Distribution Group Owner cannot manage group after migrating from 2007 to 2010

Hasin Ahmed Choudhary, Exchange Administrator
After a recent Outlook migration from a 2007 to a 2010 environment, some issues with Distribution List owners came to light. In this article, I explain how they were rectified.

A recent move from a 2007 to a 2010 Outlook and Exchange environment caused us some issues. We found that DL (Distribution List) owners couldn't modify the members of their DLs. Trying to do so produced an error message.

Upon investigation, we found that permissions had nothing to do with the error, as everything was working fine before the migration. The solution to the above problem lay in the Role Assignment Policy.

The default policy in 2010 does not allow users to modify memberships, even if a user is an owner of a Distribution List.

You can either change the existing Role Assignment Policy or create a new assignment policy and assign it to all DL owners in the organization. You will need to use Exchange PowerShell or ECP to do this.

Log in to ECP using an admin account and change the default role assignment policy to include “MyDistributionGroups” (Roles & Auditing > User Roles).

Once done, the owner can change memberships. This permission also allows users to create new DLs through ECP, which is not desirable in some organizations. So what if only permission to modify members is required?

You will need to use PowerShell for this scenario. We will create a new management role with modified permissions suitable for the organization and assign it to the default policy.

1) Find the default role assignment policy:

Use the following command:

Get-RoleAssignmentPolicy | Where-Object { $_.IsDefault -eq $true }

2) Create a new management role:

We will make use of the built-in management role “MyDistributionGroups” and modify its role entries.

Get the default role entries of “MyDistributionGroups”.

In the output, the first column shows the role entries, some of which are not required.

You can use the sample command below to create a new management role:

New-ManagementRole -Name "NewDistributionGroups" -Parent "MyDistributionGroups"

The new management role will inherit all role entries of “MyDistributionGroups”.

To allow a user to modify membership, only Add-DistributionGroupMember and Remove-DistributionGroupMember are required, so we need to remove all other role entries.

Remove the excess role entries using the following command, first with -WhatIf to preview the result:

Get-ManagementRoleEntry "NewDistributionGroups\*" | Where-Object { $_.Name -like "Set-DistributionGroup" } | Remove-ManagementRoleEntry -WhatIf

To apply the change, run the command without -WhatIf:

Get-ManagementRoleEntry "NewDistributionGroups\*" | Where-Object { $_.Name -like "Set-DistributionGroup" } | Remove-ManagementRoleEntry

Likewise, use the same command to remove all other unwanted role entries.

After removing the excess role entries, confirm the changes in “NewDistributionGroups”.

Now, to add the management role “NewDistributionGroups” to the Default Role Assignment Policy, you can use the following command:

New-ManagementRoleAssignment -Role "NewDistributionGroups" -Policy "Default Role Assignment Policy"

Once done, the user will now be able to change memberships of the Distribution Group.
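
The steps above combined into one script, as an added example that is not part of the original article: it keeps only the two membership cmdlets through an allow-list instead of removing entries one at a time. The $DryRun switch, the variable names and the final check for the parent role are assumptions of this example.

```powershell
# Added example: run in the Exchange Management Shell (Exchange 2010).
$ParentRole = 'MyDistributionGroups'   # built-in role named in the article
$NewRole    = 'NewDistributionGroups'  # child role name used in the article
$Keep       = 'Add-DistributionGroupMember', 'Remove-DistributionGroupMember'
$DryRun     = $true                    # assumption: set to $false to commit changes

# Step 1: resolve the default policy rather than hard-coding its name.
$policy = @(Get-RoleAssignmentPolicy | Where-Object { $_.IsDefault })
if ($policy.Count -ne 1) { throw 'Expected exactly one default role assignment policy.' }
$policyName = $policy[0].Name

# Step 2: create the child role once. An unassigned role grants nothing,
# so this is done even during a dry run to let the pruning preview work.
if (-not (Get-ManagementRole | Where-Object { $_.Name -eq $NewRole })) {
    New-ManagementRole -Name $NewRole -Parent $ParentRole | Out-Null
}

# Fail early if the role does not contain the entries we intend to keep.
$names   = @(Get-ManagementRoleEntry "$NewRole\*" | ForEach-Object { $_.Name })
$missing = @($Keep | Where-Object { $names -notcontains $_ })
if ($missing.Count) { throw "Role is missing: $($missing -join ', ')" }

# Remove every inherited entry that is not on the allow-list.
foreach ($name in $names | Where-Object { $Keep -notcontains $_ }) {
    Remove-ManagementRoleEntry -Identity "$NewRole\$name" -Confirm:$false -WhatIf:$DryRun
}

# Assign the trimmed role to the default policy if it is not there yet.
$existing = Get-ManagementRoleAssignment -Role $NewRole |
    Where-Object { $_.RoleAssigneeName -eq $policyName }
if (-not $existing) {
    New-ManagementRoleAssignment -Role $NewRole -Policy $policyName -WhatIf:$DryRun
}

# RBAC is additive: if the full parent role is also on the policy,
# users keep the ability to create new groups.
$parentOnPolicy = Get-ManagementRoleAssignment -Role $ParentRole |
    Where-Object { $_.RoleAssigneeName -eq $policyName }
if ($parentOnPolicy) {
    Write-Warning "$ParentRole is still assigned to '$policyName'."
}

# Show what the role now contains for review.
Get-ManagementRoleEntry "$NewRole\*" | Format-Table Name, Role -AutoSize
```

Run it once with $DryRun left at $true and review the -WhatIf output before committing.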
