Permissions on the MyDistributionGroups in Role Assignment Policy?

Status
Not open for further replies.
David Bolton

Is there any way to change the default permissions on the MyDistributionGroups in Role Assignment Policy? I do not want folks to be able to delete or create groups who I assign this role to. I want for them to be able to only add/remove recipients from the lists they manage.
 
David Bolton

Ripu,

This article has only very basic information regarding management of static and dynamic distribution lists. It has nothing about getting more granular on the permissions set within the RBAC interface under "Roles and Auditing", "User Roles".

I have a custom policy to allow specific users to manage distribution groups. When the policy is opened, it has several main heading sections, "My Contact Information", "Profile Information", "Distribution Groups", and "Other Roles". Under the Distribution Groups section, the first check box "MyDistributionGroups" is the one that I need to adjust.

No one but the Exchange administrators should be able to create or delete groups in the GAL. But there is no (obvious) way to give folks the ability to add/remove recipients of a group they manage, without giving them the ability to create or delete groups globally.

There has to be a way to adjust the permissions. I just need to know where/how.

Thanks,

David
 
David Bolton

Bump

Really need some help on this one. Anyone from Microsoft know the answer?
 
Steve Goodman

Hi David,

I think this article is exactly what you are after. It has a script to create a child distribution group with the permissions you want (i.e. replicate the Exchange 2007 DG manager functionality - they will not be able to create or remove groups, just manage the memberships).

How to Manage Groups that I already own in Exchange 2010?

Steve

 
David Bolton

Getting an odd error when running this script. I think I will need to contact the author to see if this runs correctly on SP1

WARNING: Found a Role with Name: MyDistributionGroupsManagement
WARNING: Trying to Modify Existing Role
Removing ability to create distribution Groups from MyDistributionGroupsManagement
Removing ability to create distribution Groups from MyDistributionGroupsManagement
WARNING: Found Existing Role Assignment: MyDistributionGroupsManagement-Distribution Group Management
WARNING: Making no modifications to Role Assignments

But am still able to add/remove DLs...
 
David Bolton

The author of the script says:

"You don't need to use this script in sp1 ... sp1 breaks dl management up into to my groups right out of the box.
If you run get-managementrole my* you will see all of the roles that affect this."

However, I see no way in the RBAC interface to get granular with the permissions:

Distribution groups:


MyDistributionGroups

This role enables individual users to create, modify and view distribution groups and modify, view, remove, and add members to distribution groups they own.


MyDistributionGroupsManagement


Distribution group memberships:


MyDistributionGroupMembership

This role enables individual users to view and modify their membership in distribution groups in an organization, provided that those distribution groups allow manipulation of group membership.

I obviously want folks to be able to modify, view, remove and add members of groups they manage but NOT create or delete existing global groups.

Any other ideas? Am I missing something?
 
David Bolton

I am still looking for help on this one.

Does anyone know the specific PS command that disables the ability for non-Exchange administrators to create/delete groups? I need to default our Exchange environment so group owners cannot create/delete groups in the GAL.

Running SP1, but not the latest rollup 1...

Thanks!
 
Gavin-Zhang

Hi David,
The script is good. According to the script, it is to create the new management role MyDistributionGroupsManagement with no create/remove entry as the MyDistributionGroups role.
So you could check that you have created the role successfully, and then check the group owner's assigned role:
Get-ManagementRoleAssignment -RoleAssignee username
Check and remove the default role, assign the custom role to the user, and then make a test.
I would suggest that you could learn it more carefully.
Best regards!
Gavin
 
David Bolton

Gavin,

After your explanation, I understood. When I ran the script originally, it created that role, I just had not "unchecked" the "MyDistributionGroups" yet and made the "MyDistributionGroupsManagement" the default role for the custom user role (duh!).

Anyway, thanks. It works as we need it to now.
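
The steps this thread arrives at, written out as an added Exchange Management Shell example (it is not the script from the linked article and not any poster's code): build a child of MyDistributionGroups without the create/remove entries, then swap it into the role assignment policy. The policy name `DG Managers Policy` is a hypothetical placeholder; the role name is the one shown in the script output above.

```powershell
# Added example. Run in the Exchange Management Shell with rights to manage roles.
$ParentRole = 'MyDistributionGroups'
$ChildRole  = 'MyDistributionGroupsManagement'   # role name seen in the script output in this thread
$Policy     = 'DG Managers Policy'               # hypothetical policy name (assumption)

# 1. Create the child role only if it does not exist yet.
if (-not (Get-ManagementRole -Identity $ChildRole -ErrorAction SilentlyContinue)) {
    New-ManagementRole -Name $ChildRole -Parent $ParentRole | Out-Null
}

# 2. Strip the entries that let group owners create or delete groups.
foreach ($Cmdlet in 'New-DistributionGroup', 'Remove-DistributionGroup') {
    $Entry = Get-ManagementRoleEntry "$ChildRole\$Cmdlet" -ErrorAction SilentlyContinue
    if ($Entry) {
        Remove-ManagementRoleEntry "$ChildRole\$Cmdlet" -Confirm:$false
    }
}

# 3. Assign the restricted role to the policy if it is not assigned already.
$Assigned = Get-ManagementRoleAssignment -Role $ChildRole -RoleAssignee $Policy -ErrorAction SilentlyContinue
if (-not $Assigned) {
    New-ManagementRoleAssignment -Role $ChildRole -Policy $Policy | Out-Null
}

# 4. Remove the built-in role from the same policy. While it stays assigned,
#    its New-/Remove-DistributionGroup entries still apply to policy members,
#    which is the "still able to add/remove DLs" symptom described above.
Get-ManagementRoleAssignment -Role $ParentRole -RoleAssignee $Policy -ErrorAction SilentlyContinue |
    Remove-ManagementRoleAssignment -Confirm:$false

# 5. Verify: list the roles now on the policy, then the *-DistributionGroup
#    entries left in the child role (New- and Remove- should not be listed).
Get-ManagementRoleAssignment -RoleAssignee $Policy | Format-Table Name, Role -AutoSize
Get-ManagementRoleEntry "$ChildRole\*-DistributionGroup" | Format-Table Name -AutoSize
```

Running `Get-ManagementRoleAssignment -RoleAssignee username` for a test group owner afterwards, as suggested earlier in the thread, confirms which roles that user actually receives.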
 