Modify Distribution Group Members

endital1097Customer Engineer
Managing distribution groups always seems to be changing from one version of Exchange to the next. In Exchange 2003 you would modify the properties of the group by updating the Managed By tab and enabling the Manager can update membership list. To allow additional managers to the distribution list you needed to manually update the Active Directory security settings for the group.
 Exchange 2003 Managed By tab
You granted users permission to modify distributions groups in 2007 by running the following: Get-DistributionGroup DGName | Add-AdPermission –User manager –AccessRights WriteProperty –Properties Member. Adding additional managers became a simple task. You could also add a manager within the Exchange Management Console by modifying the properties of the distribution group on the Group Information tab.
 Exchange 2007 Group Information tab
Exchange 2010 introduced the new RBAC (Role Based Access Control) model. Anyone who has already migrated or began migrating mailboxes may have experienced the issue where users cannot modify groups they could previously. There is an excellent article that describes the cause and solution for this issue on the Exchange Team site. You may have most of your users working after running the script, while others still get the dreaded error.
Outlook errorAs an administrator you may get the following error when you run the Add-DistributionGroupMember cmdlet: You don't have sufficient permissions. This operation can only be performed by a manager of the group.

Why do you as an administrator get that error when trying to add members? Why do your users still get an error trying to update their groups? If you open the properties of the distribution group and look at the Group Information tab, you will notice that the appropriate users are not present under the managed by list. One reason they are missing is the  script used to grant users permission to modify groups in Exchange 2007 did just that and only that. Exchange 2007 also does not add anyone when the group is created (Exchange 2010 automatically adds the group creator).
 Exchange 2010 Group Information tab
Organizations that have many distribution groups and assigned permissions to modify these groups to several users have a daunting task to resolve this issue. Unless there was a way to script a solution…

The first step for resolving this issue is identifying the groups that have had their permissions modified to allow users to update group membership. To do this we want to identify all groups where there are permissions that are not inherited (we added the permission using the Add-AdPermission cmdlet), the access right is WriteProperty, and the Properties include Member (everything that was used in Exchange 2007 to grant permissions).
$groups = Get-DistributionGroup | Get-ADPermission | where { $_.Isinherited -eq $false -and $_.AccessRights -like "WriteProperty"  -and $_.Properties –like “Member” }

Open in new window

Now our variable $groups contains a list of permissions that includes the group name and the user. We need to process each entry converting the User attribute value into a usable string variable and then using that value to update the group’s ManagedBy value. If anyone has updated a user’s email addresses using the shell you will see the similarity here. The script takes the adds our new entry into the ManagedBy array and then updates the group's ManagedBy attribute with the updated array.
foreach($g in $groups) { $user = $g.user.tostring().substring($g.user.tostring().indexof("\") + 1);
                       $group = Get-DistributionGroup $g.identity; 
                      $group.ManagedBy += ( Get-Mailbox $user).distinguishedName; Set-DistributionGroup $group -ManagedBy $group.ManagedBy }

Open in new window

I recommend testing this script prior to running it in production. If you do not have a lab environment, you can create test distribution groups in a separate organizational unit and update the Get-DistributionGroups to include the –OrganizationalUnit switch.
endital1097Customer Engineer

Comments (3)



Congratulations! Your article has been published.

Page Editor

This is great.. It would be a huge help I could script it to read in a file with DL names and then convert them populating the managed by field. I attempted to do this but get an error on the following line, if ran as part of script:
foreach($g in $groups) { $user = $g.user.tostring().substring($g.user.tostring().indexof("\") + 1);

ERROR: You cannot call a method on a null-valued expression.
At C:\scripts\NEW\DL\NEW\DLmodification-FORLIST-u_test.ps1:32 char:50
+ foreach($g in $groups) { $user = $g.user.tostring <<<< ().substring($g.user.tostring().indexof("\") + 1);
    + CategoryInfo          : InvalidOperation: (tostring:String) [], RuntimeException
    + FullyQualifiedErrorId : InvokeMethodOnNull

When I run it manually, it runs fine. Am I missing something? Any Advice would be greatly appreciated.

Attached is my attempted script.

wow  I cannot believe I stumbled upon this article. I have been looking for weeks for something like this, thanks

Have a question about something in this article? You can receive help directly from the article author. Sign up for a free trial to get started.