Managing a Distribution Group membership from Outlook in Exchange 2010 and Exchange 2013
In Exchange 2003 and Exchange 2007 to let a user manage distributions groups from Outlook we only set him as the distribution group owner and then he’ll be able to add and remove users from the D.G as needed.
Starting from Exchange 2010 we don’t leverage ACL anymore, we introduced RBAC (from more detail see my previous post)
Now, if we act as we used to do, meaning assign a user as a Distribution Group owner
And then try to modify the D.G membership from Outlook, this is the error you get
One more thing, by default in Exchange 2013, when you create a D.G it will be configured in a way that anyone can join it or leave it without approval
You need to change the default setting to make a Distribution Group closed or to require the owner approval.
For this blog, we’ll make the D.G closed
We need to use an existing RBAC user Role or create a new one if the build-in role has more permission than what we want to grant to the end users.
To understand what are the RBAC permissions granted to the end users by default, you need to look at the “Default Role Assignment Policy”
As you can see, there is a RBAC role called “MyDistributionGroups” that is not added to the default policy.
To understand now what kind of things can be done with this Role, we need to run this PowerShell command
Get-ManagementRoleEntry "MyDistributionGroups\*" |
From the output we can understand that any user for which we grant this role will be able NOT ONLY to manage Distribution Groups, but also to create and remove D.Gs
In this blog we’ll focus on how to give the end users the same permissions they have when they were assigned as the D.G owner in Exchange 2003 and Exchange 2007.
For that, we need to create a custom RBAC Role that has “MyDistrbutionGroups” as parent by running this PowerShell command
New-ManagementRole -Name "Enterprise Distribution Groups Management" -Parent "MyDistributionGroups" |
We need now the customize this RBAC Role by removing the “Extra” permissions not required for the end users
- We need to prevent them from modifying the D.Gs properties, from the PowerShell, run the Command below
Get-ManagementRoleEntry "Enterprise Distribution Groups Management\set-*" | Remove-ManagementRoleEntry -Confirm:$false |
- We need to prevent them from creating new D.Gs by running the Command below
Get-ManagementRoleEntry "Enterprise Distribution Groups Management\New-*" | Remove-ManagementRoleEntry -Confirm:$false |
- We need to prevent them from removing D.Gs by running the Command below
Get-ManagementRoleEntry "Enterprise Distribution Groups Management\ Remove-DistributionGroup" | Remove-ManagementRoleEntry -Confirm:$false |
Now we need to check what are the permissions left for this RBAC custom Users Role
Get-ManagementRoleEntry "Enterprise Distribution Groups Management\*" |
As you can see, when we going to add this Custom Role to the “Default Role Assignment Policy” the users that will be granted as a Distribution Group owners will only be able to manage the D.G membership.
Now we need to add this Role to the “Default Role Assignment Policy”
Doing the test again from Outlook, you see that now we can add and remove Distribution Groups members as required
Ghazi Boufaden from NEPA PFE team.