Permission for a user to add/modify contacts and DL only

Posted on 2014-08-08
Last Modified: 2014-08-15
I need to give 2 administrative assistants permissions to add contacts and DLs. We had a consultant before who was able to do this via RBAC and it worked great. The user would just log in to their webmail and configure the contacts and DLs from there. I just need to know how I can do the same thing for the other 2 users.
Question by:CiscoAzn

    Assisted Solution

    by:Brad Groux
    The administrative assistants just need to be part of the MyDistributionGroups management role, and they can then edit and maintain Distribution Groups via OWA like so -

    Understanding Role Based Access Control -

    Please review this article for more details on distribution group management -

    Author Comment

    What about permission to create contacts?

    Expert Comment

    by:Brad Groux
    It depends on the role given. Please see the TechNet Article I posted -

    Management role group   The management role group is a special universal security group (USG) that contains mailboxes, users, USGs, and other role groups that are members of the role group. This is where you add and remove members, and it's also what management roles are assigned to. The combination of all the roles on a role group defines everything that users added to a role group can manage in the Exchange organization.

    Management role   A management role is a container for a grouping of management role entries. Roles are used to define the specific tasks that can be performed by the members of a role group that's assigned the role. A management role entry is a cmdlet, script, or special permission that enables each specific task in a role to be performed. For more information, see Understanding Management Roles.

    Management role assignment   A management role assignment links a role and a role group. Assigning a role to a role group grants members of the role group the ability to use the cmdlets and parameters defined in the role. Role assignments can use management scopes to control where the assignment can be used. For more information, see Understanding Management Role Assignments.

    Management role scope  A management role scope is the scope of influence or impact on a role assignment. When a role is assigned with a scope to a role group, the management scope targets specifically what objects that assignment is allowed to manage. The assignment, and its scope, are then given to the members of the role group, and restrict what those members can manage. A scope can consist of a list of servers or databases, organizational units (OUs), or filters on server, database or recipient objects. For more information, see Understanding Management Role Scopes.

    Author Comment

    Not really a straightforward answer. Sending me a link instead of an example is not really a solution.

    Expert Comment

    by:Brad Groux
    The solution is, with the correct permissions they can do what you are seeking. Clearly you aren't reading. Management Role Group can create and edit. Management Role can only edit. If you want them to be able to create, which of these two do you think they need? I'm not sure how much clearer I can spell it out for you.

    If you do not understand how RBAC actually functions, I encourage you to read the TechNet article - it tells you EXACTLY what you need to do.

    Jane the Administrator
    Jane is an administrator for the medium-size company, Contoso. She's responsible for managing the company's recipients in their Vancouver office. When the permissions model for Contoso was created, Jane was made a member of the Recipient Management - Vancouver custom role group. The Recipient Management - Vancouver custom role group most closely matches her job's duties, which include creating and removing recipients, such as mailboxes and contacts, managing distribution group membership and mailbox properties, and similar tasks.

    In addition to the Recipient Management - Vancouver custom role group, Jane also needs a role assignment policy to manage her own mailbox's configuration settings. The organization administrators have decided that all users, except for senior management, receive the same permissions when they manage their own mailboxes. They can configure their voice mail, set up retention policies and change their address information. The default role assignment policy provided with Exchange 2013 now reflects these requirements...
    It then goes on to tell you exactly how to do it. I'm sorry if I don't copy and paste the entire TechNet article here for you to read.

    Accepted Solution


    Let me clarify a bit, as the answer from Brad is semi-correct. The snippet he listed above is a bit wrong depending on the scenario, and he also left out a few things on DL management.

    So let's go over the mail-enabled user object creation. That can be achieved by adding the user to the "Recipient Management" RBAC group (BUT be aware that they will have a number of other permissions). If you wish to limit this down, you would need to make a custom RBAC group and assign that to the user, as that will limit them to what they can / can't do within Exchange.

    You can use this article to actually create a custom RBAC group and then limit what Role Assignments are associated to it (I would get into it, but I honestly hate RBAC as it gets convoluted fast).

    As for the DL management, he is absolutely right except the user also needs to be added as a manager to this DL. You can do that by opening the DL within Exchange Management Console and then clicking on "Group Information" and then under "Managed By" click the + button and then add the users in.

    Here is a good article to read up on the changes:
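
One way to build the custom role group and DL ownership described in the accepted answer, as an added example that is not part of the original thread. The role names, group name, DL name, account names and the `New-PrunedRole` helper are all placeholders, and the keep-lists are an assumption to check against your own `Get-ManagementRoleEntry` output.

```powershell
# Added example: run in the Exchange Management Shell as an RBAC administrator.
# Every name below is a placeholder, not a value from the thread.
$assistants = 'assistant1', 'assistant2'

# Hypothetical helper: create a child of a built-in role, then remove every
# role entry (cmdlet) that is not on the keep-list.
function New-PrunedRole {
    param([string]$Name, [string]$Parent, [string[]]$Keep)
    New-ManagementRole -Name $Name -Parent $Parent | Out-Null
    Get-ManagementRoleEntry "$Name\*" |
        Where-Object { $Keep -notcontains $_.Name } |
        ForEach-Object {
            Remove-ManagementRoleEntry -Identity "$Name\$($_.Name)" -Confirm:$false
        }
}

# Contact-only children of the two built-in recipient roles. The keep-lists
# are an assumption: the web interface may need further Get-* cmdlets.
New-PrunedRole -Name 'Example Contact Creation' -Parent 'Mail Recipient Creation' `
    -Keep 'New-MailContact', 'Remove-MailContact', 'Get-MailContact', 'Get-Recipient'
New-PrunedRole -Name 'Example Contact Editing' -Parent 'Mail Recipients' `
    -Keep 'Set-MailContact', 'Set-Contact', 'Get-MailContact', 'Get-Contact', 'Get-Recipient'

# Custom role group holding only the pruned roles, instead of membership in
# the much broader built-in "Recipient Management" group.
New-RoleGroup -Name 'Example Contact Editors' `
    -Roles 'Example Contact Creation', 'Example Contact Editing' `
    -Members $assistants

# DL management: add both assistants as managers of the group they maintain.
Set-DistributionGroup -Identity 'Example DL' -ManagedBy @{Add = $assistants} `
    -BypassSecurityGroupManagerCheck

# Confirm MyDistributionGroups is assigned to the policy the assistants use.
Get-ManagementRoleAssignment -Role 'MyDistributionGroups' |
    Format-Table Name, RoleAssigneeName -AutoSize

# Review what one assistant ends up with, direct and via the role group.
Get-ManagementRoleAssignment -RoleAssignee 'assistant1' |
    Format-Table Name, Role, RoleAssigneeName -AutoSize
```

The final query is the least-privilege check: anything listed beyond the two pruned roles and the user's self-service roles is access the assistants do not need for this task.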
