Managing distribution groups changed in Exchange 2010
You probably know the option “Manager can update membership list”. Setting this option in AD worked with Exchange 2003.
With Exchange 2010, setting this option in the Exchange Management Console simply does nothing!
Is it a bug? No, it is turned off intentionally, through the Role Based Access Control (RBAC) feature. It can be turned on easily, but doing so also turns on extra functionality that most companies do not want to make available: the creation and deletion of company-wide distribution groups! But RBAC is flexible enough to deal with this. Navigate to the ECP page of your Exchange server and choose to manage “My Organization” -> Navigate to “User Roles” -> Select “Default Role Assignment Policy” and select “Details”. Turn on the “My Distribution Groups” option.
After turning on this option (or before turning it on), decide whether you want the creation and/or deletion of distribution groups to become available as well. If not, you can remove each cmdlet from the existing “MyDistributionGroups” management role.
To see what the possibilities are now, use the following command:
Get-ManagementRole mydistributiongroups | fl roleentries
Notice the “New-DistributionGroup” and “Remove-DistributionGroup” entries.
These entries can be deleted in two ways: the typing way (PowerShell) or the clicks-from-a-mouse way (ADSIedit).
The PowerShell option is as follows:
With ADSIedit navigate to the following:
Configuration -> Services -> Microsoft Exchange -> Your Organization Name -> RBAC -> Roles -> Select the properties of CN=MyDistributionGroups and take a look at the msExchRoleEntries attribute:
You can remove the lines beginning with
And that’s all!
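The same restriction can also be scripted without editing the built-in role. The following is an added example, not code from the original post: it creates a child role of MyDistributionGroups, strips the two entries from the child, and assigns the child to the policy in place of the parent. The role name MyDistributionGroups-ManageOnly is a hypothetical name chosen for this example; run it in the Exchange Management Shell.

```powershell
# Added example for the Exchange Management Shell (Exchange 2010).
# $childRole is a hypothetical name; the other two names come from the post.
$parentRole = 'MyDistributionGroups'
$childRole  = 'MyDistributionGroups-ManageOnly'
$policy     = 'Default Role Assignment Policy'

# 1. Create a custom role that inherits every entry of the built-in role.
New-ManagementRole -Name $childRole -Parent $parentRole | Out-Null

# 2. Remove the entries that allow creating and deleting groups,
#    leaving the membership-management cmdlets in place.
foreach ($cmdlet in 'New-DistributionGroup', 'Remove-DistributionGroup') {
    Remove-ManagementRoleEntry -Identity "$childRole\$cmdlet" -Confirm:$false
}

# 3. Assign the trimmed role to the policy that applies to mailboxes.
New-ManagementRoleAssignment -Role $childRole -Policy $policy | Out-Null

# 4. If the built-in role was already switched on for this policy, remove
#    that assignment; otherwise users keep create/delete rights through it.
Get-ManagementRoleAssignment -RoleAssignee $policy -Role $parentRole |
    Remove-ManagementRoleAssignment -Confirm:$false

# 5. Verify: the child role must no longer list the two cmdlets.
$leftover = Get-ManagementRoleEntry "$childRole\*" |
    Where-Object { $_.Name -match '^(New|Remove)-DistributionGroup$' }

if ($leftover) {
    Write-Warning "Still present: $($leftover.Name -join ', ')"
} else {
    Write-Host "$childRole no longer allows creating or deleting groups."
}

# Show which roles the policy now grants, as a final check.
Get-ManagementRoleAssignment -RoleAssignee $policy |
    Format-Table Name, Role -AutoSize
```

Role assignment changes are picked up by users at their next ECP or Outlook Web App session.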