

Modify Distribution Group Members

Managing distribution groups always seems to be changing from one version of Exchange to the next. In Exchange 2003 you would modify the properties of the group by updating the Managed By tab and enabling the "Manager can update membership list" option. To allow additional managers for the distribution list, you needed to manually update the Active Directory security settings for the group.
 Exchange 2003 Managed By tab
In Exchange 2007 you granted users permission to modify distribution groups by running the following: Get-DistributionGroup DGName | Add-ADPermission -User manager -AccessRights WriteProperty -Properties Member. Adding additional managers became a simple task. You could also add a manager within the Exchange Management Console by modifying the properties of the distribution group on the Group Information tab.
 Exchange 2007 Group Information tab
Exchange 2010 introduced the new RBAC (Role Based Access Control) model. Anyone who has already migrated or begun migrating mailboxes may have experienced the issue where users cannot modify groups they could previously modify. There is an excellent article that describes the cause and solution for this issue on the Exchange Team site. You may have most of your users working after running the script, while others still get the dreaded error.
 Outlook error
As an administrator you may get the following error when you run the Add-DistributionGroupMember cmdlet: You don't have sufficient permissions. This operation can only be performed by a manager of the group.

Why do you as an administrator get that error when trying to add members? Why do your users still get an error trying to update their groups? If you open the properties of the distribution group and look at the Group Information tab, you will notice that the appropriate users are not present in the Managed by list. One reason they are missing is that the script used to grant users permission to modify groups in Exchange 2007 did just that and only that. Exchange 2007 also does not add anyone when the group is created (Exchange 2010 automatically adds the group creator).
 Exchange 2010 Group Information tab
Organizations that have many distribution groups and assigned permissions to modify these groups to several users have a daunting task to resolve this issue. Unless there was a way to script a solution…

The first step for resolving this issue is identifying the groups that have had their permissions modified to allow users to update group membership. To do this we want to identify all groups where there are permissions that are not inherited (we added the permission using the Add-AdPermission cmdlet), the access right is WriteProperty, and the Properties include Member (everything that was used in Exchange 2007 to grant permissions).
$groups = Get-DistributionGroup | Get-ADPermission | where { $_.IsInherited -eq $false -and $_.AccessRights -like "WriteProperty" -and $_.Properties -like "Member" }


Now our variable $groups contains a list of permissions that includes the group name and the user. We need to process each entry, converting the User attribute value into a usable string variable and then using that value to update the group's ManagedBy value. If you have updated a user's email addresses using the shell, you will see the similarity here. The script adds our new entry to the ManagedBy array and then updates the group's ManagedBy attribute with the updated array.
foreach ($g in $groups) {
    $user = $g.User.ToString().Substring($g.User.ToString().IndexOf("\") + 1)  # strip the DOMAIN\ prefix
    $group = Get-DistributionGroup $g.Identity
    $group.ManagedBy += (Get-Mailbox $user).DistinguishedName
    Set-DistributionGroup $group -ManagedBy $group.ManagedBy
}


I recommend testing this script prior to running it in production. If you do not have a lab environment, you can create test distribution groups in a separate organizational unit and update the Get-DistributionGroup call to include the -OrganizationalUnit parameter.
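A dry-run variant of the two steps above, scoped to a test OU as recommended. This is an added example, not the author's script: it assumes the Exchange 2010 Management Shell and a placeholder OU path ($TestOU), skips trustees that have no mailbox or are already managers, and passes -WhatIf so nothing is written.

```powershell
# Added example: dry-run migration of Exchange 2007 "write Member" grants to ManagedBy.
# $TestOU is a hypothetical placeholder; replace it with your own test OU.
$TestOU = "contoso.local/Lab/DG-Test"

$grants = Get-DistributionGroup -OrganizationalUnit $TestOU -ResultSize Unlimited |
    Get-ADPermission |
    Where-Object {
        $_.IsInherited -eq $false -and
        $_.AccessRights -like "WriteProperty" -and
        $_.Properties -like "Member"
    }

$report = foreach ($g in $grants) {
    if ($null -eq $g.User) { continue }           # entry without a trustee: nothing to convert
    $trustee = $g.User.ToString()
    $account = $trustee.Substring($trustee.IndexOf("\") + 1)

    # The trustee may be a group or an account without a mailbox; Get-Mailbox then returns nothing.
    $mbx = Get-Mailbox -Identity $account -ErrorAction SilentlyContinue
    $status = "Skipped: trustee has no mailbox"
    if ($mbx) {
        $group = Get-DistributionGroup -Identity $g.Identity
        $current = @($group.ManagedBy | ForEach-Object { $_.DistinguishedName } | Where-Object { $_ })
        if ($current -contains $mbx.DistinguishedName) {
            $status = "Already a manager"
        } else {
            # -WhatIf reports the change without writing it; remove it to commit.
            Set-DistributionGroup -Identity $group.Identity `
                -ManagedBy ($current + $mbx.DistinguishedName) `
                -BypassSecurityGroupManagerCheck -WhatIf
            $status = "Would add"
        }
    }
    New-Object PSObject -Property @{ Group = $g.Identity; Trustee = $trustee; Status = $status }
}

# Review who would gain manager rights on which group before committing.
$report | Sort-Object Group | Format-Table Group, Trustee, Status -AutoSize
```

The resulting table doubles as a review record of every account that will become a group manager; -BypassSecurityGroupManagerCheck is what lets an administrator who is not yet a manager of the group make the change.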

Expert Comment

by:Eric AKA Netminder

Congratulations! Your article has been published.

Page Editor

Expert Comment

This is great. It would be a huge help if I could script it to read in a file with DL names and then convert them, populating the managed by field. I attempted to do this but get an error on the following line, if run as part of a script:
foreach($g in $groups) { $user = $g.user.tostring().substring($g.user.tostring().indexof("\") + 1);

ERROR: You cannot call a method on a null-valued expression.
At C:\scripts\NEW\DL\NEW\DLmodification-FORLIST-u_test.ps1:32 char:50
+ foreach($g in $groups) { $user = $g.user.tostring <<<< ().substring($g.user.tostring().indexof("\") + 1);
    + CategoryInfo          : InvalidOperation: (tostring:String) [], RuntimeException
    + FullyQualifiedErrorId : InvokeMethodOnNull

When I run it manually, it runs fine. Am I missing something? Any advice would be greatly appreciated.

Attached is my attempted script.


Expert Comment

Wow, I cannot believe I stumbled upon this article. I have been looking for weeks for something like this, thanks.
