Have you ever wondered why managers are not able to manage the groups they are managers of? I have. Managing Distribution Groups in Outlook can cause you a headache, so please read along.
Even though the user is a manager of the Distribution Group, they will get this by default.
This is due to the Default Role Assignment Policy. By default the “Default Role Assignment Policy” is applied to all users.
Let’s take a look at it. We can do it with PowerShell or in the ECP.
In the ECP we can see that the “Default Role Assignment Policy” contains a lot of Management Roles. One of them is “MyDistributionGroups”, but that one is not selected by default.
Why? Maybe because this Management Role is very powerful. Too powerful, I think. A Management Role contains Role Entries, and “MyDistributionGroups” contains these:
As you can see, it allows users to run New-DistributionGroup. Who wants all their users to be able to create new distribution groups in Exchange?
What can we do then? The Microsoft Exchange Team provided us with a script back in 2009. This script creates a new RBAC role that is a child of “MyDistributionGroups”. It removes the cmdlets we don’t want users to have, New-DistributionGroup and Remove-DistributionGroup. It then assigns the role to the Default Role Assignment Policy.
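To see the same thing from the shell instead of the ECP, here is an added example (not from the original post) that reads the policy, its role assignments and the role entries of MyDistributionGroups with the standard Exchange RBAC cmdlets. It assumes you are in the Exchange Management Shell (or a remote PowerShell session to Exchange) with an account that may read RBAC configuration; the policy and role names are the built-in ones the post refers to.

```powershell
# Added example (not from the original post): inspect why group managers
# cannot edit membership. Run from the Exchange Management Shell.

# 1. Which roles does the policy applied to every mailbox user grant today?
Get-RoleAssignmentPolicy -Identity "Default Role Assignment Policy" |
    Format-List Name, IsDefault, AssignedRoles

# 2. Same information from the assignment side, one line per assigned role.
#    MyDistributionGroups is absent by default, which is why managers get
#    the error in Outlook.
Get-ManagementRoleAssignment -RoleAssignee "Default Role Assignment Policy" |
    Select-Object Name, Role, RoleAssigneeType

# 3. The role entries (cmdlets) MyDistributionGroups would hand to every
#    user if it were simply ticked in the ECP.
Get-ManagementRoleEntry -Identity "MyDistributionGroups\*" |
    Select-Object Name, Parameters

# 4. Yes/no check for the two cmdlets this post objects to.
$entries = (Get-ManagementRoleEntry -Identity "MyDistributionGroups\*").Name
"New-DistributionGroup", "Remove-DistributionGroup" | ForEach-Object {
    "{0,-26} granted: {1}" -f $_, ($entries -contains $_)
}
```

Step 4 is the quick test to run on any tenant or on-premises organization before changing anything: if both lines print `granted: True` for a role that is assigned to the default policy, every mailbox user can already create and delete distribution groups.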
You can download the script here.
Start your PowerShell window and run this command in order to be able to run the script:
Then run the script with these two parameters:
.\Manage-GroupManagementRole.ps1 -CreateGroup -RemoveGroup
Now we can check the newly created role and compare it with the default.
As we can see, New-DistributionGroup and Remove-DistributionGroup are no longer present.
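For readers who would rather do by hand what the script does, and verify the result, here is an added example that is not the Exchange Team’s Manage-GroupManagementRole.ps1 and not code from the original post. It creates a child role of MyDistributionGroups, removes the two cmdlets, assigns the child role to the Default Role Assignment Policy, and then compares parent and child entries. The child role name and the assignment name are assumptions; only MyDistributionGroups and the policy name are real built-in names from the post.

```powershell
# Added example (not the Exchange Team's script): build a least-privilege
# child of MyDistributionGroups by hand and verify it.
$parentRole = "MyDistributionGroups"
$childRole  = "MyDistributionGroupsManagement"   # assumed name, choose your own
$policy     = "Default Role Assignment Policy"
$denied     = "New-DistributionGroup", "Remove-DistributionGroup"

# 1. Derive the child role. A child starts with every entry of its parent
#    and can only lose entries; it can never gain ones the parent lacks.
if (-not (Get-ManagementRole -Identity $childRole -ErrorAction SilentlyContinue)) {
    New-ManagementRole -Name $childRole -Parent $parentRole | Out-Null
}

# 2. Strip the cmdlets that let a user create or delete whole groups.
foreach ($cmdlet in $denied) {
    $entry = "$childRole\$cmdlet"
    if (Get-ManagementRoleEntry -Identity $entry -ErrorAction SilentlyContinue) {
        Remove-ManagementRoleEntry -Identity $entry -Confirm:$false
    }
}

# 3. Hand the trimmed role to the policy that every mailbox user receives.
$assignmentName = "$childRole-$policy"   # assumed name
if (-not (Get-ManagementRoleAssignment -Identity $assignmentName -ErrorAction SilentlyContinue)) {
    New-ManagementRoleAssignment -Name $assignmentName -Role $childRole -Policy $policy | Out-Null
}

# 4. Verify: the only difference between parent and child must be the two
#    removed cmdlets. Anything else means the role has drifted.
$parentEntries = (Get-ManagementRoleEntry -Identity "$parentRole\*").Name
$childEntries  = (Get-ManagementRoleEntry -Identity "$childRole\*").Name
$diff = Compare-Object -ReferenceObject $parentEntries -DifferenceObject $childEntries
$diff | Format-Table InputObject, SideIndicator -AutoSize   # expect only "<=" rows

$unexpected = $diff | Where-Object {
    $_.SideIndicator -ne "<=" -or ($denied -notcontains $_.InputObject)
}
if ($unexpected) {
    Write-Warning "$childRole differs from $parentRole in more than the removed cmdlets."
} else {
    Write-Output "OK: $childRole = $parentRole minus $($denied -join ', ')"
}
```

The comparison in step 4 is worth keeping as a recurring check: because the child role is unscoped and attached to the default policy, any entry that is ever added back to it is immediately granted to every user in the organization. Users only see the change in a new Exchange session, so have the group manager reopen Outlook after the assignment is created.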
In the ECP we can see the new role.
Now the users can manage the membership of the groups they are managers of.
Thanks for reading.