Permission for a user to add/modify contacts and DL only

I need to give 2 administrative assistants permission to add contacts and DLs. We had a consultant before that was able to do this via RBAC and it worked great. The user would just log in to their webmail and configure the contacts and DL from there. I just need to know how I can do the same thing for the other 2 users.

Brad Groux, Senior Manager (Wintel Engineering), commented:
The administrative assistants just need to be part of the MyDistributionGroups management role, and they can then edit and maintain Distribution Groups via OWA like so -

Understanding Role Based Access Control -

Please review this article for more details on distribution group management -
CiscoAzn (Author) commented:
What about permission to create contacts?
Brad Groux, Senior Manager (Wintel Engineering), commented:
It depends on the role given. Please see the TechNet Article I posted -

Management role group: The management role group is a special universal security group (USG) that contains mailboxes, users, USGs, and other role groups that are members of the role group. This is where you add and remove members, and it's also what management roles are assigned to. The combination of all the roles on a role group defines everything that users added to a role group can manage in the Exchange organization.

Management role: A management role is a container for a grouping of management role entries. Roles are used to define the specific tasks that can be performed by the members of a role group that's assigned the role. A management role entry is a cmdlet, script, or special permission that enables each specific task in a role to be performed. For more information, see Understanding Management Roles.

Management role assignment: A management role assignment links a role and a role group. Assigning a role to a role group grants members of the role group the ability to use the cmdlets and parameters defined in the role. Role assignments can use management scopes to control where the assignment can be used. For more information, see Understanding Management Role Assignments.

Management role scope: A management role scope is the scope of influence or impact on a role assignment. When a role is assigned with a scope to a role group, the management scope targets specifically what objects that assignment is allowed to manage. The assignment, and its scope, are then given to the members of the role group, and restrict what those members can manage. A scope can consist of a list of servers or databases, organizational units (OUs), or filters on server, database or recipient objects. For more information, see Understanding Management Role Scopes.

CiscoAzn (Author) commented:
Not really a straightforward answer. Sending me a link instead of an example is not really a solution.
Brad Groux, Senior Manager (Wintel Engineering), commented:
The solution is, with the correct permissions they can do what you are seeking. Clearly you aren't reading. Management Role Group can create and edit. Management Role can only edit. If you want them to be able to create, which of these two do you think they need? I'm not sure how much clearer I can spell it out for you.

If you do not understand how RBAC actually functions, I encourage you to read the TechNet article - it tells you EXACTLY what you need to do.

Jane the Administrator
Jane is an administrator for the medium-size company, Contoso. She's responsible for managing the company's recipients in their Vancouver office. When the permissions model for Contoso was created, Jane was made a member of the Recipient Management - Vancouver custom role group. The Recipient Management - Vancouver custom role group most closely matches her job's duties, which include creating and removing recipients, such as mailboxes and contacts, managing distribution group membership and mailbox properties, and similar tasks.

In addition to the Recipient Management - Vancouver custom role group, Jane also needs a role assignment policy to manage her own mailbox's configuration settings. The organization administrators have decided that all users, except for senior management, receive the same permissions when they manage their own mailboxes. They can configure their voice mail, set up retention policies and change their address information. The default role assignment policy provided with Exchange 2013 now reflects these requirements...
It then goes on to tell you exactly how to do it. I'm sorry if I don't copy and paste the entire TechNet article here for you to read.
Adam Farage, Enterprise Arch, commented:

Let me clarify a bit, as the answer from Brad is semi-correct. The snippet he listed above is a bit wrong depending on the scenario, and he also left out a few things on DL management.

So let's go over the mail enabled user object creation. That can be achieved by adding the user to the "Recipient Management" RBAC group (BUT be aware that they will have a number of other permissions). If you wish to limit this down, you would need to make a custom RBAC group and assign that to the user, as that will limit them to what they can / can't do within Exchange.

You can use this article to actually create a custom RBAC group and then limit what Role Assignments are associated to it (I would get into it, but I honestly hate RBAC as it gets convoluted fast).

As for the DL management, he is absolutely right except the user also needs to be added as a manager to this DL. You can do that by opening the DL within Exchange Management Console and then clicking on "Group Information" and then under "Managed By" click the + button and then add the users in.

Here is a good article to read up on the changes:
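
The custom role group discussed in this thread, sketched as an added example that is not part of any poster's reply: it derives two child roles that keep only contact and read-only cmdlets, then scopes the role group to one OU. All role, group, user and OU names are hypothetical, and keeping every `Get-*` entry is an assumption made so the web interface can still list recipients.

```powershell
# Added example. Run in the Exchange Management Shell as an Organization Management member.
# Every name below (roles, role group, users, OU) is a hypothetical placeholder.
$assistants = 'assistant1', 'assistant2'
$scopeOU    = 'contoso.com/Shared Contacts'
$groupName  = 'Contact and DL Assistants'

# Built-in parent role -> name of the trimmed child role derived from it.
# A child role can never hold more entries than its parent.
$childRoles = @{
    'Mail Recipient Creation' = 'Contacts - Create'   # parent holds New-/Remove-MailContact
    'Mail Recipients'         = 'Contacts - Edit'     # parent holds Set-MailContact, Set-Contact
}

foreach ($parent in $childRoles.Keys) {
    $child = $childRoles[$parent]
    New-ManagementRole -Name $child -Parent $parent

    # Remove every entry that is neither read-only nor a contact cmdlet,
    # so mailbox and mail-user cmdlets from the parent are not inherited.
    Get-ManagementRoleEntry "$child\*" |
        Where-Object {
            $_.Name -notlike 'Get-*' -and
            $_.Name -notlike '*-MailContact' -and
            $_.Name -notlike '*-Contact'
        } |
        Remove-ManagementRoleEntry -Confirm:$false
}

# Role group = trimmed contact roles + built-in Distribution Groups role,
# with write access limited to recipients inside one OU.
New-RoleGroup -Name $groupName `
    -Roles (@($childRoles.Values) + 'Distribution Groups') `
    -Members $assistants `
    -RecipientOrganizationalUnitScope $scopeOU

# Review what was actually granted before telling the users to log in.
Get-ManagementRoleEntry 'Contacts - *\*' |
    Sort-Object Role, Name |
    Format-Table Role, Name
Get-ManagementRoleAssignment -RoleAssignee $groupName |
    Format-List Role, RoleAssigneeName, *WriteScope
```

The two review commands at the end are the part worth repeating after any later change: the first lists the cmdlets left in each child role, the second shows the write scope attached to each assignment.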

Question has a verified solution.