Distribution Group Owner cannot manage group after migrating from 2007 to 2010

After a recent Outlook migration from a 2007 to a 2010 environment, some issues with Distribution List owners came to light. In this article, I explain how they were rectified.

A recent move from a 2007 to a 2010 Outlook and Exchange environment caused us some issues. We found that DL (Distribution List) owners couldn't modify the members of their DLs. Any attempt to do so produced an error message.

Upon investigation, we found that permissions had nothing to do with the error, as everything had been working fine before the migration. The solution to the above problem lay in the Role Assignment Policy.

The default policy in 2010 does not allow users to modify memberships, even if a user is an owner of a Distribution List.

You can either change the existing Role Assignment Policy or create a new assignment policy and assign it to all DL owners in the organization. You will need to use Exchange PowerShell or ECP to do this.

Log in to ECP using an admin account and change the default role assignment policy to include “MyDistributionGroups” (Roles & Auditing > User Roles).

Once this is done, the owner can change memberships. This permission also allows users to create new DLs through ECP, which is not desirable in some organizations. So what if only the permission to modify members is required?

You will need to use PowerShell for this scenario. We will create a new management role with modified permissions suitable for the organization and assign it to the default role assignment policy.

1) Find the default role assignment policy:

Use the following command:

Get-RoleAssignmentPolicy | Where-Object { $_.IsDefault -eq $true }

2) Create a new management role:

We will make use of the built-in management role “MyDistributionGroups” and modify its role entries.

Get the default role entries of “MyDistributionGroups”.

In the output, the first column shows the role entries, some of which are not required.

You can use the sample command below to create a new management role:

New-ManagementRole -Name "NewDistributionGroups" -Parent "MyDistributionGroups"

The new management role will inherit all role entries of “MyDistributionGroups”.

To allow a user to modify membership, only Add-DistributionGroupMember and Remove-DistributionGroupMember are required, so we need to remove all other role entries.

Preview the removal of an excess role entry using the following command:

Get-ManagementRoleEntry "NewDistributionGroups\*" | Where-Object { $_.Name -like "Set-DistributionGroup" } | Remove-ManagementRoleEntry -WhatIf

To apply the change, run the command without -WhatIf:

Get-ManagementRoleEntry "NewDistributionGroups\*" | Where-Object { $_.Name -like "Set-DistributionGroup" } | Remove-ManagementRoleEntry

Likewise, use the same command to remove all other unwanted role entries.

After removing the excess role entries, confirm the changes in “NewDistributionGroups”.

Now, to add the management role “NewDistributionGroups” to the Default Role Assignment Policy, you can use the following command:

New-ManagementRoleAssignment -Role "NewDistributionGroups" -Policy "Default Role Assignment Policy"

Once done, the user will now be able to change memberships of the Distribution Group.
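
The PowerShell steps above combined into one script, as an added example that is not part of the original article. The variable names and the `$preview` switch are assumptions made here; the script also checks whether the broader “MyDistributionGroups” role is still assigned to the default policy, because in that case the trimmed role restricts nothing.

```powershell
# Added example. Run in the Exchange Management Shell as an RBAC administrator.
$parentRole = 'MyDistributionGroups'   # built-in role named in the article
$newRole    = 'NewDistributionGroups'  # child role name used in the article
$keep       = 'Add-DistributionGroupMember', 'Remove-DistributionGroupMember'
$preview    = $true                    # assumption: set to $false to apply changes

# 1) Find the default role assignment policy.
$policy = Get-RoleAssignmentPolicy | Where-Object { $_.IsDefault }
if (-not $policy) { throw 'No default role assignment policy found.' }

# 2) Create the child role once; it inherits every entry of the parent role.
if (-not (Get-ManagementRole | Where-Object { $_.Name -eq $newRole })) {
    New-ManagementRole -Name $newRole -Parent $parentRole | Out-Null
}

# 3) Remove every inherited entry that is not on the keep list.
#    With $preview = $true this only reports what would be removed (-WhatIf).
Get-ManagementRoleEntry "$newRole\*" |
    Where-Object { $keep -notcontains $_.Name } |
    Remove-ManagementRoleEntry -WhatIf:$preview -Confirm:$false

if (-not $preview) {
    # 4) Verify the role holds only the intended entries before assigning it.
    $extra = Get-ManagementRoleEntry "$newRole\*" |
        Where-Object { $keep -notcontains $_.Name }
    if ($extra) {
        $names = ($extra | ForEach-Object { $_.Name }) -join ', '
        throw "Unexpected role entries remain: $names"
    }

    # 5) Assign the trimmed role to the default policy (skip if already assigned).
    if (-not (Get-ManagementRoleAssignment -Role $newRole -RoleAssignee $policy.Name)) {
        New-ManagementRoleAssignment -Role $newRole -Policy $policy.Name
    }
}

# 6) The broader parent role, if still assigned to the policy, also lets users
#    create new groups through ECP, so the trimmed role would restrict nothing.
if (Get-ManagementRoleAssignment -Role $parentRole -RoleAssignee $policy.Name) {
    Write-Warning "$parentRole is still assigned to '$($policy.Name)'."
}
```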

