Exchange 2010/2013 – How to give permissions to users to manage Universal Security Distribution Lists (must use RBAC)

Users on Exchange 201x who try to update or create a Distribution List may get the following error message:

"Changes to the public group membership cannot be saved. You do not have sufficient permission to perform this operation on this object."



Usually, it's because they don't have the permissions to create or modify security groups (reminder: RBAC only for Exchange 2010 users).

Depending on whether you wish to assign the permissions to manage Distribution Groups to administrators or to end users, you will either create, customize or assign the "Security Group Creation and Membership" RBAC role or the "MyDistributionGroups" role.


I- For end users: enable distribution group owners to add/remove members of their own distribution groups

The easiest way to achieve this is to use a script that automates the steps needed to let group owners manage their distribution groups (create or delete groups, add or remove group members):


This script does the following:

  1. Creates a new RBAC role that is a child of the MyDistributionGroups role
  2. Removes the cmdlets Remove-DistributionGroup and New-DistributionGroup from the new role that was just created
  3. Assigns the new role to the Default Role Assignment Policy

When complete, your users will be able to manage distribution groups but not create or remove them.

Link to the script

Syntax:

Manage-GroupManagementRole -CreateGroup -RemoveGroup
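The three steps the script performs, written out as an added example (this is not the linked script itself); the child role name "MyDistributionGroups-NoCreateDelete" is a placeholder, and the commands assume an Exchange Management Shell session with rights to create management roles:

```powershell
# Added example, not the linked Manage-GroupManagementRole script.
# Assumptions: the new role name below is a placeholder; run from the
# Exchange Management Shell with rights to create roles and assignments.

$ParentRole = "MyDistributionGroups"
$NewRole    = "MyDistributionGroups-NoCreateDelete"   # placeholder name
$Policy     = "Default Role Assignment Policy"

# 1. Create a child role: it starts with every role entry of its parent.
if (-not (Get-ManagementRole -Identity $NewRole -ErrorAction SilentlyContinue)) {
    New-ManagementRole -Name $NewRole -Parent $ParentRole | Out-Null
}

# 2. Strip the entries that allow creating and deleting groups. The role
#    keeps Add-/Remove-DistributionGroupMember, so owners can still change
#    the membership of the groups they own.
foreach ($cmdlet in "New-DistributionGroup", "Remove-DistributionGroup") {
    $entry = "$NewRole\$cmdlet"
    if (Get-ManagementRoleEntry -Identity $entry -ErrorAction SilentlyContinue) {
        Remove-ManagementRoleEntry -Identity $entry -Confirm:$false
    }
}

# 3. Assign the trimmed role to the default policy so every mailbox gets it.
if (-not (Get-ManagementRoleAssignment -Role $NewRole -RoleAssignee $Policy -ErrorAction SilentlyContinue)) {
    New-ManagementRoleAssignment -Role $NewRole -Policy $Policy | Out-Null
}

# Verify: membership cmdlets present, create/delete cmdlets gone.
$entries = Get-ManagementRoleEntry -Identity "$NewRole\*" |
    Select-Object -ExpandProperty Name
$createDeleteGone = -not (($entries -contains "New-DistributionGroup") -or
                          ($entries -contains "Remove-DistributionGroup"))
$membershipKept   = ($entries -contains "Add-DistributionGroupMember") -and
                    ($entries -contains "Remove-DistributionGroupMember")
"Create/delete removed: $createDeleteGone"
"Membership cmdlets kept: $membershipKept"
Get-ManagementRoleAssignment -Role $NewRole |
    Format-Table Name, RoleAssigneeType, RoleAssigneeName -AutoSize
```

If the parent MyDistributionGroups role is itself still assigned to the same policy, that assignment grants the removed cmdlets anyway, so check `Get-ManagementRoleAssignment -Role MyDistributionGroups -RoleAssignee "Default Role Assignment Policy"` and remove that assignment if the goal is to block group creation and deletion.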


II- For helpdesk staff or "Distribution Group administrators"

To assign these permissions to a security group to which you add users (recommended), or to a single user:

1 – First, create a security group.

2 – All the DL owners should be members of this group. This way you do not have to assign permissions to individual users, and permissions are easier to manage and granted only to the users who need them.

3 – Assign permissions to the security group (recommended):

  • New-ManagementRoleAssignment -Role "Security Group Creation and Membership" -SecurityGroup "DL Owners"

or assign the role directly to a user:

  • New-ManagementRoleAssignment -Role "Security Group Creation and Membership" -User "username"

4 – Add all the users who need to manage DLs to the security group.

5 – Wait for AD replication.

6 – Users will now be able to manage mail-enabled security DLs using Outlook.

7 – Any helpdesk user can use the Exchange Management Shell to manage DL membership.

8 – Users should log out of and back in to Outlook, then try to change the security group membership.



NOTE: If you configured Outlook 2010 or earlier to use a GC directly (via the "ClosestGC" or "DS Server" registry key described in KB 319206), users won't be able to manage DL membership or creation, because this bypasses the RBAC check and uses AD permissions instead, and it is not recommended to give users direct AD permissions. Also remember that the registry keys described in KB 319206 work, but are NOT SUPPORTED when mailboxes are on Exchange 2010/2013 (one reason being exactly this bypass of RBAC permissions for AD-related operations such as DL management). So please only use them for troubleshooting purposes.



Comments (3)
  1. Robert says:

    Thanks for the info. How would I go about adding members in a resource forest scenario, where I would add their username from the account forest to the mailbox forest group? Would this allow all users (using the account forest logins) to edit all DistroGroups in the (Mailbox Forest)? Thanks, Robert

  2. says:

    I have found that permissions should be granted to the resource account in order for the permissions to be handled correctly. The user will use Outlook through their user domain account, and then, based on the Exchange Master Account attribute in the resource forest, the permissions will pass through to the disabled user.

  3. Mikel says:

    Worked like a charm! A little wonky doing this via the GUI instead of the command line, but works perfectly. Thanks! 🙂
