Distribution Group Owner cannot manage group after migrating from 2007 to 2010

After a recent Outlook migration from a 2007 to a 2010 environment, we ran into some issues with Distribution List owners. In this article, I explain how they were rectified.

A recent move from a 2007 to a 2010 Outlook and Exchange environment caused us some issues. We found that DL (Distribution List) owners couldn't modify the members of their DLs. Trying to do so produced the following error message:

Upon investigation, we found that permissions had nothing to do with the error, as everything was working fine before the migration. The solution to the above problem was in the Role Assignment Policy.

The default policy in 2010 does not allow users to modify memberships, even if a user is an owner of a Distribution List.

You can either change the existing Role Assignment Policy or create a new assignment policy and assign it to all DL owners in the organization. You will need to use Exchange PowerShell or ECP to do this.

Log in to ECP using an admin account and change the default role assignment policy to include “MyDistributionGroups” (Roles & Auditing > User Roles).

Once done, the owner can change memberships. This permission also allows users to create new DLs through ECP, which is not desirable in some organizations. So what if only permission to modify members is required?

You will need to use PowerShell for this scenario. We will create a new management role with modified permissions suitable for the organization and assign it to the default policy.

1) Find the default role assignment policy:

Use the following cmd:

Get-RoleAssignmentPolicy | where { $_.IsDefault -eq $true }

2) Create a new management role:

We will make use of the built-in management role “MyDistributionGroups” and modify its role entries.

Get the default role entries of “MyDistributionGroups”.

Here, the first column shows the role entries, some of which are not required.

You can use the sample cmd below to create a new management role:

New-ManagementRole -Name "NewDistributionGroups" -Parent "MyDistributionGroups"

The new management role will inherit all role entries of “MyDistributionGroups”.

To allow a user to modify membership, only Add-DistributionGroupMember and Remove-DistributionGroupMember are required. We need to remove all other role entries.

Remove an excess role entry using the following cmd (with -WhatIf, it only previews the change):

Get-ManagementRoleEntry "NewDistributionGroups\*" | where { $_.Name -like "Set-DistributionGroup" } | Remove-ManagementRoleEntry -WhatIf

To confirm the change, run the cmd without -WhatIf:

Get-ManagementRoleEntry "NewDistributionGroups\*" | where { $_.Name -like "Set-DistributionGroup" } | Remove-ManagementRoleEntry

Likewise, use the same cmd to remove all unwanted role entries.

After removing the excess role entries, confirm the changes in “NewDistributionGroups”.

Now, to add the management role “NewDistributionGroups” to the Default Role Assignment Policy, you can use the following cmd:

New-ManagementRoleAssignment -Role "NewDistributionGroups" -Policy "Default Role Assignment Policy"

Once done, the user will now be able to change memberships of the Distribution Group.
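The steps above, from finding the default policy to assigning the trimmed role, can be run as one pass. The script below is an added example, not the author's own code: it uses only the cmdlets and role names shown in the article, assumes it is run in the Exchange Management Shell by an administrator, and uses variable names chosen here for illustration.

```powershell
# Added example: consolidates the article's steps; variable names are illustrative.
$parentRole = "MyDistributionGroups"     # built-in role named in the article
$newRole    = "NewDistributionGroups"    # custom role name used in the article
# Per the article, only these two entries are needed to modify membership.
$keep       = @("Add-DistributionGroupMember", "Remove-DistributionGroupMember")

# Step 1: find the default role assignment policy.
$policy = Get-RoleAssignmentPolicy | Where-Object { $_.IsDefault -eq $true }
if (-not $policy) { throw "No default role assignment policy found." }

# Step 2: create the child role only if it does not already exist.
if (-not (Get-ManagementRole $newRole -ErrorAction SilentlyContinue)) {
    New-ManagementRole -Name $newRole -Parent $parentRole | Out-Null
}

# Remove every inherited entry that is not on the keep list, in one pass
# instead of repeating the removal cmd per entry.
Get-ManagementRoleEntry "$newRole\*" |
    Where-Object { $keep -notcontains $_.Name } |
    Remove-ManagementRoleEntry -Confirm:$false

# Confirm that nothing outside the keep list is left on the new role.
$unexpected = Get-ManagementRoleEntry "$newRole\*" |
    Where-Object { $keep -notcontains $_.Name } |
    ForEach-Object { $_.Name }
if ($unexpected) {
    throw "Entries still present on ${newRole}: $($unexpected -join ', ')"
}

# Assign the trimmed role to the default policy (skip if already assigned).
$existing = Get-ManagementRoleAssignment -Role $newRole -RoleAssignee $policy.Name
if (-not $existing) {
    New-ManagementRoleAssignment -Role $newRole -Policy $policy.Name | Out-Null
}

# Least-privilege check: if the full parent role was added to the policy earlier
# (the ECP route), users can still create new DLs despite the trimmed role.
$broad = Get-ManagementRoleAssignment -Role $parentRole -RoleAssignee $policy.Name
if ($broad) {
    Write-Warning "$parentRole is still assigned to '$($policy.Name)'; users can create new DLs."
}

# Final state of the new role, for review.
Get-ManagementRoleEntry "$newRole\*" | Format-Table Name, Role -AutoSize
```

To preview the removal first, as the article does, replace `-Confirm:$false` with `-WhatIf` and review the output before running the script as written.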
