Managing Distribution Groups in Outlook

Have you ever wondered why managers are not able to manage the groups they are manager of? I have. Managing Distribution Groups in Outlook can give you a headache, so please read along.

Even though the user is the manager of the Distribution Group, by default they are not able to manage it from Outlook.

This is due to the Default Role Assignment Policy. By default, the “Default Role Assignment Policy” is applied to all users.

Let's take a look at it. We can do it with PowerShell or in the ECP.

In the ECP we can see that the “Default Role Assignment Policy” contains a lot of Management Roles. One of them is “MyDistributionGroups” but that is not selected by default.

Why? Maybe because this Management Role is very powerful. Too powerful, I think. A Management Role contains Role Entries, and so does “MyDistributionGroups”.

Among its entries is New-DistributionGroup, so it allows users to create new distribution groups. Who wants all their users to be able to create new distribution groups in Exchange?

What can we do then? The Microsoft Exchange Team provided us with a script back in 2009. This script creates a new RBAC role that is a child of “MyDistributionGroups”. It removes the cmdlets we don’t want users to have, New-DistributionGroup and Remove-DistributionGroup. It then assigns the role to the Default Role Assignment Policy.

You can download the script here.

Start a PowerShell window and run this command in order to be able to run the script:

Set-ExecutionPolicy Unrestricted

Then run the script with these two parameters:

.\Manage-GroupManagementRole.ps1 -CreateGroup -RemoveGroup

Now we can check the newly created role and compare it with the default.

As we can see, New-DistributionGroup and Remove-DistributionGroup are no longer present.

In the ECP we can see the new role.

Now the users can manage membership of the groups of which they are managers.
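
The steps described above can also be done by hand in the Exchange Management Shell. This is an added example, not the Exchange Team script and not code from the original post. The role name MyDistributionGroupsManage is a hypothetical choice, and because the commands are typed interactively, no execution policy change is involved.

```powershell
# Added example: manual equivalent of the steps described above.
# Assumption: $NewRole is a hypothetical name chosen for this example.
$Parent  = 'MyDistributionGroups'
$NewRole = 'MyDistributionGroupsManage'
$Policy  = 'Default Role Assignment Policy'
$Blocked = 'New-DistributionGroup', 'Remove-DistributionGroup'

# 1. Review what the built-in role grants before copying it.
Get-ManagementRoleEntry "$Parent\*" | Sort-Object Name | Format-Table Name, Role -AutoSize

# 2. Create the child role; it starts with every entry of its parent.
if (-not (Get-ManagementRole $NewRole -ErrorAction SilentlyContinue)) {
    New-ManagementRole -Name $NewRole -Parent $Parent | Out-Null
}

# 3. Remove the entries users should not have.
foreach ($cmdlet in $Blocked) {
    if (Get-ManagementRoleEntry "$NewRole\$cmdlet" -ErrorAction SilentlyContinue) {
        Remove-ManagementRoleEntry "$NewRole\$cmdlet" -Confirm:$false
    }
}

# 4. Assign the reduced role to the policy, unless it is already assigned.
if (-not (Get-ManagementRoleAssignment -Role $NewRole -RoleAssignee $Policy -ErrorAction SilentlyContinue)) {
    New-ManagementRoleAssignment -Role $NewRole -Policy $Policy | Out-Null
}

# 5. Verify: list what was removed relative to the parent role.
$parentEntries = Get-ManagementRoleEntry "$Parent\*"  | ForEach-Object { $_.Name }
$childEntries  = Get-ManagementRoleEntry "$NewRole\*" | ForEach-Object { $_.Name }
$removed = Compare-Object $parentEntries $childEntries |
    Where-Object { $_.SideIndicator -eq '<=' } |
    ForEach-Object { $_.InputObject }
"Entries removed from ${NewRole}: $($removed -join ', ')"

# Warn if a blocked cmdlet is still granted by the reduced role.
$stillGranted = $childEntries | Where-Object { $Blocked -contains $_ }
if ($stillGranted) { Write-Warning "Still granted: $($stillGranted -join ', ')" }

# Warn if the unrestricted parent role is also assigned to the policy,
# which would give users the removed cmdlets back.
if (Get-ManagementRoleAssignment -Role $Parent -RoleAssignee $Policy -ErrorAction SilentlyContinue) {
    Write-Warning "$Parent is also assigned to '$Policy'; users can still create and remove groups."
}
```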

Thanks for reading.

Regards

Steen Pedersen

 
