Customizing Default Role Assignment Policy So That Users Can’t Create Or Delete Distribution Groups, But Can Modify…

MS Exchange

One question I got in response to my article “Group owners cannot manage distribution groups once migrated from Exchange 2003 to 2010” was the steps required to tweak the default role assignment policy so that the owners can modify the groups, but users cannot create or delete distribution groups.

Let me explain the steps required, which have to be done in the Shell. The permissions to create, modify and delete distribution groups live in the default role named “MyDistributionGroups”. Hence, all we need to do is take away the role entries that give users the right to create and delete a distribution group (the New-DistributionGroup and Remove-DistributionGroup cmdlets). But we don’t want to mess with the default roles, so we will create a new role that is a child of “MyDistributionGroups”. I will name it OwnersCanModifyDistributionGroups.

Run the command below in the Shell to create the role.

New-ManagementRole -Name OwnersCanModifyDistributionGroups -Parent MyDistributionGroups

Create a new management role

Now we need to remove the New-DistributionGroup and Remove-DistributionGroup cmdlets from the new management role. The identity of a role entry is written as “RoleName\CmdletName”. Run the following in the Shell.

Remove-ManagementRoleEntry "OwnersCanModifyDistributionGroups\New-DistributionGroup"

Remove right to create a DG

Remove-ManagementRoleEntry "OwnersCanModifyDistributionGroups\Remove-DistributionGroup"

Remove right to delete DG

Now that the custom role is ready, we need to add it to the default role assignment policy. This assumes that the “MyDistributionGroups” role is not already assigned in the policy; if it is, you need to remove that assignment first, otherwise users still inherit the create and delete rights from the parent role. If you are not comfortable with the Shell, the easiest way is to use the ECP and clear the check box (follow my article mentioned in the beginning). Run the command below to add the role to the default policy.

New-ManagementRoleAssignment -Role OwnersCanModifyDistributionGroups -Policy "Default Role Assignment Policy"

Add the new role to default policy

That’s it. Users can now modify the distribution groups they own, but can’t create or remove distribution groups.
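The same procedure as one re-runnable script, with the check for a leftover “MyDistributionGroups” assignment and a final verification of what the trimmed role still grants. This is an added example, not the article’s own commands; it assumes an Exchange Management Shell session with rights to manage RBAC, and uses the role and policy names from the article.

```powershell
# Added example: builds the role described above in one pass and verifies the result.
# Assumes an Exchange Management Shell session with rights to manage RBAC.
$RoleName   = "OwnersCanModifyDistributionGroups"
$PolicyName = "Default Role Assignment Policy"
$Denied     = @("New-DistributionGroup", "Remove-DistributionGroup")

# 1. Create the child role only if it does not already exist (safe to re-run).
if (-not (Get-ManagementRole -Identity $RoleName -ErrorAction SilentlyContinue)) {
    New-ManagementRole -Name $RoleName -Parent "MyDistributionGroups" | Out-Null
}

# 2. Strip the create/delete cmdlets from the child role. The entry identity is
#    "<Role>\<Cmdlet>"; the parent role MyDistributionGroups is left untouched.
foreach ($Cmdlet in $Denied) {
    $Entry = "$RoleName\$Cmdlet"
    if (Get-ManagementRoleEntry -Identity $Entry -ErrorAction SilentlyContinue) {
        Remove-ManagementRoleEntry -Identity $Entry -Confirm:$false
    }
}

# 3. The policy must not still grant the parent role, or users keep create/delete
#    rights through it regardless of the trimmed child role.
Get-ManagementRoleAssignment -RoleAssignee $PolicyName |
    Where-Object { "$($_.Role)" -eq "MyDistributionGroups" } |
    Remove-ManagementRoleAssignment -Confirm:$false

# 4. Assign the trimmed role to the default policy if it is not already assigned.
$Assigned = Get-ManagementRoleAssignment -RoleAssignee $PolicyName |
    Where-Object { "$($_.Role)" -eq $RoleName }
if (-not $Assigned) {
    New-ManagementRoleAssignment -Role $RoleName -Policy $PolicyName | Out-Null
}

# 5. Verify: the role should still carry Set-DistributionGroup and friends,
#    but none of the denied cmdlets.
$Remaining = @(Get-ManagementRoleEntry -Identity "$RoleName\*" | ForEach-Object { $_.Name })
$Leaked    = @($Remaining | Where-Object { $Denied -contains $_ })
if ($Leaked.Count -gt 0) {
    Write-Warning "Still present in ${RoleName}: $($Leaked -join ', ')"
} else {
    Write-Output "OK: $RoleName grants $($Remaining.Count) cmdlets; none of $($Denied -join ' / ')"
}
```

Step 5 is the check worth keeping after any later change to the parent role, since a child role inherits new entries only when they are added to it explicitly, but it is still the quickest way to confirm the create and delete cmdlets are absent.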


7 thoughts on “Customizing Default Role Assignment Policy So That Users Can’t Create Or Delete Distribution Groups, But Can Modify…”

  1. Hi Jose – Thank you very much for providing valuable information; the solution which you have provided really helped me a lot. I need a small help: can you help me with the PowerShell script for restricting modification as well?
  2. What if what I want to achieve is to have ALL “Domain Users” to be able to modify members of certain distribution groups they DO NOT own, but can’t create or remove distribution groups?

    Really appreciate in advance if you can give some help with this. ;-)

    Cheers and thanks for the good tip.
