It seems like there is no tie-in between the above procedure and the ManagedBy permission? Maybe AD takes a while to catch up? I can't even add/remove users as an Organization Management admin user in EMC... however I can manage them fine in OWA!

This is exactly the same as before when I had users added to the ‘Recipient Management’ Role.

Mine is a very custom requirement. I have a group of users whom we do not want to be added to any group by our group members. How do I restrict group owners from adding this range of special users?

Hi, I have followed your doco and implemented this for our Exchange 2010 environment. My problem is that we are currently in the process of migrating mailboxes from Exchange 2007 to 2010, and unfortunately when a person who is the owner of a group set up in 2007 is moved, they no longer have permission to update the members. Do you know how to overcome this problem? Thank you

Excellent advice, thanks for posting.

Nice article, worked straight away for normal distribution groups, but it doesn't seem to work for security-enabled distribution groups (or does that require some more permissions to be changed?).
The group is set to ApprovalRequired (for joining) and ManagedBy is also set correctly.

Hi,
after I followed the steps that you described,
my users are not able to manage distribution groups.
Why?

Yay!! Thanks so much! For those that still didn’t get it to work you have to assign the “My Distribution Groups” piece too (first part on this page) since this is a child Group to it. Otherwise it won’t apply to your users through the “Default Role Assignment Policy”.

[...] We have multiple domains in our AD forest. If you're working with an object in a domain other than the one you're logged into, you have to use -DomainController <FQDN> with your commands, pointing at a domain controller in the domain of the object you want to modify. Allowing End-Users to Manage Distribution Group Membership in Exchange 2010 [...]

I have run through the steps... I have found that the role works in OWA, but when trying it in Outlook the same error happens.

Same with me. Does not work in Outlook 2010 :(

Fantastic solution and well documented!!

FYI: the solution to this in my environment was to set the groups in question from Global to Universal. After changing them to Universal, it worked in both OWA and Outlook.

Hi,
Thank you very much. It worked perfectly well for me.

Hi Nina,
Can you please guide me? I have created a new user role from RBAC and only checked the box "MyDistributionGroupMembership", and in Active Directory I have put the owner's name on the distribution group's "Managed by" tab and also checked the option "Manager can update membership list", but my client is still getting an error when he tries to add or remove a member from the distribution group from Outlook 2010.
Please advise me of a solution at shozii1@yahoo.com

Regards,
Sarfraz

Awesome! well explained & works well!!

If the group is not part of the global address list, can the person who owns the group still control who has access to it? What we are seeing is that the group has to be in the global address list. We are looking for a way for the owner to edit membership even when the group is not part of the global address list.

After performing the scripts and adding members to these management groups, they seem to be only able to add and delete people from the distribution group. They can add a mail-enabled contact if it already exists on the Exchange server. This really doesn't solve any issues with the separation of IT from end users that we have. I'm looking for a solution that allows the Administrative Assistant(s) (more than one will have access to the same distribution group for coverage) to get a call from an "external contact" saying they are not receiving emails and then be able to add or MODIFY the SMTP address which is incorrect or no longer applicable for them.

Is this possible with Exchange 2010?

The SYSADMIN is unable to give me the rights to change “My Distribution Groups” – Add or Remove under properties. We have tried several times but still give the message “Changes to the distribution list membership cannot be saved. You do not have sufficient permission to perform the operation on this object”. What could be the problem?

Thanks this works like a charm

THANK YOU!!!! Worked Great

We are a mixed 2007/2010 (migrating to 2010). Will this have any effects on the 2007 users and their distribution groups?
Thanks
Doug

Help

I ran through the steps in this article and now I can’t view any recipient information in EMC.. please help!

Regards
Gareth
