How do I use RBAC to allow users in a security group the ability to manage all the distribution groups within a particular OU?

    Question

  • I tried adding a management role assignment to the "Distribution Groups" role and used -RecipientOrganizationalUnitScope to define the OU. This lets the users see all the distribution groups, but they do not have write access. Do I somehow need to define -CustomConfigWriteScope for the assignment?

    Update - I should add that I'm trying to get this to work using ECP.
    Friday, February 19, 2010 5:30 PM

All replies

  • Tim-

    Have you tried something like this?

    New-ManagementRoleAssignment "Distribution Groups Full Control" -Role "Distribution Groups" -SecurityGroup "YourSecurityGroup" -RecipientOrganizationalUnitScope "domain.com/foobar/groups/distribution"

    Active Directory, 4th Edition - www.briandesmond.com/ad4/
    Sunday, February 21, 2010 6:52 PM
  • This is pretty much exactly what I tried first.

    Created a new role in case I want to tweak it:
    New-ManagementRole -Parent "Distribution Groups" -Name DistributionGroupsCustom

    Assigned that role using recipientorganizationalunitscope:
    New-ManagementRoleAssignment -Name "DistributionGroupsCustom_Exchange Resource Unit Managers" -SecurityGroup "****: Exchange Resource Unit Managers" -Role "DistributionGroupsCustom" -RecipientOrganizationalUnitScope "****.edu/Exchange Resource Units"

    When I log in to the EMC with a member of the security group used above, I can see all the distribution groups on the "My Organization" > "Public Groups" tab, but all the properties are greyed out.

    What am I missing?
    Monday, February 22, 2010 3:29 PM
  • Hi,

    Please try to use the following cmdlet:

    New-ManagementRoleAssignment -Name "Distribution Groups_North America Exec Assistants" -Role "Distribution Groups" -SecurityGroup "North America Exec Assistants" -CustomRecipientWriteScope "North America Recipients"

    The assignment restricts the recipient write scope of the role to the scope specified in the North America Recipients custom recipient management scope. Users who are members of the North America Exec Assistants role group can only create, modify, or remove distribution group objects that match the specified custom recipient management scope.

    More related information to share with you:

    New-ManagementRoleAssignment
    http://technet.microsoft.com/en-us/library/dd335193.aspx

    Regards,
    Xiu
    Tuesday, February 23, 2010 7:07 AM
    Moderator
  • So I created a management scope
    New-ManagementScope "Exchange Resource Units" -RecipientRestrictionFilter { RecipientType -eq 'MailUniversalSecurityGroup' } -RecipientRoot "*****/Exchange Resource Units"

    And then the role assignment:
    New-ManagementRoleAssignment -Name "DistributionGroupsCustom_Exchange Resource Unit Managers" -SecurityGroup "****: Exchange Resource Unit Managers" -Role "DistributionGroupsCustom" -CustomRecipientWriteScope "Exchange Resource Units"

    As before, when I log in to the EMC with a member of the security group used above, I can see all the distribution groups in the OU specified on the "My Organization" > "Public Groups" tab, but all the properties are greyed out.

    I really think I have to have a custom config scope, but there doesn't seem to be a way to set one up. Also, where are the custom read scopes? I would really like my users to only see what they have access to manage.
    Thursday, February 25, 2010 3:44 PM
  • Hi,

    Please try to use CustomRecipientWriteScope and then check the issue again.

    Regards,
    Xiu
    Friday, February 26, 2010 2:34 AM
    Moderator
  • As I mentioned in my last post, that is exactly what I tried.

    Has anyone out there got something like this to work?
    Tuesday, March 02, 2010 5:31 PM
  • Hi Tim,

     I tried the same scenario in my lab for you.

     I was able to get it to work with the following cmdlets.

     Try this plan:

     New-RoleGroup -Roles "Distribution Groups","Security Group Creation and Membership" -DisplayName "EditDG" -Name "EditDG"

     Add-RoleGroupMember -Member "****: Exchange Resource Unit Managers" -Identity "EditDG"

     Log in to ECP as any member of "Exchange Resource Unit Managers".

     You will be able to add and manage public distribution groups.

     All the Best :)
    Sathish Kumar Elango | MCSE 2003 & MCSA Messaging | http://msexchangehelp.wordpress.com
    Tuesday, March 02, 2010 10:12 PM
  • Hi Tim,

     I tried the same scenario in my lab for you.

     I was able to get it to work with the following cmdlets.

     Try this plan:

     New-RoleGroup -Roles "Distribution Groups","Security Group Creation and Membership" -DisplayName "EditDG" -Name "EditDG"

     Add-RoleGroupMember -Member "****: Exchange Resource Unit Managers" -Identity "EditDG"

     Log in to ECP as any member of "Exchange Resource Unit Managers".

     You will be able to add and manage public distribution groups.

     Refer to the following blog for a more detailed, screenshot-based plan.

     How to Delegate RBAC Permission for a Mailbox or Group to Create New Public Groups in ECP ( Exchange Control Panel) – Exchange 2010

     http://msexchangehelp.wordpress.com/2010/03/03/how-to-delegate-rbac-permission-for-a-mailbox-or-group-to-create-new-public-groups-in-ecp-exchange-control-panel-exchange-2010/

     All the Best :)
    Sathish Kumar Elango | MCSE 2003 & MCSA Messaging | http://msexchangehelp.wordpress.com
    Wednesday, March 03, 2010 5:48 AM
  • This is great and it works IF you want to allow this access for ALL distribution groups. I need to set the scope to a particular OU not the entire organization.

    If I change the management role assignments (created when adding the role group) trying to define the OU scope using "RecipientOrganizationalUnitScope" or "CustomRecipientWriteScope" then all the distribution groups are greyed out.


    Again I'm back to needing a custom config scope and custom read scope.
    Wednesday, March 03, 2010 4:35 PM
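Pulling the pieces from the replies above together (the custom recipient scope from Xiu's reply, the dedicated role group from Sathish's), here is an added PowerShell example that is not code from any of the posters: it creates an OU-rooted custom recipient write scope, assigns the "Distribution Groups" role through a role group with that scope, and then reads the effective scopes and effective users back so the delegation can be checked before it is handed over. The OU path, security group name, scope name and role group name are placeholders; the recipient-type filter is written so that it matches distribution groups (RecipientType MailUniversalDistributionGroup), since a filter naming only MailUniversalSecurityGroup covers mail-enabled security groups and leaves distribution groups outside the write scope.

```powershell
# Added example (Exchange 2010 Management Shell); placeholders below are not from the thread.
$ouRoot    = "contoso.edu/Exchange Resource Units"        # placeholder OU that holds the groups
$delegates = "CONTOSO\Exchange Resource Unit Managers"     # placeholder AD security group of delegates
$scopeName = "Exchange Resource Units - Groups"            # placeholder custom scope name
$roleGroup = "DG Managers - Exchange Resource Units"       # placeholder role group name

# 1. Custom recipient scope: writes are limited to groups under the OU root.
#    Distribution groups carry RecipientType MailUniversalDistributionGroup; the second
#    clause also admits mail-enabled security groups. Leave it out if only DGs are wanted.
$filter = "(RecipientType -eq 'MailUniversalDistributionGroup') -or " +
          "(RecipientType -eq 'MailUniversalSecurityGroup')"
New-ManagementScope -Name $scopeName -RecipientRoot $ouRoot -RecipientRestrictionFilter $filter

# Preview exactly which objects fall inside the scope (same root, same filter) before assigning it.
Get-Recipient -OrganizationalUnit $ouRoot -Filter $filter |
    Select-Object Name, RecipientType, OrganizationalUnit

# 2. Dedicated role group; the custom write scope is stamped on every assignment it creates.
#    Keep the role set minimal: "Distribution Groups" alone is enough to edit existing groups.
New-RoleGroup -Name $roleGroup -Roles "Distribution Groups" -Members $delegates `
    -CustomRecipientWriteScope $scopeName

# 3. Verify what was actually granted. RecipientReadScope stays at the role's implicit value
#    (Organization), which is why delegates still see every group: custom scopes limit writes only.
Get-ManagementRoleAssignment -RoleAssignee $roleGroup |
    Format-List Name, Role, RecipientReadScope, RecipientWriteScope, CustomRecipientWriteScope

# 4. Confirm the intended people, and nobody else, are picked up through the role group.
Get-ManagementRoleAssignment -Role "Distribution Groups" -GetEffectiveUsers |
    Where-Object { $_.RoleAssignee -eq $roleGroup } |
    Select-Object EffectiveUserName, RoleAssignmentDelegationType
```

Steps 3 and 4 are the part worth keeping as a recurring check: re-running them after any change to the role group or scope shows whether the OU-limited write scope is still in place or has silently widened back to Organization.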
  • I don't suppose anyone has an answer to this question yet?

    I am trying the same general configuration - we need the ability to delegate distribution group management (via ECP) to some administrators based on OU.  When creating role assignments and specifying a custom recipient write scope the ability to modify groups goes away.  When no scope is specified (e.g. Organization is used), then they have access.

    Wednesday, March 31, 2010 9:47 PM
  • Hi everyone.  I'm trying the same thing.  I had started a separate thread:

    http://social.technet.microsoft.com/Forums/en-US/exchange2010/thread/92925f7c-97ba-4a96-a4c4-33c193a7b201/?prof=required.

    I can't believe this would be so difficult!  This seems like such a common question.  Leave it to Microsoft to overlook the obvious!

    Any more ideas??

    Tuesday, June 01, 2010 6:51 PM
  • Anyone?
    Thursday, June 03, 2010 9:15 PM
  • Has anyone tried this in SP1 Beta to see if anything has changed?
    Wednesday, June 09, 2010 4:21 PM