Preventing end users from changing the Display Name and Alias for Distribution Lists in OWA / Exchange 2010

    Question

  • Is there any way to disable the option to change the Display Name and Alias in the Details screen of the 'Public Groups I Own' section of OWA?  Our organization allows one person in each department to manage their department distribution list so we added a custom role to My Distribution Groups that only allows the end user to add / remove members from the department distribution list.  The end user is unable to create or delete Distribution Lists.

    During testing it was discovered that the owner can change the Display Name and the Alias under the General section of the Details screen for the Distribution List in OWA.  The changes are then reflected in EMC.  We do not want end users to be able to make changes to the Display Name or the Alias and were wondering if there is a way to customize this role to prevent this from occurring.

    Thanks!
    Katerina

    Friday, October 04, 2013 9:37 PM

Answers

  • The topic of RBAC customization isn't something that can be explained in a single forum post! It's a concept that's very powerful, but foreign to what those of us that are used to the "NTFS" model of assigning permissions and rights are used to.

    Rather than me elaborate on what you need to do (which has nothing to do with PowerShell), this is a decent place to start:

    http://www.msexchange.org/articles-tutorials/exchange-server-2010/management-administration/exchange-2010-role-based-access-control-part1.html

    You'll find other informational articles from many sources if you look for "rbac exchange 2010" in Google or Bing.

    I *think* you'll find that there's a problem with the users that are assigned membership in a group that gives them too much access. You'll have to create another group, another RBAC role (based on the "distribution groups"), and restrict the use of the aforementioned parameters in those cmdlets.


    --- Rich Matheisen MCSE&I, Exchange MVP

    Monday, October 07, 2013 10:03 PM

All replies

  • Don't make them owners?

    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."

    Saturday, October 05, 2013 8:14 PM
  • Are those users in any RBAC role group that has the Management Role "Distribution Groups" in it? If they are, you'll have to create and assign a customized role that prohibits them from using the "-DisplayName" and "-Alias" parameters on the Set-Group, Set-DistributionGroup, and Set-DynamicDistributionGroup cmdlets.


    --- Rich Matheisen MCSE&I, Exchange MVP

    Sunday, October 06, 2013 8:40 PM
  • Hi,

    Let’s begin with the following article:

    http://sysadmin-talk.org/2010/06/omg-allowing-end-users-to-manage-distribution-group-membership-in-exchange-2010-2/

    Note: Microsoft is providing this information as a convenience to you. The sites are not controlled by Microsoft. Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. Please make sure that you completely understand the risk before retrieving any suggestions from the above link.

    And to restrict end users from modifying DisplayName and Alias, we can take a chance to run the following commands:

    Remove-ManagementRoleEntry OwnerDistributionGroups\Set-Group -Confirm:$false
    Remove-ManagementRoleEntry OwnerDistributionGroups\Set-DistributionGroup -Confirm:$false
    Remove-ManagementRoleEntry OwnerDistributionGroups\Set-DynamicDistributionGroup -Confirm:$false

    Thanks,

    Angela

    Monday, October 07, 2013 9:20 AM
    Moderator
  • Rich - Thank you for the information on restricting the end users' ability to modify the DisplayName and Alias of a Distribution Group.

    Our network admin ran the scripts listed in the link Angela posted that removes the end users' ability to create / delete Distribution Groups called EndUser Distribution Groups.  This modified role is a child of the My Distribution Groups role in the Default Role Assignment Policy.

    What commands would I run to restrict the users' ability to modify the display name / alias for Set-Group, Set-DistributionGroup, Set-DynamicDistributionGroup?

    I am fairly new to PowerShell commands so any information that you can provide would be greatly appreciated.

    Thanks!

    Katerina

    Monday, October 07, 2013 2:00 PM
  • Angela - Thanks for the information! Our network admin ran the commands that are listed in the link that you posted so we have restricted the end users' ability to create / remove Distribution Lists.  We have a custom role that is a child of the My Distribution Groups under the Default Role Assignment Policy.

    Do these commands modify the Default Role Assignment or the Recipient Management Role?  I am fairly new to PowerShell Commands and RBAC so I am trying to understand how these commands work on the backend.

    Thanks!
    Katerina

    Monday, October 07, 2013 2:07 PM
  • Thanks, Rich.  I appreciate the information and will review the links you provided.

    Katerina

    Tuesday, October 08, 2013 1:49 PM
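
Added example (not part of any post in this thread): one way to apply the parameter-level restriction described in the answer, run from the Exchange Management Shell. It assumes the custom child role of My Distribution Groups is named 'EndUser Distribution Groups' as stated in the thread; substitute the actual role name. Built-in roles cannot be edited, so this only works against a custom child role.

```powershell
# Added example; the role name below is an assumption taken from the thread.
$role    = 'EndUser Distribution Groups'
$cmdlets = 'Set-Group', 'Set-DistributionGroup', 'Set-DynamicDistributionGroup'
$blocked = 'DisplayName', 'Alias'

foreach ($cmdlet in $cmdlets) {
    $entry = Get-ManagementRoleEntry "$role\$cmdlet" -ErrorAction SilentlyContinue
    if (-not $entry) {
        Write-Host "$cmdlet is not an entry in '$role'; nothing to change."
        continue
    }

    # Remove only the parameters this entry actually carries; not every
    # cmdlet in the list necessarily exposes both of them.
    $present = @($blocked | Where-Object { $entry.Parameters -contains $_ })
    if ($present.Count -eq 0) {
        Write-Host "$cmdlet already lacks: $($blocked -join ', ')"
        continue
    }

    Set-ManagementRoleEntry "$role\$cmdlet" -Parameters $present -RemoveParameter
    Write-Host "$cmdlet : removed $($present -join ', ')"
}

# Verify: re-read each entry and report any blocked parameter still present.
foreach ($cmdlet in $cmdlets) {
    $entry = Get-ManagementRoleEntry "$role\$cmdlet" -ErrorAction SilentlyContinue
    if ($entry) {
        $left = @($blocked | Where-Object { $entry.Parameters -contains $_ })
        if ($left.Count -gt 0) {
            Write-Warning "$cmdlet still allows: $($left -join ', ')"
        }
    }
}

# RBAC is additive: if the unmodified parent role (or any other role with
# these cmdlets) is still assigned to the same users, they keep the
# parameters through that assignment. List what the policy grants.
Get-ManagementRoleAssignment -RoleAssignee 'Default Role Assignment Policy' |
    Format-Table Name, Role -AutoSize
```

Unlike removing the three Set-* entries outright, this leaves the cmdlets in the role with their remaining parameters; membership changes go through the separate Add-/Remove-DistributionGroupMember entries either way.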