One question I got in response to my article “Group owners cannot manage distribution groups once migrated from Exchange 2003 to 2010” was the steps required to tweak the default role assignment policy so that the owners can modify the groups, but users cannot create or delete distribution groups.
Let me explain the steps required, which have to be done in the Shell. The permissions to create/modify/delete distribution groups are in the default role named “MyDistributionGroups”. Hence, all we need to do is to take away the role entries which gives users right to create and delete a distribution group (New & Remove-DistributionGroup cmdlets). But, we don’t want to mess with the default roles and hence we will create a new role which is a child of “MyDistributionGroups”. I will name it OwnersCanModifyDistributionGroups.
Run the command below in the Shell to create the role.
New-ManagementRole -Name OwnersCanModifyDistributionGroups -Parent MyDistributionGroups
Now we need to remove the new & remove-distributiongroup cmdlets from the management role. Run the following in the Shell.
Remove-ManagementRoleEntry OwnersCanModifyDistributionGroupsNew-DistributionGroup
Remove-ManagementRoleEntry OwnersCanmodifyDistributionGroupsRemove-DistributionGroup
Now that the custom role is ready, we need to add it to the default role assignment policy. This assumes that you don’t have “MyDistributionGroups” role in the policy. If you have, you need to delete it. Easiest is to use the ECP & remove the check box (follow my article mentioned in the beginning) if you are not comfortable with Shell. Run the command below to add the role to the default policy.
New-ManagementRoleAssignment -Role OwnersCanModifyDistributionGroups -Policy "Default Role Assignment Policy"
That’s it. Users can now modify the distribution groups they own, but can’t create or remove distribution groups.
Thank you!
I had this exact issue, and this was an easy fix.
Glad it helped you Henry.
Hi Rajith- i have posted a question regarding restricting modification in the distribution group can you please help me with the powershell command
Hi Jose – Thank you very much for providing valuable information, the solution which you have provided really helped me a lot. i need a small help can you help me with the PowerShell script for restricting modification as well .
What if what I want to achieve is to have ALL “Domain Users” to be able to modify members of certain distribution groups they DO NOT own, but can’t create or remove distribution groups?
Really appreciate in advance if you can give some help with this. ;-)
Cheers and thanks for the good tip.
Nice article, Saved me from following the steps at http://technet.microsoft.com/en-us/library/ee332316(v=exchg.141).aspx
Thank you Rajith
Glad that you found the article helpful Nehru.