Exchange 2010 Distribution Group Membership Management

  • Question

  • How can I allow a Security Group access to modify membership of ALL the Distribution Groups in my organization? For example, if someone calls the helpdesk to get on a DL. I don't want to add all the members of the helpdesk to the Managed By list. Not to mention the management of Add/Deletes.

    Please help. Thanks in advance. -James

    Thursday, May 5, 2011 2:06 PM

All replies

  • Hi,

    You can delegate the management of the distribution group to a specific user; you can do it with PowerShell:

    Add-ADPermission -Identity <name of distribution group> -User <name of user> -AccessRights WriteProperty -Properties "Member"

     

    Best regards


    Best Regards Don't forget to mark it as answer if it helps
    Thursday, May 5, 2011 2:15 PM
  • Hi James,

    If you want someone to modify membership of all DGs (or use the cmdlets Add-DistributionGroupMember & Remove-DistributionGroupMember), you can assign the Distribution Groups Role to the user (USG).

    Distribution Groups Role
    Add a Role to a User or USG
    Frank Wang

    TechNet Subscriber Support in forum

    If you have any feedback on our support, please contact tngfb@microsoft.com  


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    Friday, May 6, 2011 9:11 AM
  • Hi James,

    Any updates?


    Monday, May 9, 2011 6:03 AM
  • Hi James,

    Any updates?


    Wednesday, May 11, 2011 1:17 AM
  • Sorry. Apparently my notifications are not working. Thanks for the reply. This article looks like what I need Frank, but I tried the following and it is not working.

    EMS: New-RoleGroup -Name "FISD Distribution Group Management" -Roles "Distribution Groups"

    EMS: Add-RoleGroupMember "FISD Distribution Group Management" -Member "Domain Admins"

    I had one of my team (member of Domain Admins) go into Outlook 2010 and try to modify the membership of a Distribution Group. Got the same error as before that he did not have sufficient privileges.


    Wednesday, May 11, 2011 9:09 PM
  • Hi James,

    You can manage the DL in EMC & EMS as I said.

    If you want to manage group in Outlook 2010, please see:

    How to Manage Groups that I already own in Exchange 2010?

    http://blogs.technet.com/b/exchange/archive/2009/11/18/3408844.aspx

    Frank Wang

    Thursday, May 12, 2011 6:05 AM
  • Ok, I did not say in the beginning that I wanted to use Outlook to manage DL memberships, but yes, that is what I want to do. As I did state though, I do not want to add multiple users/groups to the "Managed By" list. In this scenario we would have to add the group in question to each new DL when it was created. Is there no way that users could be assigned a role/permissions to do this and NOT be in the Managed By list?
    Thursday, May 12, 2011 12:32 PM
  • Hi James...

    There are modifications in Exchange 2010, and one of those is the manner in which you allow managers to manage a distribution group. You need to use RBAC for granting permissions.

    "If you want that all the owners of a distribution list can manage their own distribution list follow the steps below. With the great feature RBAC (Role Based Access Control) in Exchange 2010 we are able to give the users the right permissions to manage their own distribution lists. So we have more time to drink coffee."

    You will need to create an RBAC role and personalize it, because if you follow the article you will give permission to all users in the organization. After creating the role you will need to apply it just to the security group.

    I suggest that you see this article: http://www.more2know.nl/2010/09/30/exchange-2010-sp1-unable-to-manage-distribution-groups/

    http://blogs.technet.com/b/exchange/archive/2009/11/18/3408844.aspx

     


    MCP, MCSA, MCTS 7, MCITP SA, MCITP Messaging

    *Best Regards Don't forget to mark it as answer if it helps

    • Edited by RPeluffo Monday, May 23, 2011 4:54 PM correction
    Monday, May 23, 2011 4:52 PM
  • RPeluffo, thanks, but that is not what I am looking for. I already have set owners to be able to modify their DL's. What I need now is to add a USG access to modify membership of ALL the DL's in my org without being a member of the "Managed By" list. Thanks.
    Tuesday, May 24, 2011 1:09 PM
  • Is this not possible in Exchange 2010? Anyone?
    Wednesday, June 15, 2011 3:07 PM
  • James, I'm pretty much in the same boat as you on this. It seems like Outlook 2010 in an Exchange 2010 environment is not capable of doing this. From my experience, even with every possible RBAC permission granted to someone they will not be able to manage the DL through Outlook 2010 UNLESS they are also listed under the "managed-by" for that distribution list. I don't know who designed it this way, or what they were thinking, but it seems like a very bad idea to me and a lot of tedious and unnecessary micro-management for distribution lists.

    If anyone can contradict the above statement, then please share your secret.

    • Proposed as answer by Wang Huang Sunday, February 3, 2013 11:40 PM
    Thursday, July 14, 2011 9:52 PM
  • I'm just glad someone understands what I am talking about. There has to be some way to do it though. Me, as a domain/enterprise/schema admin and whatever else I have.....I CAN update any group even though I am not a member of "Managed By". Maybe there is hope?
    Thursday, July 14, 2011 10:13 PM
  • Hi James,

     

    Have you tried to assign the RBAC role to these users that need to change the DL's?

    Look at this:

    http://blogs.technet.com/b/exchange/archive/2009/11/18/3408844.aspx

    Maybe you will need to customize it for your environment.

     


    MCSA, MCTS 7, MCITP SA, MCITP EA, MCITP Messaging *Best Regards Don't forget to mark it as answer if it helps
    Monday, August 15, 2011 7:01 PM
  • Put all required users in a security group and make the security group a member of "Exchange Recipient Administrators" from Active Directory Users and Computers or the ECP of 2010.
    • Proposed as answer by Lalit Bisht Wednesday, April 17, 2013 6:02 AM
    • Unproposed as answer by JamesU Wednesday, April 17, 2013 4:27 PM
    • Proposed as answer by Lalit Bisht Thursday, May 2, 2013 1:53 PM
    Wednesday, April 17, 2013 6:02 AM
  • Maybe you are referring to Exchange 2007? I don't see an "Exchange Recipient Administrators" group in Active Directory. Also, ECP? There is EMC and EMS for 2010, but I do not know of ECP.

    If you could provide more detailed instructions, maybe I could find these things.

    Wednesday, April 17, 2013 4:13 PM
  • ECP is a new feature in Exchange 2010; it stands for "Exchange Control Panel". You can access the ECP URL through

    https://<your webmail URL>/ecp

    Also, you can find the "Exchange Recipient Administrators" group in Entire Directory while searching in the Active Directory of your resource forest where the Exchange servers are installed.

    Hope that clears it up for you...

    • Proposed as answer by Lalit Bisht Thursday, May 2, 2013 1:58 PM
    • Unproposed as answer by JamesU Thursday, May 2, 2013 6:45 PM
    Thursday, May 2, 2013 1:58 PM
  • Ok, I did not know that section of OWA had a name. Sorry.

    I have searched my AD for "exchange recipient administrators", "exchange", "recipient", etc. and cannot find that specific group. The closest group I have is Recipient Management, but when I add a user to the group to test, it does not work.

    The more I research, I think that group was introduced in Exchange 2007. You probably upgraded to 2010 which migrated the group. We instead did a fresh install of 2010 so the group is not there.

    I did also use the ECP to add the "Organization Management" role to an account and then tested as well. Still not able to modify distribution groups.

    Still looking for an answer.

    Thursday, May 2, 2013 6:45 PM
  • I may be misguided, but I think I see where the issue is. The Recipient Management Role Group contains the Distribution Groups Role which allows the Add-DistributionGroupMember cmdlet. The default for this cmdlet is to check if the executing user is listed as the manager for the distribution list. Alternatively, you can specify the -BypassSecurityGroupManagerCheck parameter which allows the command to complete successfully.

    I believe that if the default of the cmdlet was to NOT check, things would all be working fine. My entire goal here is to allow updating without being the manager.

    Does anyone know if it is possible to create a new Role which I can manually set the default parameters for cmdlets it contains?

    Thursday, May 2, 2013 8:44 PM
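
Added example, not part of the thread: a least-privilege way to give a helpdesk group only the membership cmdlets discussed above, as a custom child of the Distribution Groups role instead of membership in Organization Management or Domain Admins. The role, role group and security group names are hypothetical, and it applies to the Exchange Management Shell only. A role entry lists a cmdlet and the parameters it permits, so the -BypassSecurityGroupManagerCheck switch still has to be typed on each call; step 3 reports whether the role exposes it.

```powershell
# Added example for the Exchange 2010 Management Shell. Names marked
# "hypothetical" do not come from the thread.
$parentRole  = 'Distribution Groups'              # built-in role named in the thread
$customRole  = 'Helpdesk DG Membership'           # hypothetical custom role
$roleGroup   = 'Helpdesk DG Membership Managers'  # hypothetical role group
$helpdesk    = 'Helpdesk Operators'               # hypothetical universal security group
$bypassParam = 'BypassSecurityGroupManagerCheck'

# Cmdlets the helpdesk needs: find a group, list its members, add and remove members.
$keep = 'Get-DistributionGroup', 'Get-DistributionGroupMember',
        'Add-DistributionGroupMember', 'Remove-DistributionGroupMember'

# 1. A child role starts with the parent's entries and can only be narrowed.
New-ManagementRole -Name $customRole -Parent $parentRole | Out-Null

# 2. Remove every role entry that is not on the keep list.
Get-ManagementRoleEntry "$customRole\*" |
    Where-Object { $keep -notcontains $_.Name } |
    ForEach-Object {
        Remove-ManagementRoleEntry -Identity "$customRole\$($_.Name)" -Confirm:$false
    }

# 3. Check that both membership cmdlets remain and still expose the bypass switch.
$missing = @()
foreach ($cmdlet in 'Add-DistributionGroupMember', 'Remove-DistributionGroupMember') {
    $entry = Get-ManagementRoleEntry "$customRole\$cmdlet" -ErrorAction SilentlyContinue
    if (-not $entry -or ($entry.Parameters -notcontains $bypassParam)) {
        $missing += $cmdlet
    }
}
if ($missing.Count -gt 0) {
    Write-Warning "No -$bypassParam available on: $($missing -join ', ')"
}

# 4. Attach the narrowed role to a role group and add the helpdesk group to it.
New-RoleGroup -Name $roleGroup -Roles $customRole | Out-Null
Add-RoleGroupMember -Identity $roleGroup -Member $helpdesk

# 5. Audit: who holds the role, and what it allows.
Get-ManagementRoleAssignment -Role $customRole |
    Format-Table Name, RoleAssigneeName, RoleAssigneeType -AutoSize
Get-ManagementRoleEntry "$customRole\*" | Format-Table Name, Role -AutoSize
```

A helpdesk member would then run the membership cmdlets with the switch given explicitly, for example `Add-DistributionGroupMember -Identity <group> -Member <user> -BypassSecurityGroupManagerCheck`.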