Monday, January 9, 2012

Assign user rights to modify distribution group membership

A colleague of mine here at 4Logic today needed to perform a simple task in an Exchange 2010 environment: allow designated users to administer distribution groups. Most Microsoft documentation suggests adding the RBAC administration role "Distribution Groups" to the user. This has security implications, as any user who is a member of that role group can manage all distribution groups within the organisation.

My colleague eventually worked this out by discovering that the RBAC end-user role "MyDistributionGroups" allows users to manage the distribution groups they own (via Outlook and the Exchange Control Panel).

Note: The group owner is controlled by the "Managed By" property.

He enabled this role by using the following PowerShell command:

New-ManagementRoleAssignment -Role MyDistributionGroups -Policy "Default Role Assignment Policy"

However, this role also allows owners of a distribution group to delete the distribution group.

If you want to allow users to only modify group membership, a custom RBAC management role is required. The following commands create a custom management role that only allows a user listed in the "Managed By" field of a group to modify that group's membership.

New-ManagementRole -Name UpdateAddressLists -Parent MyDistributionGroups

Remove-ManagementRoleEntry UpdateAddressLists\New-DistributionGroup -Confirm:$false

Remove-ManagementRoleEntry UpdateAddressLists\Remove-DistributionGroup -Confirm:$false

New-ManagementRoleAssignment -Role UpdateAddressLists -Policy "Default Role Assignment Policy"
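The same procedure as a single script, with a verification step, as an added example that is not part of the original post. It assumes an Exchange 2010 Management Shell session with rights to manage RBAC; the group name "Sales Team" and the user "jane.doe" are placeholders. Before the role is handed out, it compares the custom role's entries against the parent role so you can confirm that exactly New-DistributionGroup and Remove-DistributionGroup are gone and see which cmdlets the role still grants.

```powershell
# Added example (not from the original post): build the restricted role described
# above, then verify what it still permits before assigning it.
# Assumes an Exchange 2010 Management Shell session with rights to manage RBAC.
# Group and user names are placeholders.

$RoleName   = 'UpdateAddressLists'          # name used in the post
$ParentRole = 'MyDistributionGroups'
$Policy     = 'Default Role Assignment Policy'

# 1. Derive the custom role from the built-in end-user role (idempotent).
if (-not (Get-ManagementRole -Identity $RoleName -ErrorAction SilentlyContinue)) {
    New-ManagementRole -Name $RoleName -Parent $ParentRole | Out-Null
}

# 2. Strip the entries that let an owner create or delete whole groups.
foreach ($cmdlet in 'New-DistributionGroup', 'Remove-DistributionGroup') {
    $entry = "$RoleName\$cmdlet"
    if (Get-ManagementRoleEntry $entry -ErrorAction SilentlyContinue) {
        Remove-ManagementRoleEntry $entry -Confirm:$false
    }
}

# 3. Verify: the only difference from the parent role should be those two cmdlets.
$parentEntries = Get-ManagementRoleEntry "$ParentRole\*" | Select-Object -ExpandProperty Name
$customEntries = Get-ManagementRoleEntry "$RoleName\*"   | Select-Object -ExpandProperty Name
$removed = Compare-Object -ReferenceObject $parentEntries -DifferenceObject $customEntries |
           Where-Object { $_.SideIndicator -eq '<=' } |
           Select-Object -ExpandProperty InputObject
"Cmdlets removed relative to ${ParentRole}: $($removed -join ', ')"
"Cmdlets still granted by ${RoleName}:"
$customEntries | Sort-Object

# 4. Assign the role through the default policy (only if not already assigned).
if (-not (Get-ManagementRoleAssignment -Role $RoleName -ErrorAction SilentlyContinue)) {
    New-ManagementRoleAssignment -Role $RoleName -Policy $Policy | Out-Null
}

# 5. Ownership is what scopes the role: a user can only touch groups that list
#    them in ManagedBy. Placeholder objects; replace with real ones.
Set-DistributionGroup -Identity 'Sales Team' -ManagedBy 'jane.doe'
Get-DistributionGroup -Identity 'Sales Team' | Select-Object Name, ManagedBy
```

RBAC role assignments are additive, so if MyDistributionGroups was already assigned to the same policy (as in the first command above), that assignment must be removed as well with Remove-ManagementRoleAssignment; otherwise the broader role still grants the delete right and the custom role changes nothing.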

1 comment:

  1. You have described it very well. Nowadays, I feel that there is no need to go out of the Internet, because the Internet itself shows many different and unknown pieces of information to us. Today I have got some useful information from your blog...