Distribution Group Owner cannot manage group after migrating from 2007 to 2010

After a recent Outlook migration from a 2007 to a 2010 environment, some issues with Distribution List owners came to light. In this article, I explain how they were rectified.

A recent move from a 2007 to a 2010 Outlook and Exchange environment caused us some issues. We found that the DL (Distribution List) owner couldn't modify members in their DL. Trying to do so presented us with the following error message:




Upon investigation, we found that permissions had nothing to do with the error, as all was working fine before the migration. The solution to the above problem was in Role Assignment Policy.


The default policy in 2010 does not allow users to modify memberships, even if a user is an owner of a Distribution List.


You can either change the existing Role Assignment Policy or create a new assignment policy and assign it to all DL owners in the organization. You will need to use Exchange PowerShell or ECP to do this.


Log in to ECP using an admin account and change the default role assignment policy to include “MyDistributionGroups” (Roles & Auditing > User Roles).



Once done, the owner can change memberships. This permission also allows users to create new DLs through ECP, which is not desirable in some organizations. So what if only permission to modify members is required?


You will need to use PowerShell for this scenario. We will create a new management role with modified permissions suitable for the organization and assign it to the default policy.


1) Find the default role assignment policy:


Use the following cmd:


Get-RoleAssignmentPolicy | where { $_.IsDefault -eq $true }



2) Create a new management role:


We will make use of the built-in management role “MyDistributionGroups” and modify its role entries.

Get the default role entries of “MyDistributionGroups”.



Here, the first column shows the role entries, some of which are not required.


You can use the sample cmd below to create a new management role:


New-ManagementRole -Name "NewDistributionGroups" -Parent "MyDistributionGroups"


The new management role will inherit all role entries of “MyDistributionGroups”.



To allow a user to modify membership, only Add-DistributionGroupMember and Remove-DistributionGroupMember are required; we need to remove all other role entries.


Remove an excess role entry using the following cmd:


Get-ManagementRoleEntry "NewDistributionGroups\*" | where { $_.Name -like "Set-DistributionGroup" } | Remove-ManagementRoleEntry -WhatIf


To apply the change, run the cmd without -WhatIf:


Get-ManagementRoleEntry "NewDistributionGroups\*" | where { $_.Name -like "Set-DistributionGroup" } | Remove-ManagementRoleEntry


Likewise, use the same cmd to remove all unwanted role entries.


After removing the excess role entries, confirm the changes in “NewDistributionGroups”.



Now, to add the management role “NewDistributionGroups” to the Default Role Assignment Policy, you can use the following cmd:


New-ManagementRoleAssignment -Role "NewDistributionGroups" -Policy "Default Role Assignment Policy"


Once done, the user will now be able to change memberships of the Distribution Group.
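
The steps above combined into one script, as an added example that is not part of the original article: it trims the child role to the two entries the article names in a single pass instead of one cmd per entry, and warns if the broader “MyDistributionGroups” role is still assigned to the policy. The variables $Apply, $Keep, $ParentRole and $ChildRole are names assumed for this example; the role names and keep-list are the article's.

```powershell
# Added example (not the article's code). Run in the Exchange Management Shell.
# Role names and the keep-list are the article's; $Apply is an assumed variable.
$Apply      = $false   # $false previews removals/assignment with -WhatIf
$ParentRole = 'MyDistributionGroups'
$ChildRole  = 'NewDistributionGroups'
$Keep       = 'Add-DistributionGroupMember', 'Remove-DistributionGroupMember'
$whatIf     = -not $Apply

# 1) Find the default role assignment policy.
$policy = Get-RoleAssignmentPolicy | Where-Object { $_.IsDefault }
if (-not $policy) { throw 'No default role assignment policy found.' }

# 2) Create the child role if it is missing. Until it is assigned to a policy
#    it grants nothing, so this step is not gated behind -WhatIf.
if (-not (Get-ManagementRole -Identity $ChildRole -ErrorAction SilentlyContinue)) {
    New-ManagementRole -Name $ChildRole -Parent $ParentRole | Out-Null
}

# 3) Remove every inherited entry that is not on the keep-list.
#    -notcontains is used so the filter also works on PowerShell 2.0.
Get-ManagementRoleEntry "$ChildRole\*" |
    Where-Object { $Keep -notcontains $_.Name } |
    Remove-ManagementRoleEntry -Confirm:$false -WhatIf:$whatIf

# 4) Assign the trimmed role to the default policy, only if not already assigned.
$assigned = Get-ManagementRoleAssignment -Role $ChildRole -RoleAssignee $policy.Name -ErrorAction SilentlyContinue
if (-not $assigned) {
    New-ManagementRoleAssignment -Role $ChildRole -Policy $policy.Name -WhatIf:$whatIf
}

# 5) Review what the child role now grants, and flag the broader parent role
#    if it is still on the policy (the article notes it also allows creating DLs).
Get-ManagementRoleEntry "$ChildRole\*" | Select-Object Name, Role
$broad = Get-ManagementRoleAssignment -Role $ParentRole -RoleAssignee $policy.Name -ErrorAction SilentlyContinue
if ($broad) {
    Write-Warning "$ParentRole is still assigned to '$($policy.Name)'; owners can also create groups."
}
```

Run it once with $Apply left at $false to review the entries that would be removed, then set it to $true to commit.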

