Permission to Set Managers On Distribution Groups in Exchange 2010

  • Question

  • We have over 900 distribution groups in our organization.
    Is there a way in Exchange 2010 to give a user or group the ability to modify the Managers of Distribution Groups without having to make them an owner of each individual list?

    • Edited by Alvi932 Tuesday, June 16, 2015 9:01 PM
    Tuesday, June 16, 2015 8:45 PM

Answers

  • Hi,

    You may consider using RBAC; refer to this document:

    https://technet.microsoft.com/en-us/library/dd298183(v=exchg.141).aspx

    Following are my steps for reference:

    Create a new management role group

    New-RoleGroup -Name DGManagement

    Create a new management role

    New-ManagementRole -Parent "Distribution Groups" -Name "DG role"

    Configure the role entry with necessary cmdlets.

    Use this command to remove all cmdlets except Set-DistributionGroup

    Get-ManagementRoleEntry "DG role\*" | where {$_.name -ne "Set-DistributionGroup"} | Remove-ManagementRoleEntry

    Add necessary cmdlets one by one

    Add-ManagementRoleEntry "DG Role\Get-Recipient"

    Add-ManagementRoleEntry "DG Role\Set-Group"

    Add-ManagementRoleEntry "DG Role\Get-User"

    Add-ManagementRoleEntry "DG Role\Get-Group"

    Add-ManagementRoleEntry "DG Role\Get-DistributionGroup"

    Configure the role entry with necessary parameters to manage the "manage" tab, remove all unnecessary parameters except “ManagedBy”

    Set-ManagementRoleEntry "DG Role\Set-DistributionGroup" -Parameters AcceptMessagesOnlyFrom, AcceptMessagesOnlyFromDLMembers, AcceptMessagesOnlyFromSendersOrMembers, Alias, BypassModerationFromSendersOrMembers, BypassNestedModerationEnabled, Confirm, CustomAttribute1, CustomAttribute10, CustomAttribute11, CustomAttribute12, CustomAttribute13, CustomAttribute14, CustomAttribute15, CustomAttribute2, CustomAttribute3, CustomAttribute4, CustomAttribute5, CustomAttribute6, CustomAttribute7, CustomAttribute8, CustomAttribute9, Debug, DisplayName, DomainController, EmailAddresses, EmailAddressPolicyEnabled, ErrorAction, ErrorVariable, ExpansionServer, ExtensionCustomAttribute1, ExtensionCustomAttribute2, ExtensionCustomAttribute3, ExtensionCustomAttribute4, ExtensionCustomAttribute5, ForceUpgrade, GrantSendOnBehalfTo, HiddenFromAddressListsEnabled, Identity, IgnoreDefaultScope, IgnoreNamingPolicy, MailTip, MailTipTranslations, MaxReceiveSize, MaxSendSize, MemberDepartRestriction, MemberJoinRestriction, ModeratedBy, ModerationEnabled, Name, OutBuffer, OutVariable, PrimarySmtpAddress, RejectMessagesFrom, RejectMessagesFromDLMembers, RejectMessagesFromSendersOrMembers, ReportToManagerEnabled, ReportToOriginatorEnabled, RequireSenderAuthenticationEnabled, RoomList, SamAccountName, SendModerationNotifications, SendOofMessageToOriginatorEnabled, SimpleDisplayName, Verbose, WarningAction, WarningVariable, WhatIf, WindowsEmailAddress -RemoveParameter

    Check with this command

    Get-ManagementRoleEntry "DG Role\Set-DistributionGroup" | fl parameters

    Add this new management role to new management role group.

    1. In the ECP, navigate to Roles & Auditing > Administrator Roles.
    2. Select the ‘DGManagement’ role group, and then click Details.
    3. In the Roles section, add the ‘DG Role’.
    4. When you’ve finished adding roles to the role group, click Save.

    Add a distribution group or user as a member of the new management role group.

    1. In the EAC, navigate to Roles & Auditing > Administrator Roles.
    2. Select the ‘DGManagement’ role group, and then click Details.
    3. In the Members section, select the group or user you want to add.
    4. When you’ve finished adding members to the role group, click Save.

    When these users log in to ECP, the results should be like the following screenshot; they can only edit the ownership tab.

    Best Regards.


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com

    Lynn-Li
    TechNet Community Support

    Wednesday, June 17, 2015 7:20 AM
    Moderator
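
One way to check the role built by the steps above for least privilege, as an added example that is not part of the original answer: it compares role entries against a reviewed allowlist and flags write cmdlets or parameters that go beyond it. The function name `Test-RoleEntryDrift`, the allowlist and the sample entries are assumptions constructed for illustration; the syntax is kept compatible with PowerShell 2.0.

```powershell
# Added example: audits a custom RBAC role's entries against a reviewed allowlist.
function Test-RoleEntryDrift {
    param(
        [Parameter(Mandatory=$true)] [object[]]  $Entries,       # objects exposing .Name and .Parameters
        [Parameter(Mandatory=$true)] [hashtable] $AllowedParams, # write cmdlet -> parameters it may keep
        [string[]] $AllowedReadCmdlets = @()
    )
    foreach ($e in $Entries) {
        $finding = $null; $detail = @()
        if ($e.Name -like 'Get-*') {
            if ($AllowedReadCmdlets -notcontains $e.Name) { $finding = 'Unexpected read cmdlet' }
        }
        elseif (-not $AllowedParams.ContainsKey($e.Name)) {
            # A cmdlet added back without -Parameters keeps every parameter of the parent entry.
            $finding = 'Write cmdlet without a reviewed parameter list'
            $detail  = @($e.Parameters)
        }
        else {
            $detail = @($e.Parameters | Where-Object { $AllowedParams[$e.Name] -notcontains $_ })
            if ($detail.Count -gt 0) { $finding = 'Parameters beyond the allowlist' }
        }
        if ($finding) {
            New-Object PSObject -Property @{
                Cmdlet = $e.Name; Finding = $finding; Parameters = ($detail -join ', ')
            } | Select-Object Cmdlet, Finding, Parameters
        }
    }
}

# Allowlist reflecting the answer's stated intent (assumption: only ManagedBy stays writable).
$allowed = @{ 'Set-DistributionGroup' = @('ManagedBy') }
$reads   = 'Get-Recipient', 'Get-User', 'Get-Group', 'Get-DistributionGroup'

# Constructed sample standing in for Get-ManagementRoleEntry output.
$sample = @(
    (New-Object PSObject -Property @{ Name = 'Set-DistributionGroup'; Parameters = @('ManagedBy', 'ModeratedBy') }),
    (New-Object PSObject -Property @{ Name = 'Set-Group'; Parameters = @('Identity', 'ManagedBy', 'DisplayName') }),
    (New-Object PSObject -Property @{ Name = 'Get-Recipient'; Parameters = @('Identity') })
)
Test-RoleEntryDrift -Entries $sample -AllowedParams $allowed -AllowedReadCmdlets $reads | Format-Table -AutoSize

# Against a live role in the Exchange Management Shell:
# Test-RoleEntryDrift -Entries (Get-ManagementRoleEntry "DG role\*") -AllowedParams $allowed -AllowedReadCmdlets $reads
```

On the constructed sample this reports the leftover `ModeratedBy` parameter and the unreviewed `Set-Group` entry, and stays silent on `Get-Recipient`.
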
  • Hi,

    To manage universal security groups, we need to create another new management role.

    Security Group Creation and Membership role

    https://technet.microsoft.com/en-us/library/dd876860(v=exchg.150).aspx

    Like this:

    New-ManagementRole -Parent "Security Group Creation and Membership" -Name "SG role"

    The next steps are the same as above.

    Best Regards.


    Lynn-Li
    TechNet Community Support

    • Marked as answer by Alvi932 Wednesday, July 1, 2015 11:00 AM
    Tuesday, June 30, 2015 2:30 AM
    Moderator

All replies

  • Hi Lynn-Li,

    Thanks for a nice and useful post.

    Could you please clarify the below things.

    1) If we apply the above procedure (copy & paste), does it only allow members of the DG Management group to edit (add/remove) the Managers (Managed by) of all distribution groups? Will existing Managers (Managed by) be replaced by DG Management?

    2) A user is a member of the "Help Desk" group. When he wants to add a Manager to any distribution group, he gets the error message: "You don't have sufficient permissions. This operation can only be performed by a manager of the group." Currently, members listed in "Managed by" and Exchange Organization Management administrators can perform this without any error. If a user is already a member of the "Help Desk" group and we additionally add them to the "DG Management" group, will the user lose any rights he already has as part of the "Help Desk" group? Or will the effective rights be Help Desk + DG Management (the right to add/delete Managers in all distribution groups)?

    3) Will the above procedure replace the existing Managers (Managed by) in the Distribution Groups with "DG Management" members? For example, we have 900+ Distribution Groups. Each Distribution Group has 2/3 different Managers in Managed By. They can edit (add/delete) other managers in their individual distribution group, and the Exchange Administrator can edit all the Managers (Managed By). If we follow your above procedure and add some members to the Help Desk and DG Management groups, will they get HELP DESK + the right to edit Managers (Managed By)?

    4) Will the names of "DG Management" members show in the Managers (Managed by) of all the Distribution Groups?

    Monday, June 22, 2015 1:43 AM
  • Hi,

    1. Yes, only members of the DG Management group can edit the Managers of all distribution groups. Existing Managers will not be replaced by DG Management. It’s just a group to help you manage your organization.

    2. Yes, the effective rights will be Help Desk + DG Management. Users in the "Help Desk" group will not lose any rights under the "Help Desk" group.

    3. No, my method will not replace existing Managers in the Distribution Group. Members of the Help Desk and DG Management groups will get HELP DESK + rights to edit Managers.

    4. No, the names of "DG Management" members will not show in the Managers of all the Distribution Groups unless someone sets them as the manager.

    Anyway, RBAC only gives other users one or more of an Administrator's access rights to manage the organization.

    Best Regards.


    Lynn-Li
    TechNet Community Support

    Tuesday, June 23, 2015 9:55 AM
    Moderator
  • Hi Lynn,

    Added a test user in the DG Management group.

    Now for some of the Distribution groups they can add the Managers without any error.

    But for most of the distribution groups, when the test user wants to add Managers (Managed By), they still get the error message "You don't have sufficient permissions. This operation can only be performed by a manager of the group."

    Wednesday, June 24, 2015 3:12 AM
  • Hi,

    What's the type of those groups? Are they security groups or dynamic groups?

    Best Regards.


    Lynn-Li
    TechNet Community Support

    Tuesday, June 30, 2015 1:09 AM
    Moderator
  • Hi Lynn,

    Mail universal Security Group

    Tuesday, June 30, 2015 1:31 AM