If you currently allow your end-users to manage distribution group membership in a previous version of Exchange, you may be interested to know that like many things, the process for enabling this is completely different in Exchange 2010. This is because distribution group membership management permissions are now delegated through Role Based Access Control (RBAC).
How Does it Work?
The MyDistributionGroups management role is one of the built-in RBAC roles in Exchange 2010. This role gives end-users the ability to modify, view, remove, and add members to distribution groups they already own. In addition, the MyDistributionGroups Role provides the ability to create new distribution groups.
An end-user's ownership of a group is designated by adding their account to the “Managed By” property of a distribution group. It is also set automatically when the user creates a distribution group in ECP, once they’ve been assigned the MyDistributionGroups role.
Allowing users to add and remove distribution groups may not be desirable depending on your requirements, but keep reading, we’ll look at how you can restrict this later.
Assigning the MyDistributionGroups Role using ECP
To enable distribution group management for end-users, you first need to assign them the MyDistributionGroups role. The MyDistributionGroups role is considered a user role, and therefore is assigned using a Role Assignment Policy. By default, the MyDistributionGroups role is not added to the Default Role Assignment Policy, but you can use ECP to do this using the following steps.
Step 1. Log into OWA with an administrator account and click on Options in the top right corner.
Step 2. In the Select what to manage drop down, select My Organization and then click on User Roles.
Step 3. Highlight the Default Role Assignment Policy and then click the Details button.
Step 4. Under Roles You Can Assign, check My Distribution Groups.
Assign the MyDistributionGroups Role using EMS
You can also assign the MyDistributionGroups role to the Default Role Assignment Policy using EMS. Use the New-ManagementRoleAssignment cmdlet to perform the operation as shown here:
New-ManagementRoleAssignment -Role MyDistributionGroups -Policy "Default Role Assignment Policy"
Once you’ve added the MyDistributionGroups role to the Default Role Assignment Policy, your users will be able to manage their own distribution groups.
Creating and Assigning a Custom “Locked Down” Role
So, what if you only want users to manage the groups they own, and you do not want them adding or removing groups? Well, in that case you would need to create a custom role and add it to the Default Role Assignment Policy. The process for doing this is outlined in the following steps.
Step 1. First, you need to create a new child role based on the existing MyDistributionGroups role. In this example I’ll call the role “OwnerDistributionGroups”, but you can use whatever name makes sense in your environment. Use the following syntax to create the role:
New-ManagementRole -Name OwnerDistributionGroups -Parent MyDistributionGroups
Step 2. Next, you need to remove the New-DistributionGroup and Remove-DistributionGroup cmdlets from your new custom role. You’ll use the Remove-ManagementRoleEntry cmdlet to do this, as shown below:
Remove-ManagementRoleEntry OwnerDistributionGroups\New-DistributionGroup -Confirm:$false
Remove-ManagementRoleEntry OwnerDistributionGroups\Remove-DistributionGroup -Confirm:$false
Step 3. Now that you’ve got the custom role created and customized to meet your requirements, you can assign it to the Default Role Assignment Policy using the New-ManagementRoleAssignment cmdlet:
New-ManagementRoleAssignment -Role OwnerDistributionGroups -Policy "Default Role Assignment Policy"
At this point, users will be able to manage the groups they own, but they will not be able to create or remove groups.
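The three steps above, carried through as one idempotent EMS script with the verification a practitioner would want afterwards. This is an added example, not part of the original post; the role name OwnerDistributionGroups and the policy name are taken from the post, and the script assumes it runs in an Exchange Management Shell session with rights to manage RBAC.

```powershell
# Added example (not from the original post): build, verify and assign the
# locked-down role from an Exchange Management Shell session.
# Assumed: role name and policy name as used in the post above.
$RoleName   = "OwnerDistributionGroups"
$PolicyName = "Default Role Assignment Policy"
$Blocked    = @("New-DistributionGroup", "Remove-DistributionGroup")

# Step 1: derive the child role from MyDistributionGroups (skip if it exists).
if (-not (Get-ManagementRole -Identity $RoleName -ErrorAction SilentlyContinue)) {
    New-ManagementRole -Name $RoleName -Parent MyDistributionGroups | Out-Null
}

# Step 2: strip the cmdlets that let users create or delete groups.
foreach ($Cmdlet in $Blocked) {
    $Entry = Get-ManagementRoleEntry "$RoleName\$Cmdlet" -ErrorAction SilentlyContinue
    if ($Entry) { Remove-ManagementRoleEntry "$RoleName\$Cmdlet" -Confirm:$false }
}

# Verify: none of the blocked cmdlets remain in the custom role.
$Remaining = Get-ManagementRoleEntry "$RoleName\*" |
    Where-Object { $Blocked -contains $_.Name }
if ($Remaining) {
    throw "Role $RoleName still contains: $($Remaining.Name -join ', ')"
}

# Step 3: assign the custom role to the policy (skip if already assigned).
$Assigned = Get-ManagementRoleAssignment -RoleAssignee $PolicyName |
    ForEach-Object { $_.Role.Name }
if ($Assigned -notcontains $RoleName) {
    New-ManagementRoleAssignment -Role $RoleName -Policy $PolicyName | Out-Null
}

# RBAC permissions are additive: if the parent MyDistributionGroups role is
# still assigned to the same policy, users keep New-/Remove-DistributionGroup
# through it and the lock-down has no effect.
if ($Assigned -contains "MyDistributionGroups") {
    Write-Warning "MyDistributionGroups is also assigned to '$PolicyName'; remove that assignment for the restriction to take effect."
}

# Show what users covered by this policy can now run against distribution groups.
Get-ManagementRoleEntry "$RoleName\*-DistributionGroup*" |
    Select-Object Name | Format-Table -AutoSize
```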
Allowing users to create, add and remove their own distribution groups can be a big decision for some organizations. If you plan on enabling distribution group management, you may allow end-users to add and remove their own groups, or you may choose to keep it locked down. Either way, you now have more options with RBAC.